From: "Ted Mittelstaedt" <tedm@toybox.placo.com>
To: "Doug Poland"; questions@freebsd.org
Date: Sun, 16 Mar 2008 00:18:12 -0800
Subject: RE: Best practice: sendmail and SMTP auth
In-Reply-To: <9587.208.49.58.254.1205349581.squirrel@email.polands.org>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Doug Poland
> Sent: Wednesday, March 12, 2008 11:20 AM
> To: questions@freebsd.org
> Subject: Best practice: sendmail and SMTP auth
>
> Hello,
>
> Not sure if this is the most appropriate place for this question, but since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
>
> I am considering setting up SMTP auth on a number of sendmail instances that I control. After much googling and reading, it is not clear to me that a server with SMTP auth configured/enabled can relay mail in both auth and non-auth modes.

Some of the explanations posted have been Rube Goldberg in the extreme, greatly complicating what should have been a very simple response.

A standard FreeBSD server determines relaying through use of the access.db file, as you probably already are aware. If you add in SMTP-auth then the ONLY change is that any client that authenticates in is exempted from checking the access.db file - by default, they are allowed to relay.

It is not necessary to turn on an encrypted channel for SMTP-auth. In fact, the most popular mail client under Windows, Outlook, only supports NTLM encryption on authentication, which REQUIRES that the password be in cleartext on the mailserver. OR, you can use SSL encryption for Outlook - however it will require a (costly) commercially-rooted certificate on the server to do SSL, or your mail clients won't encrypt without a lot of nasty mucking around on the user's side to install a self-signed root cert in their clients.

As for 587, by default sendmail will allow auth on either port 25 or 587 and will allow non-encrypted auth on port 587.

The fact of the matter is that the most secure way of running a production setup is to use a completely separate mailserver for AUTH-smtp and to use DIFFERENT userIDs/passwords on that server than on the primary mailserver. That way spammers that discover the user's e-mail address (which for most ISPs is the same as the userID account) cannot launch dictionary attacks against the SMTP-auth server. And, attackers that sniff a cleartext password on the SMTP-auth channel cannot use that userID to spam the mailserver.

Ted
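The relay rule Ted describes (access.db decides for unauthenticated clients; a client that completed SMTP AUTH with a trusted mechanism is allowed to relay without that lookup) can be modelled in a few lines. The following is an added illustration, not sendmail's code or anything from this thread: it parses a constructed access file in the access(5) text format, performs the Connect: longest-prefix and To: domain-suffix lookups, and applies the authenticated-client exemption. The `TRUSTED_MECHS` set stands in for sendmail's `TRUST_AUTH_MECH` list; the IP addresses and domains are sample values.

```python
"""Model of sendmail's relay decision: access.db for unauthenticated
clients, automatic RELAY for clients authenticated with a trusted
SASL mechanism.  Added example; not sendmail's own code."""

# Constructed sample access file, in the text format that
# `makemap hash access < access` would compile into access.db.
SAMPLE_ACCESS = """
# local LAN may relay
Connect:192.168.1        RELAY
Connect:10.0.0.5         RELAY
# a known abusive network is refused at connection time
Connect:203.0.113        REJECT
# mail for our own domain (and subdomains) is always accepted
To:example.com           RELAY
"""

# Analogue of TRUST_AUTH_MECH(`...') in sendmail.mc: mechanisms whose
# successful AUTH grants relaying without consulting the access map.
TRUSTED_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5"}


def parse_access(text):
    """Parse access-file lines into {(tag, key): action}, ignoring comments."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        lhs, action = line.split(None, 1)
        tag, key = lhs.split(":", 1)
        table[(tag.lower(), key.lower())] = action.strip().upper()
    return table


def lookup_connect(table, ip):
    """Connect: lookup: try the full address, then drop trailing octets."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        action = table.get(("connect", ".".join(octets[:n])))
        if action:
            return action
    return None


def lookup_to(table, recipient):
    """To: lookup: match the recipient domain, then each parent domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    labels = domain.split(".")
    for n in range(len(labels)):
        action = table.get(("to", ".".join(labels[n:])))
        if action:
            return action
    return None


def relay_decision(table, client_ip, recipient, auth_mech=None):
    """Return 'REJECT', 'RELAY' or 'NO-RELAY' for one RCPT TO attempt.

    A Connect: REJECT is applied when the connection is accepted, before
    the client can even issue AUTH, so it is checked first.  After that,
    an authenticated client with a trusted mechanism relays without any
    further access-map lookup, which is the exemption the post describes.
    """
    conn = lookup_connect(table, client_ip)
    if conn == "REJECT":
        return "REJECT"
    if auth_mech and auth_mech.upper() in TRUSTED_MECHS:
        return "RELAY"
    if conn == "RELAY" or lookup_to(table, recipient) == "RELAY":
        return "RELAY"
    return "NO-RELAY"   # sendmail answers "550 Relaying denied"


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for ip, rcpt, mech in [
        ("192.168.1.77", "bob@elsewhere.example", None),
        ("198.51.100.9", "bob@elsewhere.example", None),
        ("198.51.100.9", "bob@elsewhere.example", "CRAM-MD5"),
        ("198.51.100.9", "alice@mail.example.com", None),
        ("203.0.113.40", "bob@elsewhere.example", "PLAIN"),
    ]:
        print(ip, rcpt, mech or "-", "->", relay_decision(table, ip, rcpt, mech))
```

The model makes the post's security point concrete: once `auth_mech` is set, the access map is never consulted, so any credential accepted by the auth server is a relay credential. That is why keeping the submission server's accounts separate from the primary mailbox accounts limits what a sniffed or guessed password is worth.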