Greetings,
I'm refining a CentOS configuration installation, now just over one month old running on a colocated production server. Previously, we ran a version of Fedora for over seven years.
Specifically, I'm reviewing our sendmail configuration, both with respect to authentication and port usage.
Previously, we had the following line in the sendmail.mc line: define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
To authenticate, users would first have to POP their mail.
A klunky script would scan appropriate log files and copy relevant IP addresses to the /etc/mail/access file that would be regenerated every 5 minutes via cron.
Once the IP address was in the /etc/mail/access.db a user could be authenticated and be allowed to send email using the machine as smtp.
Is there a better way of doing this?
Port 587 issues: Verizon DSL filters out requests on port 25 to smtp servers not belonging to verizon.net. An alternative is to use port 587 for smtp purposes.
Are there any views in this CentOS user community on this?
Much thanks.
Max Pyziur pyz@brama.com
On 25.06.2011 23:50, Max Pyziur wrote:
Greetings,
I'm refining a CentOS configuration installation, now just over one month old running on a colocated production server. Previously, we ran a version of Fedora for over seven years.
Specifically, I'm reviewing our sendmail configuration, both with respect to authentication and port usage.
Previously, we had the following line in the sendmail.mc line: define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Though defined, you seem not to have made use of it; no SMTP AUTH in your description of the previous setup.
To authenticate, users would first have to POP their mail.
A klunky script would scan appropriate log files and copy relevant IP addresses to the /etc/mail/access file that would be regenerated every 5 minutes via cron.
Once the IP address was in the /etc/mail/access.db a user could be authenticated and be allowed to send email using the machine as smtp.
That sounds like a poor version of POP-before-SMTP. Which mechanism deletes the IP from the access_db?
By no means was SMTP AUTH used, just plain relay permission based on the access_db.
Is there a better way of doing this?
Definitely.
Port 587 issues: Verizon DSL filters out requests on port 25 to smtp servers not belonging to verizon.net. An alternative is to use port 587 for smtp purposes.
Are there any views in this CentOS user community on this?
Yes, configure SMTP AUTH and offer the submission service to the users. Everything is prepared and documented within the sendmail.mc CentOS ships with. You just have to think about which backend SASL shall use to verify auth credentials.
Much thanks.
Max Pyziur pyz@brama.com
Alexander
On Sun, 26 Jun 2011, Alexander Dalloz wrote:
On 25.06.2011 23:50, Max Pyziur wrote:
Greetings,
I'm refining a CentOS configuration installation, now just over one month old running on a colocated production server. Previously, we ran a version of Fedora for over seven years.
Specifically, I'm reviewing our sendmail configuration, both with respect to authentication and port usage.
Previously, we had the following line in the sendmail.mc line: define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
Though defined, you seem not to have made use of it; no SMTP AUTH in your description of the previous setup.
To authenticate, users would first have to POP their mail.
A klunky script would scan appropriate log files and copy relevant IP addresses to the /etc/mail/access file that would be regenerated every 5 minutes via cron.
Once the IP address was in the /etc/mail/access.db a user could be authenticated and be allowed to send email using the machine as smtp.
That sounds like a poor version of POP-before-SMTP. Which mechanism deletes the IP from the access_db?
It is a POP-before-SMTP, poor or otherwise.
The IPs in access_db are taken from the /var/log/maillog file. They effectively get "deleted" by way of the logrotate function (weekly and monthly).
IPs in the /etc/mail/access.db are based on the current /var/log/maillog file. Once the /var/log/maillog file is rotated (4am Sunday), the added IPs disappear.
By no means was SMTP AUTH used, just plain relay permission based on the access_db.
Is there a better way of doing this?
Definitely.
I'm open to suggestions. Currently, I'm running on a default CentOS-Sendmail configuration.
Port 587 issues: Verizon DSL filters out requests on port 25 to smtp servers not belonging to verizon.net. An alternative is to use port 587 for smtp purposes.
Are there any views in this CentOS user community on this?
Yes, configure SMTP AUTH and offer the submission service to the users. Everything is prepared and documented within the sendmail.mc CentOS ships with. You just have to think about which backend SASL shall use to verify auth credentials.
Much thanks.
Max Pyziur pyz@brama.com
Alexander
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Max Pyziur pyz@brama.com wrote:
Are there any views in this CentOS user community on [using port 587]?
Yes. Not only is enabling 'submission' a good idea, but you should also enable 'smtps' (which is different from smtp+tls):
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
To authenticate, users would first have to POP their mail.
Is there a better way of doing this?
As others have said, yes. Details:
Have the users do authentication over smtp+tls, submission, or smtps (you should enable all three and let the users pick as the optimal solution varies with email client).
To do this safely, you *must* ensure that you only permit someone to authenticate if they're on an encrypted session.
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
You need to set up saslauthd to support it. I use saslauthd to query ldap. My systems also use cyrus imapd as the MDA, although you could use other MDAs.
Remember to set up SSL (confCACERT_PATH, confCACERT, confSERVER_CERT, confSERVER_KEY).
Devin
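As an added example (not code from the thread or from the sendmail project), a small Python audit script that checks a sendmail.mc for the settings Alexander and Devin recommend: LOGIN/PLAIN only permitted under an encrypted session, a submission listener that requires authentication, and a server certificate and key so STARTTLS can be offered. The two .mc samples inside are constructed, and the certificate paths are assumed.

```python
"""Audit a sendmail.mc for the SMTP AUTH and submission settings this thread recommends."""
import re

# Constructed sample in the shape of the original setup: AUTH mechanisms defined,
# but nothing stops LOGIN/PLAIN on a cleartext session, and no 587 listener.
WEAK_MC = """\
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
"""

# Constructed sample following Devin's reply; certificate paths are assumed.
HARDENED_MC = """\
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/sendmail.pem')dnl
"""

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")


def audit(mc_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    defines = dict(DEFINE_RE.findall(mc_text))
    daemons = [dict(kv.strip().split("=", 1) for kv in opts.split(","))
               for opts in DAEMON_RE.findall(mc_text)]
    findings = []
    mechs = set(defines.get("confAUTH_MECHANISMS", "").split())
    auth_opts = defines.get("confAUTH_OPTIONS", "").replace(" ", "").split(",")
    # Option 'p' refuses mechanisms open to passive sniffing (LOGIN, PLAIN)
    # unless a security layer such as STARTTLS is already active.
    if mechs & {"LOGIN", "PLAIN"} and "p" not in auth_opts:
        findings.append("LOGIN/PLAIN offered without confAUTH_OPTIONS 'p'")
    if not any(d.get("Port") == "submission" for d in daemons):
        findings.append("no DAEMON_OPTIONS listener on Port=submission")
    for d in daemons:
        # 'a' among the M= flags makes that listener require authentication.
        if d.get("Port") == "submission" and "a" not in d.get("M", ""):
            findings.append("submission listener does not require AUTH (M=...a)")
    for key in ("confSERVER_CERT", "confSERVER_KEY"):
        if key not in defines:
            findings.append(f"{key} undefined, so STARTTLS cannot be offered")
    return findings
```

Run `audit()` over the text of your own sendmail.mc; it only reads the m4 source, so it does not confirm that saslauthd is running or that the certificate files exist.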