Hi!
I'm using postfix+postfixadmin+mysql+courier-imap
i just implemented pop-before-smtp[1], my problem is after receiving the mails i connect to the server using telnet and try to send spam using the mail server it did send it didn't ask for authentication anymore. i'm not sure how this pop-before-smtp really works but i was thinking how should i secure the server in this kind of attacks.
[1] http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_pop-before-smtp_en.shtml
On Mon, Aug 29, 2005 at 11:34:24PM +0800, Mark Quitoriano enlightened us:
I'm using postfix+postfixadmin+mysql+courier-imap
i just implemented pop-before-smtp[1], my problem is after receiving the mails i connect to the server using telnet and try to send spam using the mail server it did send it didn't ask for authentication anymore. i'm not sure how this pop-before-smtp really works but i was thinking how should i secure the server in this kind of attacks.
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Matt
hmm... ok i'll try that then
On 8/29/05, Matt Hyclak hyclak@math.ohiou.edu wrote:
On Mon, Aug 29, 2005 at 11:34:24PM +0800, Mark Quitoriano enlightened us:
I'm using postfix+postfixadmin+mysql+courier-imap
i just implemented pop-before-smtp[1], my problem is after receiving the mails i connect to the server using telnet and try to send spam using the mail server it did send it didn't ask for authentication anymore. i'm not sure how this pop-before-smtp really works but i was thinking how should i secure the server in this kind of attacks.
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Matt
-- Matt Hyclak Department of Mathematics Department of Social Work Ohio University (740) 593-1263
On Mon, Aug 29, 2005 at 11:45:29AM -0400, Matt Hyclak wrote:
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Alan Hodgson wrote:
On Mon, Aug 29, 2005 at 11:45:29AM -0400, Matt Hyclak wrote:
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Agreed. However, after the first initial headache, it's a joy to have it working properly.
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
Took me like five minutes to decipher your email there, Mark. Feel free to use some commas and periods on occasion ;)
Thanks -dant
in the spec file you just need to set the sasl to 1 right? anything should i do in the spec file?
On 8/30/05, dan.trainor dan.trainor@gmail.com wrote:
Alan Hodgson wrote:
On Mon, Aug 29, 2005 at 11:45:29AM -0400, Matt Hyclak wrote:
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Agreed. However, after the first initial headache, it's a joy to have it working properly.
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
Took me like five minutes to decipher your email there, Mark. Feel free to use some commas and periods on occasion ;)
Thanks -dant
Mark Quitoriano wrote:
in the spec file you just need to set the sasl to 1 right? anything should i do in the spec file?
On 8/30/05, dan.trainor <dan.trainor@gmail.com> wrote:
Alan Hodgson wrote:
> On Mon, Aug 29, 2005 at 11:45:29AM -0400, Matt Hyclak wrote:
>> Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
> Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Agreed. However, after the first initial headache, it's a joy to have it working properly.
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
Took me like five minutes to decipher your email there, Mark. Feel free to use some commas and periods on occasion ;)
Thanks -dant
Mark -
You're going to have to mow over the .spec file. There are certain options that you'll need to consider, such as the version of SASL, among other things. I am not able to pull the SRPM at this moment, so I can't give you exact directions here.
You can find instructions on one of several HOW-TOs on the subject.
Thanks -dant
ok i'll look for that
thanks!
On 8/30/05, dan.trainor dan.trainor@gmail.com wrote:
Mark Quitoriano wrote:
in the spec file you just need to set the sasl to 1 right? anything should i do in the spec file?
On 8/30/05, dan.trainor <dan.trainor@gmail.com> wrote:
Alan Hodgson wrote:
On Mon, Aug 29, 2005 at 11:45:29AM -0400, Matt Hyclak wrote:
Generally speaking, pop-before-smtp was (and is) a big hack. The right answer is to set up SMTP-Auth.
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Agreed. However, after the first initial headache, it's a joy to have it working properly.
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
Took me like five minutes to decipher your email there, Mark. Feel free to use some commas and periods on occasion ;)
Thanks -dant
Mark -
You're going to have to mow over the .spec file. There are certain options that you'll need to consider, such as the version of SASL, among other things. I am not able to pull the SRPM at this moment, so I can't give you exact directions here.
You can find instructions on one of several HOW-TOs on the subject.
Thanks -dant
On Mon, 29.08.2005 at 18:13, dan.trainor wrote:
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
-dant
For what do you have the Postfix shipped by CentOS be recompiled? Not for getting SASL support.
Alexander
Alexander Dalloz wrote:
On Mon, 29.08.2005 at 18:13, dan.trainor wrote:
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
-dant
For what do you have the Postfix shipped by CentOS be recompiled? Not for getting SASL support.
Alexander
...what?
Thanks -dant
On Mon, 29.08.2005 at 19:29, dan.trainor wrote:
Alexander Dalloz wrote:
On Mon, 29.08.2005 at 18:13, dan.trainor wrote:
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
-dant
For what do you have the Postfix shipped by CentOS be recompiled? Not for getting SASL support.
Alexander
...what?
-dant
Postfix .spec CentOS 3.5 (excerpt):

    %define LDAP 2
    %define SASL 1

    %if %{LDAP} <= 1 && %{SASL} >= 2
    %undefine SASL
    %define SASL 1
    %endif

    %if %{SASL}
    BuildRequires: cyrus-sasl >= 2.1.10, cyrus-sasl-devel >= 2.1.10
    Requires: cyrus-sasl >= 2.1.10
    %endif

    %if %{SASL}
    %define sasl_v1_lib_dir %{_libdir}/sasl
    %define sasl_v2_lib_dir %{_libdir}/sasl2
    CCARGS="${CCARGS} -DUSE_SASL_AUTH"
    %if %{SASL} <= 1
    %define sasl_lib_dir %{sasl_v1_lib_dir}
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl"
    %else
    %define sasl_lib_dir %{sasl_v2_lib_dir}
    CCARGS="${CCARGS} -I/usr/include/sasl"
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl2"
    %endif
    %endif

Postfix .spec CentOS 4.1 (excerpt):

    %define LDAP 2
    %define SASL 2

    %if %{LDAP} <= 1 && %{SASL} >= 2
    %undefine SASL
    %define SASL 1
    %endif

    %if %{SASL}
    BuildRequires: cyrus-sasl >= 2.1.10, cyrus-sasl-devel >= 2.1.10
    Requires: cyrus-sasl >= 2.1.10
    %endif

    %if %{SASL}
    %define sasl_v1_lib_dir %{_libdir}/sasl
    %define sasl_v2_lib_dir %{_libdir}/sasl2
    CCARGS="${CCARGS} -DUSE_SASL_AUTH"
    %if %{SASL} <= 1
    %define sasl_lib_dir %{sasl_v1_lib_dir}
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl"
    %else
    %define sasl_lib_dir %{sasl_v2_lib_dir}
    CCARGS="${CCARGS} -I/usr/include/sasl"
    AUXLIBS="${AUXLIBS} -L%{sasl_lib_dir} -lsasl2"
    %endif
    %endif
Any evidence that Postfix on CentOS is not compiled against SASL?
I say: you don't have to recompile Postfix to get Postfix on CentOS running with SMTP AUTH (by SASL support).
Alexander
On Mon, 2005-08-29 at 19:53 +0200, Alexander Dalloz wrote:
On Mon, 29.08.2005 at 19:29, dan.trainor wrote:
Alexander Dalloz wrote:
On Mon, 29.08.2005 at 18:13, dan.trainor wrote:
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
-dant
For what do you have the Postfix shipped by CentOS be recompiled? Not for getting SASL support.
Alexander
...what?
-dant
Any evidence that Postfix on CentOS is not compiled against SASL?
I say: you don't have to recompile Postfix to get Postfix on CentOS running with SMTP AUTH (by SASL support).
Alexander
I was going to post the same thing. SASL works with CentOS's postfix.
oh! yeah! tnx!
On 8/30/05, Johnny Hughes mailing-lists@hughesjr.com wrote:
On Mon, 2005-08-29 at 19:53 +0200, Alexander Dalloz wrote:
On Mon, 29.08.2005 at 19:29, dan.trainor wrote:
Alexander Dalloz wrote:
On Mon, 29.08.2005 at 18:13, dan.trainor wrote:
Remember that you're going to need to compile Postfix with SASL support. The easiest way I've found to build my nice install is to grab the Postfix SRPM, edit the .spec appropriately, and then rebuild the RPM for your particular setup.
-dant
For what do you have the Postfix shipped by CentOS be recompiled? Not for getting SASL support.
Alexander
...what?
-dant
Any evidence that Postfix on CentOS is not compiled against SASL?
I say: you don't have to recompile Postfix to get Postfix on CentOS running with SMTP AUTH (by SASL support).
Alexander
I was going to post the same thing. SASL works with CentOS's postfix.
Alan Hodgson ahodgson@simkin.ca wrote:
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Actually it's not. It's a proper way to do it.
Most people think SASL is a PITA. But most of the pain is standard procedure for public key authentication.
On Mon, Aug 29, 2005 at 09:50:08AM -0700, Bryan J. Smith wrote:
Alan Hodgson ahodgson@simkin.ca wrote:
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Actually it's not. It's a proper way to do it.
Most people think SASL is a PITA. But most of the pain is standard procedure for public key authentication.
Multiple versions, obtuse interaction with PAM, permissions issues, multiple ways of using SASL (authdaemon or not) all make it much more difficult than it needs to be, IMO. And I've never set it up with the advanced methods, only LOGIN and PLAIN, which I imagine most people would want it to work with to be compatible with their POP/IMAP passwords (over SSL only, of course).
Hi
Try this howto, it's worked for me lots of times.
http://genco.gen.tc/postfix_virtual.php
Thanks
On 29/08/05, Alan Hodgson ahodgson@simkin.ca wrote:
On Mon, Aug 29, 2005 at 09:50:08AM -0700, Bryan J. Smith wrote:
Alan Hodgson ahodgson@simkin.ca wrote:
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Actually it's not. It's a proper way to do it.
Most people think SASL is a PITA. But most of the pain is standard procedure for public key authentication.
Multiple versions, obtuse interaction with PAM, permissions issues, multiple ways of using SASL (authdaemon or not) all make it much more difficult than it needs to be, IMO. And I've never set it up with the advanced methods, only LOGIN and PLAIN, which I imagine most people would want it to work with to be compatible with their POP/IMAP passwords (over SSL only, of course).
-- "The only difference between political parties is which group of their friends will be receiving your money." - me
Andrew Turnbull wrote:
Hi
Try this howto, it's worked for me lots of times.
http://genco.gen.tc/postfix_virtual.php
Thanks
On 29/08/05, Alan Hodgson ahodgson@simkin.ca wrote:
On Mon, Aug 29, 2005 at 09:50:08AM -0700, Bryan J. Smith wrote:
Alan Hodgson ahodgson@simkin.ca wrote:
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Actually it's not. It's a proper way to do it.
Most people think SASL is a PITA. But most of the pain is standard procedure for public key authentication.
Multiple versions, obtuse interaction with PAM, permissions issues, multiple ways of using SASL (authdaemon or not) all make it much more difficult than it needs to be, IMO. And I've never set it up with the advanced methods, only LOGIN and PLAIN, which I imagine most people would want it to work with to be compatible with their POP/IMAP passwords (over SSL only, of course).
Yes, I've used this how-to many times, with a bit of modification to work with Postfixadmin.
Maybe I'll write some docs on it soon here on how to adopt these install procedures, while installing Postfixadmin. That'd be kinda neat. The only thing that you need is some SQL hackery, but it does work quite well.
Thanks -dant
On Mon, 2005-08-29 at 11:50, Bryan J. Smith wrote:
Alan Hodgson ahodgson@simkin.ca wrote:
Sadly, SMTP auth on Postfix _feels_ like an even bigger hack, due to the joy that is SASL. It does work well once you get it setup, but man it's a pain.
Actually it's not. It's a proper way to do it.
Most people think SASL is a PITA. But most of the pain is standard procedure for public key authentication.
The pain part has to do with having to recompile postfix to have the feature. I think it is already in sendmail as shipped - you just have to rebuild the sendmail.cf and run saslauthd. But there is really nothing wrong with smtp login or plain authentication as long as it is done over ssl.
On Mon, Aug 29, 2005 at 11:34:24PM +0800, Mark Quitoriano wrote:
i just implemented pop-before-smtp[1], my problem is after receiving the mails i connect to the server using telnet and try to send spam using the mail server it did send it didn't ask for authentication anymore. i'm not sure how this pop-before-smtp really works but i was thinking how should i secure the server in this kind of attacks.
while others are correct that pop-before-smtp is a hack, it's not necessarily the wrong solution.
it's not entirely clear what your question is - but here's how it's supposed to work:
if you haven't popped from an IP address, you can't send smtp from that address (unless postfix is configured to allow it via some other mechanism).
once you pop from an IP address, it's added to a list of permitted IPs that can send SMTP. There is a timeout attached, after which it is removed from the list. I think the perl pop-before-smtp program defaults to an hour - i changed it to 8 hours or maybe a day after too many (l)user complaints.
danno
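The allowlist behaviour described in the last message, as an added example (not code from the thread or from the pop-before-smtp program): a small Python model showing why a telnet session from an address that has just popped is relayed without a prompt, while a per-session SMTP AUTH check refuses it. The class and function names are hypothetical, the IP addresses are constructed, and the window is the one-hour figure recalled in the thread.

```python
# Added illustration: a toy model of pop-before-smtp relay authorization.
# Class and function names are hypothetical; IPs are constructed (RFC 5737).
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600  # the one-hour default recalled in the thread


@dataclass
class PopBeforeSmtp:
    window: int = WINDOW_SECONDS
    allowed: dict = field(default_factory=dict)  # source IP -> expiry time

    def pop_login(self, ip: str, now: int) -> None:
        """A successful POP login authorizes the whole source IP."""
        self.allowed[ip] = now + self.window

    def may_relay(self, ip: str, now: int) -> bool:
        """SMTP side: only the client IP is checked, never a credential."""
        expiry = self.allowed.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.allowed[ip]  # entry timed out, drop it
            return False
        return True


def smtp_auth_may_relay(session_authenticated: bool) -> bool:
    """SMTP AUTH: the decision follows this session's own login."""
    return session_authenticated


def replay_thread_scenario() -> dict:
    """Replay the original poster's test against both schemes."""
    pbs = PopBeforeSmtp()
    client_ip, other_ip = "203.0.113.10", "198.51.100.7"
    pbs.pop_login(client_ip, now=0)  # mail client fetches mail
    return {
        # telnet from the same address one minute later: relayed, no prompt
        "telnet_same_ip": pbs.may_relay(client_ip, now=60),
        # an address that never popped is refused
        "never_popped_ip": pbs.may_relay(other_ip, now=60),
        # same address after the window has passed is refused again
        "same_ip_after_window": pbs.may_relay(client_ip, now=WINDOW_SECONDS + 1),
        # with SMTP AUTH the unauthenticated telnet session is refused
        "telnet_with_smtp_auth": smtp_auth_may_relay(False),
        "mail_client_with_smtp_auth": smtp_auth_may_relay(True),
    }


if __name__ == "__main__":
    for case, relayed in replay_thread_scenario().items():
        print(f"{case:28s} relay={'yes' if relayed else 'no'}")
```

Because the grant is keyed on the source address alone, every host behind the same NAT or on the same shared machine inherits it until the window expires; lengthening the window widens that exposure.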