[CentOS] sendmail - smtp security/authentication & port 587 issues
Devin Reade
gdr at gno.org
Sun Jun 26 16:37:14 UTC 2011
Max Pyziur <pyz at brama.com> wrote:
> Are there any views in this CentOS user community on [using port 587]?
Yes. Not only is enabling 'submission' a good idea, but you should also
enable 'smtps' (which is different from smtp+tls):
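
dnl M=Ea on the MSA: E disallows ETRN, a requires authentication
dnl M=s on TLSMTA: TLS starts at connect time (smtps), not via STARTTLS
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
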
> To authenticate, users would first have to POP their mail.
>
> Is there a better way of doing this?
As others have said, yes. Details:
Have the users do authentication over smtp+tls, submission, or smtps
(you should enable all three and let the users pick as the optimal
solution varies with email client).
To do this safely, you *must* ensure that you only permit someone
to authenticate if they're on an encrypted session.
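
dnl AuthOptions: A = send AUTH= on MAIL FROM only after successful authentication,
dnl p = no PLAIN/LOGIN unless a security layer (TLS) is active, y = no anonymous mechanisms
dnl TLS_SRV_OPTIONS V = do not request a client certificate
define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
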
You need to set up saslauthd to support it. I use saslauthd to query ldap.
My systems also use cyrus imapd as the MDA, although you could use
other MDAs.
Remember to set up SSL (confCACERT_PATH, confCACERT, confSERVER_CERT,
confSERVER_KEY).
Devin
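
Added example, not part of the original message: a Python check that a server only offers PLAIN/LOGIN authentication on an encrypted session, which is the requirement stated above. The function names (capabilities, audit, probe) and the sample EHLO replies are constructed for illustration; the input format is the EHLO text as returned by smtplib.

```python
import smtplib
import ssl

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is readable without TLS

def capabilities(ehlo_text):
    """Map each EHLO keyword to its arguments; line 1 is the greeting."""
    caps = {}
    for line in ehlo_text.splitlines()[1:]:
        words = line.replace("=", " ").upper().split()  # also old "AUTH=LOGIN"
        if words:
            caps.setdefault(words[0], set()).update(words[1:])
    return caps

def audit(pre_tls, post_tls):
    """Compare the EHLO text seen before and after STARTTLS."""
    pre, post = capabilities(pre_tls), capabilities(post_tls)
    findings = []
    exposed = pre.get("AUTH", set()) & CLEARTEXT_MECHS
    if exposed:
        findings.append("cleartext AUTH before STARTTLS: " + " ".join(sorted(exposed)))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if not post.get("AUTH"):
        findings.append("no AUTH offered on the encrypted session")
    return findings

def probe(host, port=587):
    """Audit your own server; the certificate must verify against system CAs."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        pre = s.ehlo()[1].decode()
        if not s.has_extn("starttls"):
            return audit(pre, "")
        s.starttls(context=ssl.create_default_context())
        return audit(pre, s.ehlo()[1].decode())

# Constructed EHLO replies (not captured from a real server).
GOOD_PRE = "mail.example.org Hello client\nPIPELINING\n8BITMIME\nSTARTTLS\nHELP"
GOOD_POST = "mail.example.org Hello client\nPIPELINING\n8BITMIME\nAUTH LOGIN PLAIN\nHELP"
BAD_PRE = "mail.example.org Hello client\nPIPELINING\nAUTH LOGIN PLAIN\nSTARTTLS\nHELP"

if __name__ == "__main__":
    print(audit(GOOD_PRE, GOOD_POST))
    print(audit(BAD_PRE, GOOD_POST))
```

On the smtps port TLS is already active at connect time, so this before/after comparison applies to the smtp and submission ports.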