[CentOS] sendmail - smtp security/authentication & port 587 issues

Devin Reade gdr at gno.org
Sun Jun 26 16:37:14 UTC 2011


Max Pyziur <pyz at brama.com> wrote:

> Are there any views in this CentOS user community on [using port 587]?

Yes.  Not only is enabling 'submission' a good idea, but you should also 
enable 'smtps' (which is different from smtp+tls):

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

> To authenticate, users would first have to POP their mail.
> 
> Is there a better way of doing this?

As others have said, yes.  Details:

Have the users do authentication over smtp+tls, submission, or smtps
(you should enable all three and let the users pick as the optimal
solution varies with email client).

To do this safely, you *must* ensure that you only permit someone
to authenticate if they're on an encrypted session.

define(`confAUTH_OPTIONS', `A,p,y')dnl
TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl

You need to set up saslauthd to support it.  I use saslauthd to query ldap.
My systems also use cyrus imapd as the MDA, although you could use
other MDAs.

Remember to set up SSL (confCACERT_PATH, confCACERT, confSERVER_CERT,
confSERVER_KEY).

Devin
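An added client-side check (not from Devin's message or from sendmail itself) for the policy his confAUTH_OPTIONS `p` flag enforces: PLAIN/LOGIN must not be advertised on the plaintext connection, and AUTH must appear once STARTTLS is up. The EHLO replies in the sample are constructed, and the host name in `probe()` is a placeholder.

```python
"""Verify that SASL AUTH is only offered inside an encrypted session."""
import smtplib
import ssl

WEAK = {"PLAIN", "LOGIN"}  # mechanisms that send the password in the clear


def auth_mechs(ehlo_lines):
    """Return the SASL mechanisms advertised in a list of EHLO extension
    lines; accepts both 'AUTH LOGIN PLAIN' and the legacy 'AUTH=LOGIN PLAIN'."""
    mechs = set()
    for line in ehlo_lines:
        parts = line.strip().replace("AUTH=", "AUTH ").split()
        if parts and parts[0].upper() == "AUTH":
            mechs.update(m.upper() for m in parts[1:])
    return mechs


def check_auth_policy(ehlo_plain, ehlo_tls):
    """Compare the EHLO reply before STARTTLS with the one after it. 'ok' is
    True only if no password mechanism is exposed in the clear and TLS has some."""
    before, after = auth_mechs(ehlo_plain), auth_mechs(ehlo_tls)
    return {
        "starttls_offered": any(l.strip().upper().startswith("STARTTLS") for l in ehlo_plain),
        "weak_auth_in_clear": sorted(before & WEAK),
        "auth_after_tls": sorted(after),
        "ok": not (before & WEAK) and bool(after),
    }


def _ehlo_lines(conn):
    # smtplib keeps the raw multi-line EHLO reply; drop the greeting line
    return conn.ehlo_resp.decode("utf-8", "replace").splitlines()[1:]


def probe(host, port=587):
    """Live probe of a submission port: EHLO, STARTTLS, EHLO again, evaluate.
    Uses the default CA bundle, so the server certificate must verify."""
    with smtplib.SMTP(host, port, timeout=10) as conn:
        conn.ehlo()
        plain = _ehlo_lines(conn)
        conn.starttls(context=ssl.create_default_context())
        conn.ehlo()  # extensions must be re-read after the TLS handshake
        return check_auth_policy(plain, _ehlo_lines(conn))


# Constructed EHLO replies: LEAKY_PLAIN is a server without the 'p' option,
# HARDENED_PLAIN is the behaviour the configuration above produces.
LEAKY_PLAIN = ["8BITMIME", "STARTTLS", "AUTH LOGIN PLAIN", "ENHANCEDSTATUSCODES"]
HARDENED_PLAIN = ["8BITMIME", "STARTTLS", "ENHANCEDSTATUSCODES"]
AFTER_TLS = ["8BITMIME", "AUTH LOGIN PLAIN", "ENHANCEDSTATUSCODES"]

if __name__ == "__main__":
    print(check_auth_policy(LEAKY_PLAIN, AFTER_TLS), check_auth_policy(HARDENED_PLAIN, AFTER_TLS))
```

Run `probe("mail.example.com")` (placeholder host) against your own MSA to test the live behaviour on port 587.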