[CentOS] sendmail - smtp security/authentication & port 587 issues

Sat Jun 25 22:49:24 UTC 2011
Max Pyziur <pyz at brama.com>

On Sun, 26 Jun 2011, Alexander Dalloz wrote:

> On 25.06.2011 23:50, Max Pyziur wrote:
>>
>> Greetings,
>>
>> I'm refining a CentOS configuration installation, now just over one month
>> old running on a colocated production server. Previously, we ran a version
>> of Fedora for over seven years.
>>
>> Specifically, I'm reviewing our sendmail configuration, both with respect
>> to authentication and port usage.
>>
>> Previously, we had the following line in the sendmail.mc line:
>> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> Though defined, you seem not to have made use of it; no SMTP AUTH in
> your description of the previous setup.
>
>> To authenticate, users would first have to POP their mail.
>>
>> A klunky script would scan appropriate log files and copy relevant IP
>> addresses to the /etc/mail/access file that would be regenerated every
>> 5 minutes via cron.
>>
>> Once the IP address was in the /etc/mail/access.db a user could be
>> authenticated and be allowed to send email using the machine as smtp.
>
> That sounds like a poor version of POP-before-SMTP. Which mechanism
> deletes the IP from the access_db?

It is a POP-before-SMTP, poor or otherwise.

The IPs in access_db are taken from the /var/log/maillog file. They 
effectively get "deleted" by way of the logrotate function (weekly and 
monthly).

IPs in the /etc/mail/access.db are based on the current /var/log/maillog 
file. Once the /var/log/maillog file is rotated (4am Sunday), the added 
IPs disappear.

> By no means was SMTP AUTH used, just plain relay permission based on the
> access_db.
>
>> Is there a better way of doing this?
>
> Definitely.

I'm open to suggestions. Currently, I'm running on a default
CentOS-Sendmail configuration.


>> Port 587 issues:
>> Verizon DSL filters out requests on port 25 to smtp servers not belonging
>> to verizon.net. An alternative is to use port 587 for smtp purposes.
>>
>> Are there any views in this CentOS user community on this?
>
> Yes, configure SMTP AUTH and offer the submission service to the users.
> Everything is prepared and documented within the sendmail.mc CentOS
> ships with. You just have to think about which backend SASL shall use to
> verify auth credentials.
>
>> Much thanks.
>>
>> Max Pyziur
>> pyz at brama.com

[recycle]


> Alexander
>
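
The SMTP AUTH plus submission-port setup suggested in the reply, as an added sendmail.mc fragment (not part of the original thread and not the poster's configuration). The mechanism list is the one quoted above; the "A p" auth options and the assumption that STARTTLS and a SASL backend are already configured are additions.

```m4
dnl Added example: constructed sendmail.mc fragment for SMTP AUTH on port 587.
dnl Assumes a SASL backend is set up separately and STARTTLS is configured.
dnl
dnl Mechanisms sendmail offers to clients (list taken from the thread).
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl
dnl Mechanisms whose successful authentication permits relaying.
dnl This replaces the IP entries the cron script wrote to /etc/mail/access.
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl
dnl A: only add the AUTH= parameter when authentication succeeded.
dnl p: do not offer LOGIN or PLAIN unless the session is protected by TLS,
dnl    so passwords are not sent in the clear.
define(`confAUTH_OPTIONS', `A p')dnl
dnl
dnl Submission listener on port 587.
dnl M=E disallows ETRN, M=a requires authentication on this port.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
dnl
dnl Leave the existing Port=smtp DAEMON_OPTIONS line in place for inbound mail.
```

After editing, sendmail.cf has to be regenerated from sendmail.mc and sendmail restarted. With this in place, relay permission follows the authenticated session rather than an IP address that stays in access.db until the next log rotation.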