Koozali.org: home of the SME Server

SMTP for roaming users

swamy

SMTP for roaming users
« on: May 19, 2001, 04:56:36 AM »
Hi

We have a lot of people who travel a lot and they keep going to different places, and it is difficult for them to locate the SMTP address for the ISP of the hotel where they are staying, and it is also painful to ask each hotel person for the SMTP.

Can anyone suggest how to make this SMTP available for outside users? Can we have any password protection to use SMTP?

Kindly respond ASAP.

reg
swamy

swamy

Re: SMTP for roaming users
« Reply #1 on: May 19, 2001, 05:07:14 AM »
Sorry, I forgot to mention the version... I am using 4.1.1 E-smith.

Des Dougan

Re: SMTP for roaming users
« Reply #2 on: May 19, 2001, 05:11:35 AM »
This is what Webmail is for. It works well out of the box.


Des Dougan

swamy

Re: SMTP for roaming users
« Reply #3 on: May 19, 2001, 05:41:19 AM »
If the speed is less and there are attachments then you may not be able to use the webmail properly na...

Bas

Re: SMTP for roaming users
« Reply #4 on: May 20, 2001, 05:13:08 AM »
Set the number of PPTP clients to the number of roaming users you have and let those users make a VPN connection to your server. That way they can use the SMTP services (and other services like file-sharing) on your box in a secure manner.
Check http://www.e-smith.org/docs/manual/4.1/admin-remoteaccess.html (9.2.2) for more info on PPTP on e-smith.

devin sain

Re: SMTP for roaming users
« Reply #5 on: May 20, 2001, 10:06:09 AM »
If you are going to use PPTP you need to upgrade to 4.1.2, for 4.1.1 has security problems with PPTP.

Shelby Moore

Re: SMTP for roaming users
« Reply #6 on: May 22, 2001, 02:31:13 AM »
There has to be a better way for this to be done than PPTP or Webmail. (Now don't kill me here, but I am going to mention Microsoft.) In Exchange you simply set the SMTP server to ask for Authentication. It then authenticates off the same username and password as the POP3 Server.

Both Outlook and Outlook Express take advantage of this feature by configuring them that the Outgoing mail server requires Authentication; you simply check the checkbox. This method has worked well for me, and I would love to use it under e-Smith. Is this possible under e-smith?

Shelby L Moore

swamy

Re: SMTP for roaming users
« Reply #7 on: May 22, 2001, 02:48:35 AM »
Yes I agree with Shelby Moore.

It will be a nice idea to ask for a password before sending the mail out... in this case we can use SMTP from any part of the world. Can anyone suggest how to enable this password option?

reg

Graeme Robinson

Re: SMTP for roaming users
« Reply #8 on: May 22, 2001, 03:56:57 AM »
Sending SMTP passwords publicly is bad for the same reason POP3 passwords are a bad idea on public networks - they are unencrypted, can be sniffed and can compromise the security of your network.

PPTP is really your wisest option here - what it will do is provide for secure communications with your e-smith server's services including SMTP.

When you say "there must be a better way" what you are really asking is "is there an easier way" - of course there is always an easier way but it is usually risky, insecure, & therefore the wrong way.
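
Added example, not part of any post in this thread: a Python check for the concern raised above about SMTP passwords crossing a public network unencrypted. It parses EHLO replies captured before and after STARTTLS and reports when AUTH PLAIN or LOGIN is offered on the unencrypted session; the host name and all transcripts are constructed sample data, and the function names are hypothetical.

```python
"""Audit where an SMTP server advertises AUTH relative to STARTTLS."""

# Mechanisms that send the password in recoverable form
# (base64 is an encoding, not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample EHLO replies (not captured from any real server).
INSECURE = ("250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
            "250-AUTH LOGIN PLAIN\r\n250 HELP\r\n")
HARDENED_PRE = ("250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
                "250-STARTTLS\r\n250 HELP\r\n")
HARDENED_POST = ("250-mail.example.test Hello\r\n250-SIZE 10240000\r\n"
                 "250-AUTH PLAIN LOGIN\r\n250 HELP\r\n")


def parse_ehlo(response):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [params]}."""
    caps = {}
    lines = response.strip().splitlines()
    for line in lines[1:]:  # first line is the greeting, not a keyword
        if not (line.startswith("250-") or line.startswith("250 ")):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        # Some older servers advertise "AUTH=LOGIN PLAIN"; treat '=' as a space.
        words = line[4:].replace("=", " ").split()
        if words:
            params = [w.upper() for w in words[1:]]
            caps.setdefault(words[0].upper(), []).extend(params)
    return caps


def audit(pre_tls, post_tls=None):
    """Return findings for the EHLO replies seen before/after STARTTLS."""
    findings = []
    before = parse_ehlo(pre_tls)
    weak = CLEARTEXT_MECHS & set(before.get("AUTH", []))
    if weak:
        findings.append("AUTH %s offered before TLS: password would cross "
                        "the network unencrypted" % "/".join(sorted(weak)))
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: session cannot be encrypted")
    elif post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("no AUTH after STARTTLS: roaming users cannot "
                        "authenticate")
    return findings


if __name__ == "__main__":
    for name, args in (("insecure", (INSECURE,)),
                       ("hardened", (HARDENED_PRE, HARDENED_POST))):
        result = audit(*args)
        print(name, "->", result if result else "OK")
```
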

Shelby Moore

Re: SMTP for roaming users
« Reply #9 on: May 22, 2001, 05:15:33 PM »
I have never tried this under Exchange but I do believe you can set up the server to require a secure connection (SSL). Then in Outlook Express you would just click the needed check boxes under the Advanced settings.

Maybe I am asking for an "easier" way, but isn't that what the Linux community is all about? Helping each other find better solutions to our needs and problems and having the ability to create these solutions.

So the question still stands. Is there another way to accomplish this other than those discussed so far?

Shelby Moore

Chris Hardy

Re: SMTP for roaming users
« Reply #10 on: May 22, 2001, 09:32:54 PM »
There is a Qmail SSL Authentication patch available from http://www.qmail.org .. here are a few links that I found: http://www.nimh.org/hacks/qmail-smtpd.c and http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch. Now e-smith uses obtuse-smtp if I remember (this really should be on the devinfo list). I'm not sure how tightly the smtp daemon is tied into the e-smith distribution, but it is conceivable to grab qmail, patch it, make an rpm and distribute it. If I only had the time!

Charlie Brady

Qmail SSL authentication (was Re: SMTP for roaming users)
« Reply #11 on: May 22, 2001, 09:55:39 PM »
Chris Hardy wrote:
>
> There is a Qmail SSL Authentication patch available from
> http://www.qmail.org ..
...
>  I'm not sure how tightly the
> smtp daemon is tied into the e-smith distribution, but it is
> conceivable to grab qmail, patch it, make an rpm and
> distribute it.

Not so, the qmail license doesn't allow the distribution of modified versions.

Charlie

Chris Hardy

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #12 on: May 22, 2001, 10:24:10 PM »
Charlie Brady wrote:

> Not so, the qmail license doesn't allow the distribution of
> modified versions.
>
> Charlie

But as I understand the License, I could create a patched qmail src rpm and give people instructions on how to compile that.. Though it is kind of moot considering that E-Smith doesn't have the full run of development tools that a standard RedHat Distro does (Don't get me wrong, I love E-smith and evangelize it wherever I go). But that still doesn't answer the question, would replacing obtuse-smtp gum up the works? Is there a link to where I can find out more info about obtuse-smtp?

Charlie Brady

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #13 on: May 22, 2001, 11:43:50 PM »
Chris Hardy wrote:

> > Not so, the qmail license doesn't allow the distribution of
> > modified versions.
>
> But as I understand the License, I could create a patched
> qmail src rpm and give people instructions on how to compile
> that..

Correct.

> is there a link to where I can find out more
> info about obtuse-smtp?

http://www.obtuse.com/.

Charlie

Hasan Muhammad

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #14 on: May 23, 2001, 04:29:01 AM »
If the e-smith distributed version of qmail is not already SSL enabled, then aren't users already passing unencrypted passwords to retrieve email via POP or IMAP?

If unencrypted passwords are OK to authenticate users for retrieving email, why aren't they OK for authenticating users to send email?

BTW: I think using an SSL connection to authenticate SMTP users is an excellent solution to this dilemma.

P.S.
There have been many threads from users (including myself) requesting a solution for roaming users to use the SMTP service. The responses so far remind me of an old folk story... it goes something like this:

Bob: "Tom, may I please borrow your sledgehammer"?  

Tom: "I don't think so, I need to make sauerkraut tonight".

Bob: "Sauerkraut?  What does making sauerkraut have to do with me borrowing your sledgehammer"?

Tom: "Nothing... but if I don't want to lend you my sledgehammer, one excuse is just as good as another".

Graeme Robinson

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #15 on: May 23, 2001, 05:27:54 AM »
Hasan wrote:
>If the e-smith distributed version of qmail is not already SSL enabled, then aren't users already passing unencrypted passwords to retrieve email via POP or IMAP?

But you are only popping/imapping behind your e-smith firewall so these exchanges are already secure.

>If unencrypted passwords are OK to authenticate users for retrieving email, why aren't they OK for authenticating users to send email?

No, not OK.  They are not secure for remote collection of mail. You can choose to enable remote POP mail but this will pass clear text passwords across the public internet.  I don't recommend it.

If you are outside the firewall - then you can securely check & send your mail via the webmail interface or by creating a PPTP connection.

I'm undecided about the worth of SSL over SMTP, but while two alternative solutions already exist for your problem (i.e. sending mail via e-smith over a remote connection) I doubt you'll persuade E-smith to invest energy into it. It's an issue that would more properly be addressed by the developers of qmail or their equivalent.

swamy

Re: SMTP for roaming users
« Reply #16 on: May 23, 2001, 06:08:11 AM »
Hi

When I tried to test the PPTP to use SMTP on my E-smith 4.1.1 I am getting Error 5: Access denied. I configured PPTP on a winNT4.0 workstation and this is part of the LAN.

I did the installation of PPTP on win98 and tried to use the dialup account for the internet and want to use SMTP with the help of PPTP. But I am getting error 691: pls check the password. I tried with different users and the error is still there.

Please help me.. all my roaming users want to send and receive their mails from outside the LAN.

reg

Scott Smith

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #17 on: May 23, 2001, 07:39:20 PM »
Graeme Robinson wrote:
>
> but you are only popping/imapping behind your e-smith
> firewall so these exchanges are already secure.

You may be behind a firewall, but as a high percentage of attacks originate from within it is still insecure. And, if you are collecting mail from POP3 accounts outside the firewall, then you are still passing passwords in the clear over the public Internet.

> > If unencrypted passwords are OK to authenticate users for
> > retrieving email, why aren't they OK for authenticating users
> > to send email?
>
> No, not OK.  They are not secure for remote collection of
> mail. You can choose to enable remote POP mail but this will
> pass clear text passwords across the public internet.  I
> don't recommend it.

You're thinking of picking up mail from e-smith from a connection outside the firewall. It is probably just as if not more common for the reverse to occur, as described above. Considering that most users use a single password for everything, having a password from one source is probably the key to the kingdom.

> If you are outside the firewall - then you can securely check
> & send your mail via the webmail interface or by creating a
> PPTP connection.

Yes, but it is a question of options. Authenticated, secure SMTP should be an option. It is a valid concept, just as HTTP/S is a valid (and useful) concept. Whether it is available or not, or is currently practical? Well, that is another question ;-)

Shelby Moore

Re: SMTP for roaming users
« Reply #18 on: May 23, 2001, 10:51:36 PM »
In looking for a solution to this problem I came across this site. This sounds like it might work. Anybody see why not?

I am going to try and install this weekend and see.

http://www.davideous.com/smtp-poplock/

Shelby Moore

Charlie Brady

smtp-poplock (was Re: SMTP for roaming users)
« Reply #19 on: May 23, 2001, 11:09:00 PM »
Shelby Moore wrote:
 
> In looking for a solution to this problem I came across this
> site.  This sounds like it might work.  Anybody see why not?
>
> I am going to try and install this weekend and see.
>
> http://www.davideous.com/smtp-poplock/

You'd need to make fairly extensive modifications, as e-smith 4.1 and later uses obtuse-smtpd as the SMTP daemon, not qmail-smtpd.

My recommendation is for roaming users to use the local ISP's SMTP daemon when they travel (when on vacation, we drop postcards into the local postbox, we don't send them home to be reposted there), but if that is unsatisfactory, use PPTP VPN or webmail.

We will continue to investigate the possibility of supporting encrypted and authenticated SMTP, but it isn't available "off the shelf" and won't be available in the near future. We'd certainly be happy to have a contributed solution.

Regards

Charlie

Graeme Robinson

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #20 on: May 24, 2001, 04:32:54 AM »
Scott wrote:
>You may be behind a firewall, but as a high percentage of attacks originate from within it is still insecure.

Then you have a physical security problem and should call in the police, not a network security problem - to repeat, the e-smith server will not route packets to or from its internal range so it's not possible for someone outside your network to 'sniff' internal addresses to pick up these internally routed clear text passwords.

>And, if you are collecting mail from POP3 accounts
>outside the firewall, then
>you are still passing passwords in the clear over the
>public Internet.

To repeat, you shouldn't enable remote collection by pop.  It's possible to do so in the manager but disabled by default in e-smith for the reason that it's insecure.

Hasan Muhammad

Re: smtp-poplock (was Re: SMTP for roaming users)
« Reply #21 on: May 24, 2001, 04:52:32 AM »
> In looking for a solution to this problem I came across this
> site. This sounds like it might work. Anybody see why not?
>
> I am going to try and install this weekend and see.
>
> http://www.davideous.com/smtp-poplock/

You'd need to make fairly extensive modifications, as e-smith 4.1 and later uses obtuse-smtpd as the SMTP daemon, not qmail-smtpd.

-----------------------------------------------------------

A couple of weeks ago I wrote the author of smtp-poplock about its use with obtuse-smtpd; he said it wouldn't work as currently packaged.

Hasan

Chris Hardy

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #22 on: May 24, 2001, 09:15:05 PM »
Graeme Robinson wrote:
>
> Scott wrote:
> > You may be behind a firewall, but as a high percentage of
> > attacks originate from within it is still insecure.
>
> Then you have a physical security problem and should call in
> the police, not a network security problem - to repeat, the
> e-smith server will not route packets to or from its
> internal range so it's not possible for someone outside your
> network to 'sniff' internal addresses to pick up these
> internally routed clear text passwords.

I believe Scott's original intent was to point out that a majority of attacks happen from within the network; it could be a dissatisfied employee, someone playing around on the inside, someone who wants to read his boss's mail. All it would take is for someone to set up mailsnarf, urlsnarf and dsnarf and most likely they'd have access to their boss's mail, surfing habits and likely the root password to an admin machine (most people go with just one password). He also makes a good point.. Why do we Encrypt the E-smith manager page access, but allow other passwords to flow freely on the wire?

Scott Smith

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #23 on: May 25, 2001, 06:11:33 PM »
Graeme Robinson wrote:
>
> Scott wrote:
> > You may be behind a firewall, but as a high percentage of
> > attacks originate from within it is still insecure.
>
> Then you have a physical security problem and should call in
> the police, not a network security problem - to repeat, the
> e-smith server will not route packets to or from its
> internal range so it's not possible for someone outside your
> network to 'sniff' internal addresses to pick up these
> internally routed clear text passwords.

I think you missed my point. A large percentage of network attacks originate behind the firewall. Physical security is only part of the problem, and it is true that if you haven't physically secured your servers then you are open to a plethora of breaches. However, even a physically secure server is open to non-physical attack from the local network. This is such a problem that some companies go so far as to place a firewall between their workstations and their servers!

So, my point was that passing clear text passwords is unsafe, even if it is done on the local network with a firewall protecting you from any external networks.

Here's an example for you. A company encouraged its employees to use PWS to create personal home pages. These were to be "get to know me" sites, project information sites, upcoming events, etc. All very innocuous and useful sounding things. One person hit upon the idea of creating a "project info" site that required users to register. So he created the form, asked for username and password, and lo and behold was granted instant access to a large number of users' network and email accounts. Including some of the top executives of the company.

Some may argue that allowing employees to create sites is a bad idea. Others will point out that it is a bad idea to use the same username/password for all accounts. However, the reality is that these things happen. Some even argue that because of such security failures, your system is at far greater risk from internal attack than from anything else.

> >And, if you are collecting mail from POP3 accounts
> >outside the firewall, then
> >you are still passing passwords in the clear over the
> >public Internet.
>
> To repeat, you shouldn't enable remote collection by pop.
> It's possible to do so in the manager but disabled by default
> in e-smith for the reason that it's insecure.

Again, not my point. I was referring to clients on the local network and behind the firewall, that are collecting mail from POP3 accounts that reside outside the firewall. If you have a Yahoo! account and are getting your messages via POP3 using Email Client X, then your account info is passing across the public Internet in clear text. This has nothing to do with allowing users to collect their mail from e-smith via POP3. Ditto if you are using FTP to upload your personal web pages to some free server. And so on.

As I pointed out before, as most users do not maintain secure usernames and passwords and typically use the same ones for all accounts, then capturing any account info, whether gleaned from the local network or from the public Internet, whether due to POP3 mail collection or SMTP authentication or logging into a web site, will typically reveal the keys to the kingdom -- or at least that user's corner of the kingdom.

Graeme Robinson

Re: Qmail SSL authentication (was Re: SMTP for roaming users
« Reply #24 on: May 28, 2001, 04:16:47 PM »
Scott wrote:

>Some may argue that allowing employees to create sites is a bad idea. Others will point out that it is a bad idea to use the same username/password for all accounts. However, the reality is that these things happen. Some even argue that because of such security failures, your system is at far greater risk from internal attack than from anything else.

I don't doubt it Scott.  I don't have an answer to the vulnerabilities you describe except to say that security reviews should be performed regularly and with particular scrutiny to the provision of new internal services like user web creation schemes to nip such vulnerabilities in the bud.

However there are things you can do to circumvent the risk posed by the passing of clear passwords across the public network (and across the private network) that are likely to be the same user/pw combinations for real local server accounts.  In particular setting a password policy requiring regular changes will lead to passwords on the local net and other unrelated accounts moving out of sync.

Charlie Brady

Authenticated SMTP (was Re: SMTP for roaming users)
« Reply #25 on: May 31, 2001, 02:10:29 AM »
Scott Smith wrote:

> Yes, but it is a question of options. Authenticated, secure
> SMTP should be an option. It is a valid concept, just as
> HTTP/S is a valid (and useful) concept. Whether it is
> available or not, or is currently practical? Well, that is
> another question ;-)

It is currently not practical. The SMTP daemon (smtpd from www.obtuse.com) is running in a very sterile chroot jail and (deliberately) does not have access to the password database. This makes it rather difficult to authenticate users. There's also the issue that there is no protocol support for Authenticated SMTP in smtpd at the moment, and as far as I know, no-one is working on adding it.

Regards

Charlie

Tim Larson

IMAP/POP3/SMTP over SSL
« Reply #26 on: June 19, 2001, 10:43:10 PM »
This was done with e-smith 4.1.2. It might work with other versions - I haven't tried. Please review and send comments, suggestions, and improvements to above email address (after removing "dontspamme" part).

    It is in the interests of certain parties to secure email communications.  What I explain/propose here is a method to provide transfer of email using SMTP/POP3/IMAP over SSL.  The email is only secure between the mail server and the user accessing that email server.

For the HOWTO, go to
http://kepler.covenant.edu/~talarson/SSL.html

Questions that I still need help with:

1. Am I setting up the hosts.allow file properly? I'm not too familiar with hosts.allow, and I don't know if I might be opening up too many holes.

2. If anyone knows how to get Eudora to work with this setup, please let me know (Do I just have to get a signature from a CA?)

3. Can anyone tell me when my sending mail is secure?  When I'm using IMAPS, does mail I send go over the IMAPS connection, or via SMTP?  

4. Can anyone get SMTPS working with a mail client (like Eudora, Pegasus, Netscape, or Outlook) without using stunnel or the like on the client machine?

Comments welcome!

Bruce

Making a standard
« Reply #27 on: September 13, 2001, 07:41:20 PM »
I would have thought that there would be an e-Smith 4.1.3 by now with this included.  Given the secure nature of e-Smith Linux, one would think that this capability should be wrapped into a standard feature and made available to everyone out of the box (or off the CD, from the download, ????).

Someone should look at the user contributions that make sense, check them out, add them to the e-smith install/configure interface, and take it away!!!!