Topic: SMTP for roaming users

[Graeme Robinson]

Hasan wrote:
>If the e-smith distributed version of qmail is not already SSL enabled, then aren't >users already passing unencrypted passwords to retrieve email via POP or >IMAP?

but you are only popping/imapping behind your e-smith firewall so these exchanges are already secure.

>If unencrypted passwords are OK to authenticate users for retrieving email, why >aren't they OK for authencating users to sent email?

No, not OK.  They are not secure for remote collection of mail. You can choose to enable remote POP mail but this will pass clear text passwords across the public internet.  I don't recommend it.

If you are outside the firewall - then you can securely check & send your mail via the webmail interface or by creating a PPTP connection.

I'm undecided about the worth of SSL over SMTP, but while two alternative solutions already exist for your problem (ie sending mail  via e-smith over a remote connection) I doubt you'll persuade E-smith to invest energy into it.  It's an issue that would more properly be addressed by the developers of qmail or their equivalent.

[swamy]

Hi

When i tried to test the PPTP to use SMTP on my E-smith 4.1.1 i am getting
Error 5: Access denied. I configured PPTP on winNT4.0 workstation and this is part of the lan.

I did installation of PPTP on win98 and tried to use the dialup account for the internet and want to use SMTP with the help of PPTP. But i am getting error 691: pls check the password. I tried with different users and the error is still there.

Pls help me ..all my roaming users want to send and receive their mails from out side the LAN.

reg

[Scott Smith]

Graeme Robinson wrote:
>
> but you are only popping/imapping behind your e-smith
> firewall so these exchanges are already secure.

You may be behind a firewall, but as a high percentage of attacks originate from within it is still insecure. And, if you are collecting mail from POP3 accounts outside the firewall, then you are still passing passwords in the clear over the public Internet.

> >If unencrypted passwords are OK to authenticate users for
> retrieving email, why >aren't they OK for authencating users
> to sent email?
>
> No, not OK.  They are not secure for remote collection of
> mail. You can choose to enable remote POP mail but this will
> pass clear text passwords across the public internet.  I
> don't recommend it.

You're thinking of picking up mail from e-smith from a connection outside the firewall. It is probably just as if not more common for the reverse to occur, as described above. Considering that most users use a single password for everything, having a password from one source is probably the key to kingdom.

> If you are outside the firewall - then you can securely check
> & send your mail via the webmail interface or by creating a
> PPTP connection.

Yes, but it is a question of options. Authenticated, secure SMTP should be an option. It is a valid concept, just as HTTP/S is a valid (and useful) concept. Whether it is available or not, or is currently practical? Well, that is another question

[Shelby Moore]

In looking for a solutions to this problem I came across this site.  This sounds like it might work.  Anybody see why not?

I am going to try and install this weekend and see.

http://www.davideous.com/smtp-poplock/

Shelby Moore

[Charlie Brady]

Shelby Moore wrote:
 
> In looking for a solutions to this problem I came across this
> site.  This sounds like it might work.  Anybody see why not?
>
> I am going to try and install this weekend and see.
>
> http://www.davideous.com/smtp-poplock/

You'd need to make fairly extensive modifications, as e-smith 4.1 and later uses obtuse-smtpd as the SMTP daemon, not qmail-smtpd.

My recommendation is for roaming users to use the local ISP's SMTP daemon when they travel (when on vacation, we drop postcards into the local postbox, we don't send them home to be reposted there), but if that is unsatisfactory, use PPTP VPN or webmail.

We will continue to investigate the possibility of supporting encrypted and authenticated SMTP, but it isn't available "off the shelf" and won't be available in the near future. We'd certainly be happy to have a contributed solution.

Regards

Charlie

[Graeme Robinson]

Scott wrote:
>You may be behind a firewall, but as a high percentage of attacks originate from >within it is still insecure.

Then you have physical security problem and should call in the police, not a network security problem - to repeat, the e-smith server will not route packets to or from it's internal range so it's not possible for someone outside your network to 'sniff' internal addresses to pick up these internally routed clear text passwords.

>And, if you are collecting mail from POP3 accounts
>outside the firewall, then
>you are still passing passwords in the clear over the
>public Internet.

To repeat, you shouldn't enable remote collection by pop.  It's possible to do so in the manager but disabled by default in e-smith for the reason that it's insecure.

[Hasan Muhammad]

> In looking for a solutions to this problem I came across this
> site. This sounds like it might work. Anybody see why not?
>
> I am going to try and install this weekend and see.
>
> http://www.davideous.com/smtp-poplock/

You'd need to make fairly extensive modifications, as e-smith 4.1 and later uses obtuse-smtpd as the SMTP daemon, not qmail-smtpd.

-----------------------------------------------------------

A couple of weeks ago I wrote the author of smtp-poplock about its use with obtuse-smtpd; he said it wouldn't work as currently packaged.

Hasan

[Chris Hardy]

Graeme Robinson wrote:
>
> Scott wrote:
> >You may be behind a firewall, but as a high percentage of
> attacks originate from >within it is still insecure.
>
> Then you have physical security problem and should call in
> the police, not a network security problem - to repeat, the
> e-smith server will not route packets to or from it's
> internal range so it's not possible for someone outside your
> network to 'sniff' internal addresses to pick up these
> internally routed clear text passwords.

I believe Scott's orignal intent was to point out that a majority of attacks happen from within the network, it could be a disatisfied employee, some one playing around on the inside, someone who wants to read his bosses mail.  All it would take is for someone to set up mailsnarf, urlsnarf and dsnarf and you'd most likly they'd have access to their bosses mail, surfing habits and likley the root password to an admin machines. (most people go with just one password).  He also makes a good point.. Why do we Encrypt the E-smith manager page access, but allow other passwords to flow freely on the wire?

[Scott Smith]

Graeme Robinson wrote:
>
> Scott wrote:
> >You may be behind a firewall, but as a high percentage of
> attacks originate from >within it is still insecure.
>
> Then you have physical security problem and should call in
> the police, not a network security problem - to repeat, the
> e-smith server will not route packets to or from it's
> internal range so it's not possible for someone outside your
> network to 'sniff' internal addresses to pick up these
> internally routed clear text passwords.

I think you missed my point. A large percentage of network attacks originate behind the firewall. Physical security is only part of the problem, and it is true that if you haven't phsically secured you servers then you are open to a plethora of breaches. However, even a physically secure server is open to non-physical attack from the local network. This is such a problem that some companies go so far as to place a firewall between their workstations and their servers!

So, my point was that passing clear text passwords is unsafe, even if it is done on the local network with a firewall protecting you from any external networks.

Here's an example for you. A company encouraged it's employees to use PWS to create personal home pages. These were to be "get to know me" sites, project information sites, upcoming events, etc. All very innocuous and useful sounding things. One person hit upon the idea of creating a "project info" site that required users to register. So he created the form, asked for username and password, and lo and behold was granted instant access to a large number of user's network and email accounts. Including some of the top executives of the company.

Some may argue that allowing employees to create sites is a bad idea. Others will point out that it is a bad idea to use the same username/password for all accounts. However, the reality is that these things happen. Some even argue that because of such security failures, your system is at far greater risk from internal attack than from anything else.

> >And, if you are collecting mail from POP3 accounts
> >outside the firewall, then
> >you are still passing passwords in the clear over the
> >public Internet.
>
> To repeat, you shouldn't enable remote collection by pop.
> It's possible to do so in the manager but disabled by default
> in e-smith for the reason that it's insecure.

Again, not my point. I was referring to clients on the local network and behind the firewall, that are collecting mail from POP3 accounts that reside outside the firewall.  If you have a Yahoo! account and are getting you messages via POP3 using Email Client X, then your account info is passing across the public Internet in clear text. This has nothing to do with allowing users to collect their mail from e-smith via POP3. Ditto if you are using FTP to upload your personal web pages to some free server. And so on.

As I pointed out before, as most users do not maintain secure usernames and passwords and typically use the same ones for all accounts, then capturing any account info, whether gleaned from the local network or from the public Internet, whether due to POP3 mail collection or SMTP authentication or logging into a web site, will typically reveal the keys to the kingdom -- or at least that user's corner of the kingdom.

[Graeme Robinson]

Scott wrote:

>Some may argue that allowing employees to create sites is a bad idea. Others >will point out that it is a bad idea to use the same username/password for all >accounts. However, the reality is that these things happen. Some even argue >that because of such security failures, your system is at far greater risk from >internal attack than from anything else.

I don't doubt it Scott.  I don't have an answer to the vulnerabilities you describe except to say that security reviews should be performed regularly and with particular scrutiny to the provision of new internal services like user web creation schemes to nip such vulnerabilities in the bud.

However there are things you can do to circumvent the risk posed by the passing of clear passwords across the public network (and across the private network) that are likely to be the same user/pw combinations for real local server accounts.  In particular setting a password policy requiring regular changes will lead to passwords on the local net and other unrelated accounts moving out of sync.

[Charlie Brady]

Scott Smith wrote:

> Yes, but it is a question of options. Authenticated, secure
> SMTP should be an option. It is a valid concept, just as
> HTTP/S is a valid (and useful) concept. Whether it is
> available or not, or is currently practical? Well, that is
> another question

It is currently not practical. The SMTP daemon (smtpd from www.obtuse.com) is running in a very sterile chroot jail and (deliberately) does not have access to the password database. This makes it rather difficult to authenticate users. There's also the issue that there is no protocol support for Authenticated SMTP in smptd at the moment, and as far as I know, no-one is working on adding it.

Regards

Charlie

[Tim Larson]

This was done with e-smith 4.1.2.  It might work with other versions - I haven't tried.  Please review and send comments, suggessions, and improvements to above email address (after removing "dontspamme" part).

    It is in the interests of certain parties to secure email communications.  What I explain/propose here is a method to provide transfer of email using SMTP/POP3/IMAP over SSL.  The email is only secure between the mail server and the user accessing that email server.

For the HOWTO, goto
http://kepler.covenant.edu/~talarson/SSL.html

Questions that I still need help with:

1. Am I setting up the hosts.allow file properly? I'm not too familiar with hosts.allow, and I don't know if I might be opening up too many holes.

2. If anyone knows how to get Eudora to work with this setup, please let me know (Do I just have to get a signature from a CA?)

3. Can anyone tell me when my sending mail is secure?  When I'm using IMAPS, does mail I send go over the IMAPS connection, or via SMTP?  

4. Can anyone get SMTPS working with a mail client (like Eudora, Pegasus, Netscape, or Outlook) without using stunnel or the like on the client machine?

Comments welcome!

[Bruce]

I would have thought that there would be an e-Smith 4.1.3 by now with this included.  Given the secure nature of e-Smith Linux, one would think that this capability should be wrapped into a standard feature and made available to everyone out of the box (or off the CD, from the download, ????).

Someone should look at the user contributions that make sense, check them out, add them to the e-smith install/configure interface, and take it away!!!!