Koozali.org: home of the SME Server

5.5 & obtuse-smtpd-qmail-howto

Brad Jennings

5.5 & obtuse-smtpd-qmail-howto
« on: July 03, 2002, 06:42:23 PM »
Do you still need to install the obtuse-smtpd-qmail-howto when installing RAV antivirus on 5.5?

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #1 on: July 03, 2002, 09:00:00 PM »
5.5 doesn't run Obtuse SMTPD, it runs Mailfront, so that How-To would be null and void on E-Smith 5.5.

Nathan

Edgar

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #2 on: July 03, 2002, 09:53:45 PM »
Nathan, that means that we cannot use your pop-before-smtp hack? What can we do now?

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #3 on: July 03, 2002, 10:38:13 PM »
There isn't a real need for pop-before-smtp on E-Smith 5.5 because from what I understand E-Smith 5.5 w/MailFront supports SASL. At this point I have no plans on porting pop-before-smtp to work on Mailfront, there may be third party implementations of the pop-before-smtp logic applied to Mailfront, I'm honestly not sure. SASL allows a user to login to the SMTP server with relay rights. Keep in mind that 5.5 is still a little buggy and I question the security involved in SASL since system passwords are sent via plain-text in a non-encrypted fashion (I guess the same holds true for POP3/IMAP, so I recommend using stunnel). What I do not know is if E-Smith 5.5 has enabled Mailfront to do SASL by using cvm-sasl. While SASL will support CRAM-MD5 there is a note on the cvm-sasl site saying:
"As of this writing, there are no CRAM-MD5 CVMs, so that functionality is completely untested. If $CVM_SASL_LOGIN is set, it overrides $CVM_SASL_PLAIN for LOGIN authentication."

Link to mailfront cvm-sasl:
http://untroubled.org/mailfront/cvm-sasl.html

My two cents:
I'd stick with Obtuse (E-Smith pre 5.5) until some of the bugs are worked out of Mailfront.

Hope this helped,
Nathan
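What the SASL mechanisms named in the post above put on the wire, as an added example that is not part of the original post: PLAIN and LOGIN are base64 encodings that anyone can reverse, while CRAM-MD5 sends a keyed digest of a per-session server challenge. The user name, password and challenges are constructed sample values.

```python
import base64
import hashlib
import hmac

def plain_response(user, password, authzid=""):
    """AUTH PLAIN (RFC 4616): base64 of authzid NUL user NUL password."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()

def login_responses(user, password):
    """AUTH LOGIN: user name and password, each base64-encoded on its own line."""
    return tuple(base64.b64encode(s.encode()).decode() for s in (user, password))

def decode_plain(token):
    """Reverse the encoding. No key is involved, so any observer can do this."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0", 2)
    return user, password

def cram_md5_response(user, password, challenge_b64):
    """AUTH CRAM-MD5 (RFC 2195): base64 of 'user ' + hex HMAC-MD5(password, challenge)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "bill", "s3cret"
CHALLENGE_1 = base64.b64encode(b"<1001.1026164000@mail.example.org>").decode()
CHALLENGE_2 = base64.b64encode(b"<1002.1026164060@mail.example.org>").decode()

if __name__ == "__main__":
    token = plain_response(USER, PASSWORD)
    print("AUTH PLAIN   ", token, "->", decode_plain(token))
    print("AUTH LOGIN   ", login_responses(USER, PASSWORD))
    for ch in (CHALLENGE_1, CHALLENGE_2):
        resp = cram_md5_response(USER, PASSWORD, ch)
        print("AUTH CRAM-MD5", base64.b64decode(resp).decode())
```

Wrapping the connection in stunnel, as the post recommends, protects the PLAIN and LOGIN tokens in transit; CRAM-MD5 keeps the password itself off the wire but leaves the rest of the session unencrypted.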

Edgar

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #4 on: July 03, 2002, 10:49:55 PM »
you got my vote!!

Charlie Brady

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #5 on: July 05, 2002, 02:19:57 AM »
> I'd stick with Obtuse (E-Smith pre 5.5) until some of the bugs are worked out
> of Mailfront.

What bugs, Nathan? I'm unaware of any. Please report any that you are aware of to bugs@e-smith.com.

Charlie

Bill Talcott

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #6 on: July 08, 2002, 06:52:22 PM »
We have a remote office stuck on dialup (dynamic IP) that is using SME 5.0 and Nathan's IMAP-before-SMTP for access. Will the users still be able to send mail like this if I upgrade to 5.5?

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #7 on: July 08, 2002, 09:04:31 PM »
Bill, see http://forums.contribs.org/index.php?topic=14336.msg54584#msg54584

Unless E-Smith 5.5 is using SASL with mailfront the same functionality you see in 5.2 via the x-before-smtp scripts would not be extended in 5.5. I have no plans of porting the current x-before-smtp scripts over to mailfront (from Obtuse SMTPD) because of the existence of SASL.

Hope this helped,
Nathan

Charlie Brady

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #8 on: July 08, 2002, 09:47:23 PM »
Nathan Fowler wrote:

> Unless E-Smith 5.5 is using SASL with mailfront the same
> functionality you see in 5.2 via the x-before-smtp scripts
> would not be extended in 5.5.

5.5 does not ship with SASL enabled, as mailfront does not yet support TLS (SSL), and we discourage use of cleartext passwords (or cleartext equivalent) over the Internet.

Regards

Charlie

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #9 on: July 08, 2002, 09:57:59 PM »
I don't recommend using plaintext passwords either, it may be possible to use stunnel to encrypt data communication with the SMTP server including SASL, however since I am still on 4.1.2 and have no plans on updating it is unlikely that I will have a chance to look at doing such. If your users are using pop3 over an internet pipe they are disclosing sensitive password information in plain-text. I recommend using stunnel with securePOP. If you search the forums I know I've posted the Howto.

Charlie, as always, thanks for your time.

Nathan

Bill Talcott

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #10 on: July 08, 2002, 10:13:53 PM »
I read that, and got the impression that it was possible to do with the new setup, but wasn't sure if it was actually implemented. Charlie explained that satisfactorily. Guess I'll stick with what we have for a bit longer...

Bill Talcott

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #11 on: July 09, 2002, 12:39:21 AM »
Nathan Fowler wrote:
>
> supports SASL.  At this point I have no plans on porting
> pop-before-smtp to work on Mailfront, there may be third
> party implementations of the pop-before-smtp logic applied to
> Mailfront, I'm honestly not sure. SASL allows a user to login

Is http://untroubled.org/mailfront/ the same Mailfront that SME uses? Would http://untroubled.org/relay-ctrl/ work for our situation? Or is that what's built-in already? I get confused with qmail and Obtuse and Mailfront and all these different things that seem like they're doing the same thing... All this is from http://qmail.mirrors.summersault.com/top.html#addons FYI, which I got from a Google search...

Ah, found http://www.mail-archive.com/devinfo@lists.e-smith.org/msg08704.html a little further down the search results. Guess they are the same. So would relay-ctrl work then?

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #12 on: July 09, 2002, 12:48:54 AM »
Relay control is what you want to do, that is what pop-before-smtp does, however, there are quite a few dependencies in there that I'm not sure about (relay-ctrl), personally I'd try to get SASL working first, it appears to be a better option.  Relay-ctrl appears to be more like pop-before-smtp.

That's my two cents.

SASL allows you to directly "log" into the SMTP server without the need to authenticate with a POP/IMAP server.  Relay-Ctrl is more like the existing pop-before-smtp method that you are accustomed to, where you must first connect to a POP/IMAP daemon before you can relay.

Hope this helped,

Nathan

Bill Talcott

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #13 on: July 09, 2002, 01:01:58 AM »
Is the relay-ctrl/___-before-smtp more or less secure than the current SASL (the way it sends plaintext passwords)? I'm more concerned about sending plaintext passwords than about an unauthorized person getting relay access for a few minutes. It's not a big deal that they have to check their mail before sending, as they usually do anyway. Does this SASL login require any additional logins, or is this transparent to the user also (by using the supplied POP/IMAP login info or something)?

Thanks again for answering all my dumb questions. One of these days I'll finally know everything. =)

Nathan Fowler

Re: 5.5 & obtuse-smtpd-qmail-howto
« Reply #14 on: July 09, 2002, 01:20:23 AM »
Not to worry, none of the questions you have asked could possibly be viewed as dumb.

SASL is more secure than x-Before-SMTP because my implementation of the pop-before-smtp logic is not based on successful authorization, but rather a connection. SASL and Relay-Ctrl both send passwords in plain-text. You are disclosing sensitive password information in unencrypted text every time you POP to your server, this is why I recommend using stunnel + pop3.

SASL requires the user to "Login to the SMTP server." Most E-Mail clients support this option, I believe Microsoft calls it "My server requires me to login to send mail". Personally, I don't know what to think of mailfront. I don't have any experience with it so I really don't have any grounds to formulate a real opinion of either. What I can say is I don't like sending cleartext or unencrypted passwords period. It depends on your view of security to determine if it is more or less secure. One method (SASL/Relay-CTRL) using plain-text can compromise the user account. x-before-smtp with stunnel will not leak any password information, in a worst-case scenario you become an open relay for a specific user for a limited amount of time.

Bill, by the way, upgrade your pop-before-smtp (http://www.stickit.nu/pop-before-smtp), I just released a new version today.

Nathan
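The difference described in the post above between granting relay on a POP/IMAP connection and granting it on a successful login, modelled as an added example that is not part of the original post and is not the code of pop-before-smtp or relay-ctrl. The `RelayTable` class, the 900 second window and the event list are assumptions made for illustration.

```python
class RelayTable:
    """IP-keyed relay window, as used by x-before-smtp style schemes."""

    def __init__(self, ttl_seconds, require_auth_success):
        self.ttl = ttl_seconds
        self.require_auth_success = require_auth_success
        self.expires = {}  # client IP -> time the relay window closes

    def on_pop_session(self, ip, auth_ok, now):
        """Called once per POP/IMAP session seen from `ip`."""
        if auth_ok or not self.require_auth_success:
            self.expires[ip] = now + self.ttl

    def may_relay(self, ip, now):
        """SMTP side: relay only while the window for this IP is open."""
        deadline = self.expires.get(ip)
        if deadline is None:
            return False
        if now >= deadline:
            del self.expires[ip]  # window closed, forget the address
            return False
        return True

def replay(table, events):
    """Run (time, kind, ip, auth_ok) events; return the SMTP relay decisions."""
    decisions = []
    for now, kind, ip, auth_ok in events:
        if kind == "pop":
            table.on_pop_session(ip, auth_ok, now)
        else:  # "smtp"
            decisions.append((now, ip, table.may_relay(ip, now)))
    return decisions

# Constructed events using documentation addresses (RFC 5737).
EVENTS = [
    (0,    "pop",  "192.0.2.10",   True),   # dial-up user checks mail, login succeeds
    (30,   "smtp", "192.0.2.10",   None),   # same user sends mail
    (60,   "pop",  "198.51.100.7", False),  # another host connects, login fails
    (90,   "smtp", "198.51.100.7", None),   # that host asks to relay
    (1000, "smtp", "192.0.2.10",   None),   # user again, after the window closed
]
TTL = 900  # assumed 15 minute relay window

if __name__ == "__main__":
    for label, strict in (("grant on connection", False), ("grant on login", True)):
        print(label, replay(RelayTable(TTL, strict), EVENTS))
```

In both modes the grant is tied to the client IP address and expires with the window, which matches the thread's description of the exposure as relay access for a limited time rather than a disclosed password.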