Topic: SME 5.6 and I-Net Email

[Joseph]

Rick....thanks for the short term solution as it looks like it should work for now.  I will do as you as say as you seem to know more about this then I do.  In the long run, i dont know if your suggestions are a true "solution" to my problem.  I prefer all outside users to use WebMail to check email, but those pesky bosses and sales persons on the road like Outlook as they can sync emails with their Blackberrys/Palm Pilots and are hard to get them to change.

Again, thanks to all that gave me advice tonight/this morning!

~Joseph

[Andrej]

I have the same problem... But my clients using only two locations with known IP adresses. If this is the same in your case, just put those (say safe) IPs into the Loacl Networks - leaving ROUTER BLANK. Users from those IP range will be granted to send mails using SMTP !!!

Cheers,

Andrej

[Kelvin]

Hi Joseph,

I'm a little surprised no one aside from Cyrus has brought this up after all this discussion. Unfortunately Cyrus appears to have missed out giving you the link :-

http://www.stickit.nu/pop-before-smtp/

Kelvin

[Bill Talcott]

Nathan's pop-before-smtp does not work with mailfront, so it only works on SME 5.1.2 and older. Mailfront doesn't use the smtpd_check_rules file that the script modifies to allow access. The script still works fine, but the changes made by the script aren't seen by the new mail program.

Damien's SASL contrib *does* have the option to allow authorized SMTP without SSL. I can't vouch that it works in that setup, but it's great over SSL. http://www.pagefault.org/code/e-smith.shtml#securemail

[Michael Soulier]

Joseph wrote:
>
> Rick....thanks for the short term solution as it looks like
> it should work for now.  I will do as you as say as you seem
> to know more about this then I do.  In the long run, i
> dont know if your suggestions are a true "solution" to my
> problem.  I prefer all outside users to use WebMail to check
> email, but those pesky bosses and sales persons on the road
> like Outlook as they can sync emails with their
> Blackberrys/Palm Pilots and are hard to get them to change.

Joseph,

Preventing an open relay requires restriction of those permitted to use the smtp server. There's just no getting around that fact. These external clients of yours are paying an ISP good money for several services, including a pipe to the internet and an outgoing mail server. That is what it's there for. So far, I've only had one ISP check the return address of outgoing mail, and suffice it to say that I'm no longer one of their customers.

If, for some reason I cannot fathom beyond braindead ISPs, your clients _must_ use your server as their smtp server, then I would suggest the only secure way that can be done is a VPN. Either that, or they use Webmail while out of the office.

Using the ISP's mail server is, IMHO, the proper solution.

Mike

[Kelvin]

> Nathan's pop-before-smtp does not work with mailfront

Oops ! My mistake (been around 5.1.2 too long !).

Kelvin

[Bill Talcott]

Michael  Soulier wrote:
>
> If, for some reason I cannot fathom beyond braindead ISPs,
> your clients _must_ use your server as their smtp server,
> then I would suggest the only secure way that can be done is
> a VPN. Either that, or they use Webmail while out of the
> office.

It's a pain to use the ISP's SMTP server, especially for people who move around a lot and use several ISPs. For relatively clueless users, having to monkey with SMTP settings is nearly impossible.

SME is a very capable server on which you already have an account. Why not use its SMTP server anywhere on earth you happen to be?

Unless there's some sort of bug with Damien's contrib (highly unlikely, but I haven't tried it myself), http://forums.contribs.org/index.php?topic=16934.msg65600#msg65600 contains the solution. Users just have to check the "My server requires authentication" box, and you have SMTP access for all of your accounts without opening it up to any unauthorized users.

[James Shields]

Joseph,

I am not sure why you do not want to use the "securemail" package. As explained by Bill Talcott, you do not have to use SSL, and it still allows authenticated users to send email from your server using SMTP.

I have users in Australia, that have ISP's ranging from Telstra BigPond (Australia's largest ISP) to many small regional ISP's as well as some Australian AOL users. They all authenticate against my server (without SSL) and send/receive emails.

Having said that, I have one user who uses my server for incoming mail (POP), but uses his ISP (iPrimus) for sending (SMTP), Like other users have discussed, all he does is change his reply address to the account on my server, rather than email address provided by his ISP.

Hope you get it sorted.

James

[Steve Crowers]

Just out of curiosity,

"you don't have to use SSL"...

I didn't see this mentioned on the website (url in a previous post).  Bearing in mind that I haven't instlled the RPM's yet, does this mean that it supports SMTP AUTH?  is it in Plain mode? Given the multitude of email clients (some of which either don't support SSL or it's flaky), the least common denominator (and still providing "some" protection) would be plain AUTH.

I'm surprised that no-one has posted an rpm with a patch to support this yet.  I've only seen source code patches (which require that I install dev tools on my server).

I'd like to get a bit more info before mucking around on my server...

Thanks,

Steve

[Bill Talcott]

Steve Crowers wrote:
>
> Just out of curiosity,
>
> "you don't have to use SSL"...
>
> I didn't see this mentioned on the website (url in a previous
> post).  Bearing in mind that I haven't instlled the RPM's
> yet, does this mean that it supports SMTP AUTH?  is it in
> Plain mode? Given the multitude of email clients (some of
> which either don't support SSL or it's flaky), the least
> common denominator (and still providing "some" protection)
> would be plain AUTH.
>
> I'm surprised that no-one has posted an rpm with a patch to
> support this yet.  I've only seen source code patches (which
> require that I install dev tools on my server).
>
> I'd like to get a bit more info before mucking around on my
> server...

http://www.pagefault.org/code/e-smith.shtml#securemail
----------------------------------------
* Sat Jan 04 2003 Damien Curtain

- Include seperate ssmtpfront-qmail variables.
- SASL can now be set either on smtp or ssmtp or both.
----------------------------------------

Just install the RPMs, choose the options in Server Manager, and it works. That's all there is to it. There are instructions after each file's section. You can just install the RPMs, then issue a single "/sbin/e-smith/signal-event post-upgrade", rather than doing it after each file (to save time).

Remember that non-SSL email is sent plaintext over the internet. Whenever possible, you should use the secure versions so that your password is encrypted.