Koozali.org: home of the SME Server

Sending mails with sender-dependent authentication

ff
Sending mails with sender-dependent authentication
« on: September 04, 2015, 01:02:52 PM »
Hello,
SME Server shall make a mail exchange with the external mailserver of our hoster. For relaying mails this server is expecting the same authentication per username and password as fetchmail does when fetching mails from there. I tried realizing this with postfix/dovecot, but the configuration is - to put it mildly - not simple. My search for a free/inexpensive and stable mailserver with this capability was not successful by now. Is there a plugin or method to realize this with SME Server? I say thanks for any answer.
Gerhard
« Last Edit: September 04, 2015, 01:06:09 PM by ff »

ReetP
Re: Sending mails with sender-dependent authentication
« Reply #1 on: September 04, 2015, 06:17:14 PM »
Quote
Hello,
SME Server shall make a mail exchange with the external mailserver of our hoster. For relaying mails this server is expecting the same authentication per username and password as fetchmail does when fetching mails from there. I tried realizing this with postfix/dovecot, but the configuration is - to put it mildly - not simple. My search for a free/inexpensive and stable mailserver with this capability was not successful by now. Is there a plugin or method to realize this with SME Server? I say thanks for any answer.
Gerhard

Hi Gerhard,

I am not aware of any mail servers that will individually authenticate each user account to an upstream smarthost. I don't believe that SMTP was really designed that way for communications between servers....

My guess is that you are trying to interface with an Office 365 solution from your ISP - http://forums.contribs.org/index.php/topic,49452.msg247091.html

If this is the case I am not sure you are going to be able to achieve what you want. By forcing individual authentication for sending via SMTP your ISP is trying to prevent you from using your current setup and wants to sell you lots of individual accounts.

I was faced with the same issue and that was when I realised it was cheaper to get my own cloud server and host all my mail myself..... my ISP cannot hold me to ransom any longer.

You could look at finding a paid for smart host somewhere.

Or change your ISP !

Sorry that this is not the news that you wanted to hear, but I don't know of another alternative.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ff
Re: Sending mails with sender-dependent authentication
« Reply #2 on: September 07, 2015, 10:34:46 AM »
Hello John,
thank you for your answer. But no, it has nothing to do with Office 365. There's a close and confident cooperation between us and our hoster for many years. Explaining all the reasons for this necessity would be too much for this post. I can only say that I need this capability. I know that postfix can realize it in answer to all the problems resulting from the inexpressible spam trouble we all have to manage.
Gerhard

ReetP
Re: Sending mails with sender-dependent authentication
« Reply #3 on: September 08, 2015, 01:16:18 PM »
Quote
Hello John,
thank you for your answer. But no, it has nothing to do with Office 365. There's a close and confident cooperation between us and our hoster for many years. Explaining all the reasons for this necessity would be too much for this post. I can only say that I need this capability. I know that postfix can realize it in answer to all the problems resulting from the inexpressible spam trouble we all have to manage.
Gerhard

No problems.

At the end of the day, mail servers that relay mail were not really designed with individual authentication between servers in mind.

You should either just use the mail server at your ISP, or use SME as a mail server in its own right.

I know this is not what you really want to hear, but that's the way things were designed.

Currently SME does not use postfix, though we may look at that in the future.

As a matter of interest, if you search the forums I noticed that someone did install postfix on SME some while ago. You can tell qpsmtpd to use postfix as the backend I believe - http://wiki.contribs.org/Email#qpsmtpd.

There was even a package that helped you switch. I am trying to see if I can get hold of this as we could possibly look at a contrib. However, this will not be happening any time soon unless we get a volunteer to build it !

http://forums.contribs.org/index.php?topic=27861.0
http://lists.contribs.org/pipermail/devinfo/2004-June/006761.html

I believe some have also installed open-xchange with postfix :
http://forums.contribs.org/index.php?topic=31511.0
http://forums.contribs.org/index.php?topic=32657.0



B. Rgds
John

Stefano
Re: Sending mails with sender-dependent authentication
« Reply #4 on: September 08, 2015, 01:44:58 PM »
Quote
Quote
I know that postfix can realize it

could you please tell us how? in this way we could find the way to make SME work in the same way

Indeed....

I think you need to look at what happens with authent against Office 365 which requires individual user authent - a few links.... Google for stuff like 'Postfix with Office 365' :

http://serverfault.com/questions/379013/postfix-relay-to-office365
https://community.office365.com/en-us/f/158/t/17823

Quote
you can always use SME as your SMTP server (and users must auth to send emails) and then relay emails using a smarthost (authentication required)

The issue is that you can authent individually to SME but it is when SME tries to relay on to the ISP smarthost. I think the ISP smarthost requires individual authent from whoever passes it mail.

I (and many others) came unstuck on this when my ISP moved to Office 365. I had been using their smarthost to relay mail - it only needed one authenticated account. But Office 365 required each mail to be individually authenticated against the particular user.

It was easier to get my own server and do it all myself.

« Last Edit: September 08, 2015, 02:01:34 PM by ReetP »

CharlieBrady
Re: Sending mails with sender-dependent authentication
« Reply #5 on: September 09, 2015, 05:22:00 AM »
Quote
I can only say that I need this capability.

I'm sorry, you are out of luck - you cannot have it. The SME server doesn't have copies of your users' passwords at the ISP, and cannot authenticate using them at the ISP.

Your users, however, can bypass SME server, and send directly to your ISP's mail server. Any local mail can then be sent back to SME server by the ISP.

To put it another way, we don't understand why you want to relay your users' emails twice, once by SME server and once by the ISP, when they can just go straight to the ISP's mail relay.
« Last Edit: September 09, 2015, 05:40:09 AM by CharlieBrady »

ReetP
Re: Sending mails with sender-dependent authentication
« Reply #6 on: September 09, 2015, 09:48:47 AM »
Quote
I'm sorry, you are out of luck - you cannot have it. The SME server doesn't have copies of your users' passwords at the ISP, and cannot authenticate using them at the ISP.

Not with qmail/qpsmtpd.... there is a possibility with Postfix. For ref :

http://www.postfix.org/SMTPD_PROXY_README.html

And for those that have used fetchmail..... users and passwords are all there.

Quote
Your users, however, can bypass SME server, and send directly to your ISP's mail server. Any local mail can then be sent back to SME server by the ISP.

Yes you can bypass your SME and deal direct with the ISP, but then your mail stays with the ISP which you may not want. Sending copies back et al is just messy. Where does your Sent mail end up ? The Inbox ?

Quote
To put it another way, we don't understand why you want to relay your users' emails twice, once by SME server and once by the ISP, when they can just go straight to the ISP's mail relay.

I do....

Because recent changes in a lot of ISPs mean that you cannot use one login to the ISP smarthost to relay/forward on your mail. If you are also stuck with some crummy IP that gets blocked a lot as it is in a 'residential' IP block, then using the ISP smarthost was useful, or the only way to reliably send email and still keep it all stored on your own server.

For sure in the UK some ISPs were not happy at people running their own server for business on a single IP and wanted to leverage them to pay more. Moving to products like 365 did this as you have to authent on a per user basis to use the smarthost which effectively kills you using SME as your mail host. It's why I changed to running my cloud box, and a lot of people I knew did the same thing.

This is not the specific case for this user, but the principle is the same.

CharlieBrady
Re: Sending mails with sender-dependent authentication
« Reply #7 on: September 09, 2015, 09:54:37 AM »
Quote
Not with qmail/qpsmtpd.... there is a possibility with Postfix. For ref :

http://www.postfix.org/SMTPD_PROXY_README.html

That doesn't seem to have anything to do with outbound authentication to me.

Quote
And for those that have used fetchmail..... users and passwords are all there.

That's only the case when a fetchmail contrib is used, and where all users use that feature. It is also a security flaw with that contrib. Keeping plaintext passwords on the server is a bad idea.

CharlieBrady
Re: Sending mails with sender-dependent authentication
« Reply #8 on: September 09, 2015, 10:03:58 AM »
Quote
Yes you can bypass your SME and deal direct with the ISP, but then your mail stays with the ISP which you may not want.

That depends, I'm sure, on how the domain and the ISP are configured, and will vary from case to case.

Quote
For sure in the UK some ISPs were not happy at people running their own server for business on a single IP and wanted to leverage them to pay more.
...
This is not the specific case for this user, but the principle is the same.

It sounds like this is a real issue, but it's getting off-topic for this thread. Perhaps it should be addressed in the bug tracker. From what you say something goes wrong when you use one user at the ISP smarthost. Sounds like a bug report for that is a good place to start.

ReetP
Re: Sending mails with sender-dependent authentication
« Reply #9 on: September 09, 2015, 10:21:00 AM »
Quote
That depends, I'm sure, on how the domain and the ISP are configured, and will vary from case to case.

Not sure how sent mails that bypass SME would end up back in the sent mails for a user ?

Quote
It sounds like this is a real issue, but it's getting off-topic for this thread. Perhaps it should be addressed in the bug tracker. From what you say something goes wrong when you use one user at the ISP smarthost. Sounds like a bug report for that is a good place to start.

I'll do one as I think it is an issue for some users.

CharlieBrady
Re: Sending mails with sender-dependent authentication
« Reply #10 on: September 09, 2015, 10:36:12 AM »
Quote
Not sure how sent mails that bypass SME would end up back in the sent mails for a user ?

The 'Sent mail' folder doesn't get populated via SMTP or the smart host. It's usually a local or IMAP folder.

ReetP
Re: Sending mails with sender-dependent authentication
« Reply #11 on: September 09, 2015, 01:05:02 PM »
qpsmtpd cannot perform individual user authentication to smarthost

http://bugs.contribs.org/show_bug.cgi?id=9050

ff
Re: Sending mails with sender-dependent authentication
« Reply #12 on: September 09, 2015, 04:51:07 PM »
Thank you for all the answers and postings. Because I live in Germany and my English is not the best, it's not easy to follow the discussion. Stefano asked how postfix realizes the sender dependent authentication. In the article http://www.postfix.org/SASL_README.html there is a chapter named "Configuring Sender-Dependent SASL authentication", where you can find the description, or, in German, if anyone can translate it, you find a good HowTo under https://wiki.ubuntuusers.de/Postfix/Erweiterte_Konfiguration#Sender-abhaengige-Authentifizierung. BTW: I will use the fetchmail plugin for all users. Thank you.
Gerhard
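
Added example, not part of any post in this thread and not code from Postfix or SME Server: a small Python model of the sender-dependent SASL setup referenced in the last post, combined with a permission check for the plaintext-password concern raised in reply #7. The Postfix parameter names are real; the host name, accounts, passwords and the Python function names are constructed for illustration.

```python
import os
import stat

# Constructed main.cf excerpt; the parameter names are real Postfix settings,
# the relay host is a placeholder.
MAIN_CF = """\
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
relayhost = [mail.hoster.example]:587
"""

# Constructed sasl_passwd source: per-sender rows, then the relayhost default.
SASL_PASSWD = """\
# lookup key               login:password
alice@example.org          alice-login:alice-secret
bob@example.org            bob-login:bob-secret
[mail.hoster.example]:587  shared-login:shared-secret
"""

def parse_main_cf(text):
    """Return 'name = value' settings as a dict."""
    rows = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))
    return {name.strip(): value.strip() for name, value in rows}

def parse_map(text):
    """Parse a 'key value' lookup table, skipping comments and blank lines."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {key: value.strip() for key, value in rows}

def sasl_login_for(sender, conf, table):
    """Lookup order: envelope sender first (when enabled), then the relayhost key."""
    keys = [conf["relayhost"]]
    if conf.get("smtp_sender_dependent_authentication") == "yes":
        keys.insert(0, sender)
    for key in keys:
        if key in table:
            return table[key].split(":", 1)[0]
    return None

def readable_by_others(path):
    """True if group or other can read the plaintext credential file."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    conf, table = parse_main_cf(MAIN_CF), parse_map(SASL_PASSWD)
    for sender in ("alice@example.org", "carol@example.org"):
        print(sender, "->", sasl_login_for(sender, conf, table))
```

On a real host the permission check applies to both the `sasl_passwd` source file and the `.db` file that `postmap` generates from it, since both hold the upstream passwords in recoverable form.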