Koozali.org: home of the SME Server

smtp-auth displayed in email message

zbyszko
« on: October 20, 2015, 03:50:25 PM »
Hello all,
I installed SME9 as a mail server and found that you can see the Linux account username in the message.

I found a similar topic from 2009 for SME7.4:
http://forums.contribs.org/index.php/topic,44171.msg212021.html#msg212021

Is there any new solution to hide the username since that time, or maybe is it possible to change qmail to another mail daemon?

Regards,
Zbyszko

Stefano
« Reply #1 on: October 20, 2015, 03:57:36 PM »
Hi, welcome here.

You should tell us what you are trying to achieve and why. As you (maybe) have seen in the thread you linked, such information is useful for debugging purposes.

Anyway, ATM and AFAIK, there's no way to do it without editing qpsmtpd core as suggested.

Regarding the idea of moving from qmail to $whatever, I observe that such a feature is inside qpsmtpd and so qmail is not involved. Moving to postfix, exim or another MTA requires a full rewrite of all email-related fragments/templates/events. In other words, the answer is "yes, but it won't be easy nor implemented here nor supported here".

Daniel B.
« Reply #2 on: October 20, 2015, 04:11:04 PM »
You can take a look at http://repo.firewall-services.com/centos/5/noarch/smeserver-qpsmtpd-anonymizereceived-0.1-3.el5.fws.noarch.rpm

One of my clients was bothered by this too, so I wrote this little qpsmtpd plugin to anonymize this. I haven't recompiled it for SME9, but it should work as is.
It's the end of the world !!! :lol:

zbyszko
« Reply #3 on: October 21, 2015, 08:36:40 AM »
Hi,
The reason is security. If you know a system login name, it is easier to get into the system than if you did not.
Thank you for your reply.
Regards,
Zbyszko

zbyszko
« Reply #4 on: October 21, 2015, 08:42:30 AM »
Quote
You can take a look at http://repo.firewall-services.com/centos/5/noarch/smeserver-qpsmtpd-anonymizereceived-0.1-3.el5.fws.noarch.rpm
One of my clients was bothered by this too, so I wrote this little qpsmtpd plugin to anonymize this. I haven't recompiled it for SME9, but it should work as is.

Hi,
Thank you for your information. I will try to test and use it.
Zbyszko

Stefano
« Reply #5 on: October 21, 2015, 08:45:19 AM »
Quote
Hi,
The reason is security. If you know a system login name, it is easier to get into the system than if you did not.
Thank you for your reply.
Regards,
Zbyszko

Security is achieved using strong and secure passwords.
Security by obscurity is never a good choice.
« Last Edit: October 21, 2015, 08:47:22 AM by Stefano »

zbyszko
« Reply #6 on: October 21, 2015, 10:55:19 AM »
Quote
You can take a look at http://repo.firewall-services.com/centos/5/noarch/smeserver-qpsmtpd-anonymizereceived-0.1-3.el5.fws.noarch.rpm
One of my clients was bothered by this too, so I wrote this little qpsmtpd plugin to anonymize this. I haven't recompiled it for SME9, but it should work as is.

I installed it and at this moment it seems to be quite good.
Thanks.

zbyszko
« Reply #7 on: October 21, 2015, 11:04:50 AM »
Quote
Security is achieved using strong and secure passwords.
Security by obscurity is never a good choice.

I think in the time of parallel computing there are no strong and secure passwords. You need time and a sufficient machine to guess a password.
I agree with you that security that uses only obscurity is not a good way.

This topic is more sophisticated than 2 to 4 sentences from you or me.

Daniel B.
« Reply #8 on: October 21, 2015, 11:07:01 AM »
Quote
I think in the time of parallel computing there are no strong and secure passwords. You need time and a sufficient machine to guess a password.

You can install fail2ban to reduce this risk. Brute-forcing a password when you only have 3 tries per 15 min per IP (or you're banned for half an hour) is less likely to work.

Stefano
« Reply #9 on: October 21, 2015, 11:11:38 AM »
I agree with Daniel..
strong password, access policies, services monitoring.. that's the way..
hiding info gives you a false sense of security

zbyszko
« Reply #10 on: October 21, 2015, 11:39:16 AM »
Quote
I agree with Daniel..
strong password, access policies, services monitoring.. that's the way..
hiding info gives you a false sense of security

Hmm, so why do IT guys not write login names on their webpages? (Of course it is a joke.)
Why do other mail daemons not write such information in the message?

In other words:
strong password -> yes
access policies -> yes
service monitoring -> yes
fail2ban -> yes
denyhosts -> yes
snort -> yes
time based acl -> yes
content filtering -> yes
ips & ids -> yes
many other things like above -> yes
hiding unnecessary information -> why not? Who writes a bank's private account in an email footer?

Is there any solution that gives you 100% assurance that your system is secure? No, and there never will be.

BTW fail2ban will not detect login attempts which are very rare in time, but I think it is still a good solution.

Z.

Stefano
« Reply #11 on: October 21, 2015, 12:06:02 PM »
Quote
BTW fail2ban will not detect login attempts which are very rare in time, but I think it is still a good solution.

AFAIK it does.. do you have any evidence?

zbyszko
« Reply #12 on: October 21, 2015, 12:13:35 PM »
Quote
AFAIK it does.. do you have any evidence?

Interesting.. maybe I do not know about it. I will check it.
Thanks.

Daniel B.
« Reply #13 on: October 21, 2015, 12:23:56 PM »
fail2ban will detect every failed login attempt which is logged (well, only for the configured services). But it'll only ban an IP after a threshold is reached. Three parameters are available:

- The time window to look (default is 15 minutes)
- The number of failed login attempts detected in the last time window (default is 3)
- The duration of the ban (default is 30 minutes)
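
The threshold behaviour described in the last reply, as an added example that is not part of the thread and not fail2ban's own code: a simplified sliding-window model using the three defaults quoted above, run over constructed failed-login events. The function names, the `min_failures` review cut-off and the documentation-range IP addresses are assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Defaults quoted in the post above, in seconds.
FINDTIME, MAXRETRY, BANTIME = 15 * 60, 3, 30 * 60

def simulate(events, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Simplified sliding-window model (not fail2ban's code).

    events: time-ordered (timestamp_seconds, ip) failed logins.
    Returns (bans, failures): bans is a list of (ip, start, end) and
    failures counts every failure that reached the log, per IP.
    """
    recent = defaultdict(deque)   # ip -> failure times inside the window
    banned_until = {}
    bans, failures = [], defaultdict(int)
    for ts, ip in events:
        if banned_until.get(ip, 0) > ts:
            continue              # blocked at the firewall, nothing is logged
        failures[ip] += 1
        window = recent[ip]
        window.append(ts)
        while window[0] <= ts - findtime:
            window.popleft()      # forget failures older than the window
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans, dict(failures)

def unbanned_repeaters(bans, failures, min_failures=5):
    """IPs with many logged failures that never crossed the ban threshold."""
    banned = {ip for ip, _, _ in bans}
    return sorted(ip for ip, n in failures.items()
                  if n >= min_failures and ip not in banned)

# Constructed sample: one burst source, one source failing every 10 minutes.
BURST = [(t, "192.0.2.10") for t in (0, 60, 120, 300)]
SLOW = [(i * 600, "198.51.100.7") for i in range(6)]
EVENTS = sorted(BURST + SLOW)

if __name__ == "__main__":
    bans, failures = simulate(EVENTS)
    print("bans:", bans)
    print("logged failures:", failures)
    print("review list:", unbanned_repeaters(bans, failures))
```

Every failure in the sample is counted, but only the burst source is banned; the review list is the kind of longer-horizon check that catches sources staying under the per-window threshold.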