Koozali.org: home of the SME Server

Clarifying issue on password/SMTP

Lars Thorelius

Clarifying issue on password/SMTP
« on: September 22, 2000, 12:56:12 AM »
I use my e-smith as a mail server for a few accounts. This works perfectly, e-smith is a reliable POP3 server for mail retrieval from the internet. Some of my e-mail clients are not within my LAN, so I would like them to be able to change their passwords from the Internet. I haven't found a way to get access to the /e-smith-password page from the Internet. Is this not supposed to be possible?

Also, e-smith will not act as a SMTP-server for "unregistered" domains when addressed as an SMTP-server from the Internet. Can this be worked around?

Regards
Lars

Justin

RE: Clarifying issue on password/SMTP
« Reply #1 on: September 22, 2000, 01:30:16 AM »
The e-smith-password page is not accessible from the Internet for security reasons. If you are planning on opening it to the Internet within the Apache configuration files I would recommend requiring the use of an SSL connection for the users to prevent someone from sniffing out the new password as the user entered it.

If you were to open up your SMTP server to unregistered domains it would be trivial for someone to trick your e-smith server into being an open mail relay and use it for mass emailers, Spamming etc.

I highly recommend not doing either of these actions and finding alternative solutions to them.

Charlie Brady

RE: Clarifying issue on password/SMTP
« Reply #2 on: September 22, 2000, 01:48:59 AM »
Lars Thorelius wrote:

> I use my e-smith as a mail server for a few accounts. This
> works perfectly, e-smith is a reliable POP3 server for mail
> retrieval from the internet. Some of my e-mail clients are not
> within my LAN, so I would like them to be able to change their
> passwords from the Internet. I haven't found a way to get
> access to the /e-smith-password page from the Internet. Is this
> not supposed to be possible?

It's not supposed to be possible. See http://www.e-smith.org/faq.php3#q3 and http://www.e-smith.org/faq.php3#q6.

> Also, e-smith will not act as a SMTP-server for
> "unregistered" domains when addressed as an
> SMTP-server from the Internet. Can this be worked around?

I don't understand what you mean by "unregistered" domains. If you elaborate, someone may be able to help you.

regards

Charlie

Lars Thorelius

RE: Clarifying issue on password/SMTP
« Reply #3 on: September 22, 2000, 10:30:29 AM »
Charlie and Justin,
thank you for your convincing comments.

Charlie Brady wrote:
> I don't understand what you mean by "unregistered"
> domains. If you elaborate, someone may be able to help you.

In http://www.e-smith.org/faq.php3#q6 there is the following line: "By default the POP3 server is configured to deny remote access, since POP3 is not a secure protocol."
If I understand this the right way, my users are not supposed to retrieve their e-mail remotely from the internet. But on my e-smith remote POP3-retrieval works perfectly... and I use e-smith 4.0 totally "as is", not reconfigured in any way.

I will exemplify what I mean by "unregistered domains":

A virtual domain name in my e-smith server is "myvirtdom.com". I can use my e-smith remotely from the internet as an SMTP server to send e-mails to addresses such as "me@myvirtdom.com" (and any other virtual domain, or the primary one), but not to send e-mails to "any@otheraddress.com" or any randomly chosen recipient addresses.

Justin wrote:
> If you were to open up your SMTP server to unregistered domains it would be trivial
> for someone to trick your e-smith server into being an open mail relay and use it for
> mass emailers, Spamming etc.

A "public" e-mail service that I use can be used as an SMTP-server from anywhere on the internet as long as I supply my username and password, and then I can use it to send e-mail to anyone. With username and password for access, why is e-smith so easy to trick into being used as a spammer?

Regards
Lars
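
The relay behaviour discussed in this thread, modelled as an added example that is not part of any post and is not e-smith's own code: mail for a hosted domain is accepted from anywhere, mail for a foreign domain is relayed only for a trusted network or an authenticated sender, and an open relay is what remains when that last check is dropped. The domain "myvirtdom.com" comes from the thread; the primary domain, LAN range, client addresses and function names are assumptions.

```python
import ipaddress

# Constructed policy: "myvirtdom.com" is the virtual domain named in the thread;
# the primary domain and the LAN range are assumptions for illustration.
LOCAL_DOMAINS = {"myvirtdom.com", "primary.example"}
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]


def relay_decision(client_ip, rcpt, authenticated=False, open_relay=False):
    """Return (accepted, reason) for one RCPT TO issued by one client."""
    local, sep, domain = rcpt.rpartition("@")
    if not sep or not local or not domain:
        return False, "malformed recipient"
    domain = domain.lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return True, "local delivery"          # final destination is this server
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in TRUSTED_NETS):
        return True, "relay for trusted network"
    if authenticated:
        return True, "relay for authenticated user"
    if open_relay:                              # the misconfiguration warned about
        return True, "OPEN RELAY: unauthenticated outsider, foreign recipient"
    return False, "relaying denied"


def audit(transactions, **policy):
    """Return the transactions relayed for unauthenticated outsiders."""
    abused = []
    for client_ip, rcpt, authed in transactions:
        ok, reason = relay_decision(client_ip, rcpt, authed, **policy)
        if ok and reason.startswith("OPEN RELAY"):
            abused.append((client_ip, rcpt))
    return abused


# Constructed SMTP transactions: (client IP, RCPT TO, authenticated?)
SAMPLE = [
    ("203.0.113.7", "me@myvirtdom.com", False),       # Internet -> hosted domain
    ("203.0.113.7", "any@otheraddress.com", False),   # Internet -> foreign domain
    ("192.168.1.20", "any@otheraddress.com", False),  # LAN -> foreign domain
    ("198.51.100.9", "any@otheraddress.com", True),   # remote user with a login
]

if __name__ == "__main__":
    for ip, rcpt, authed in SAMPLE:
        print(ip, rcpt, authed, relay_decision(ip, rcpt, authed))
    print("relayed for outsiders if opened up:", audit(SAMPLE, open_relay=True))
```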