Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Brad Jennings on July 03, 2002, 06:42:23 PM

Title: 5.5 & obtuse-smtpd-qmail-howto
Post by: Brad Jennings on July 03, 2002, 06:42:23 PM
Do you still need to install the obtuse-smtpd-qmail-howto when installing RAV antivirus on 5.5?
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 03, 2002, 09:00:00 PM
5.5 doesn't run Obtuse SMTPD, it runs Mailfront, so that How-To would be null and void on E-Smith 5.5.

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Edgar on July 03, 2002, 09:53:45 PM
Nathan, that means that we cannot use your pop-before-smtp hack? What can we do now?
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 03, 2002, 10:38:13 PM
There isn't a real need for pop-before-smtp on E-Smith 5.5 because from what I understand E-Smith 5.5 w/MailFront supports SASL. At this point I have no plans on porting pop-before-smtp to work on Mailfront; there may be third party implementations of the pop-before-smtp logic applied to Mailfront, I'm honestly not sure. SASL allows a user to log in to the SMTP server with relay rights. Keep in mind that 5.5 is still a little buggy and I question the security involved in SASL since system passwords are sent via plain-text in a non-encrypted fashion (I guess the same holds true for POP3/IMAP, so I recommend using stunnel). What I do not know is if E-Smith 5.5 has enabled Mailfront to do SASL by using cvm-sasl. While SASL will support CRAM-MD5 there is a note on the cvm-sasl site saying:
As of this writing, there are no CRAM-MD5 CVMs, so that functionality is completely untested. If $CVM_SASL_LOGIN is set, it overrides $CVM_SASL_PLAIN for LOGIN authentication.

Link to mailfront cvm-sasl:
http://untroubled.org/mailfront/cvm-sasl.html

My two cents:
I'd stick with Obtuse (E-Smith pre 5.5) until some of the bugs are worked out of Mailfront.

Hope this helped,
Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Edgar on July 03, 2002, 10:49:55 PM
You got my vote!!
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Charlie Brady on July 05, 2002, 02:19:57 AM
> I'd stick with Obtuse (E-Smith pre 5.5) until some of the bugs are worked out
> of Mailfront.

What bugs Nathan? I'm unaware of any. Please report any that you are aware of to bugs@e-smith.com.

Charlie
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Bill Talcott on July 08, 2002, 06:52:22 PM
We have a remote office stuck on dialup (dynamic IP) that is using SME 5.0 and Nathan's IMAP-before-SMTP for access. Will the users still be able to send mail like this if I upgrade to 5.5?
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 08, 2002, 09:04:31 PM
Bill, see http://forums.contribs.org/index.php?topic=14336.msg54584#msg54584

Unless E-Smith 5.5 is using SASL with mailfront the same functionality you see in 5.2 via the x-before-smtp scripts would not be extended in 5.5. I have no plans of porting the current x-before-smtp scripts over to mailfront (from Obtuse SMTPD) because of the existence of SASL.

Hope this helped,
Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Charlie Brady on July 08, 2002, 09:47:23 PM
Nathan Fowler wrote:

> Unless E-Smith 5.5 is using SASL with mailfront the same
> functionality you see in 5.2 via the x-before-smtp scripts
> would not be extended in 5.5.

5.5 does not ship with SASL enabled, as mailfront does not yet support TLS (SSL), and we discourage use of cleartext passwords (or cleartext equivalent) over the Internet.

Regards

Charlie
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 08, 2002, 09:57:59 PM
I don't recommend using plaintext passwords either; it may be possible to use stunnel to encrypt data communication with the SMTP server including SASL, however since I am still on 4.1.2 and have no plans on updating it is unlikely that I will have a chance to look at doing such. If your users are using pop3 over an internet pipe they are disclosing sensitive password information in plain-text. I recommend using stunnel with securePOP. If you search the forums I know I've posted the Howto.

Charlie, as always, thanks for your time.

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Bill Talcott on July 08, 2002, 10:13:53 PM
I read that, and got the impression that it was possible to do with the new setup, but wasn't sure if it was actually implemented. Charlie explained that satisfactorily. Guess I'll stick with what we have for a bit longer...
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Bill Talcott on July 09, 2002, 12:39:21 AM
Nathan Fowler wrote:
>
> supports SASL.  At this point I have no plans on porting
> pop-before-smtp to work on Mailfront, there may be third
> party implementations of the pop-before-smtp logic applied to
> Mailfront, I'm honestly not sure. SASL allows a user to login

Is http://untroubled.org/mailfront/ the same Mailfront that SME uses? Would http://untroubled.org/relay-ctrl/ work for our situation? Or is that what's built-in already? I get confused with qmail and Obtuse and Mailfront and all these different things that seem like they're doing the same thing... All this is from http://qmail.mirrors.summersault.com/top.html#addons FYI, which I got from a Google search...

Ah, found http://www.mail-archive.com/devinfo@lists.e-smith.org/msg08704.html a little further down the search results. Guess they are the same. So would relay-ctrl work then?
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 09, 2002, 12:48:54 AM
Relay control is what you want to do, that is what pop-before-smtp does, however, there are quite a few dependencies in there that I'm not sure about (relay-ctrl), personally I'd try to get SASL working first, it appears to be a better option.  Relay-ctrl appears to be more like pop-before-smtp.

That's my two cents.

SASL allows you to directly "log" into the SMTP server without the need to authenticate with a POP/IMAP server.  Relay-Ctrl is more like the existing pop-before-smtp method that you are accustomed to, where you must first connect to a POP/IMAP daemon before you can relay.

Hope this helped,

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Bill Talcott on July 09, 2002, 01:01:58 AM
Is the relay-ctrl/___-before-smtp more or less secure than the current SASL (the way it sends plaintext passwords)? I'm more concerned about sending plaintext passwords than about an unauthorized person getting relay access for a few minutes. It's not a big deal that they have to check their mail before sending, as they usually do anyway. Does this SASL login require any additional logins, or is this transparent to the user also (by using the supplied POP/IMAP login info or something)?

Thanks again for answering all my dumb questions. One of these days I'll finally know everything. =)
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 09, 2002, 01:20:23 AM
Not to worry, none of the questions you have asked could possibly be viewed as dumb.

SASL is more secure than x-Before-SMTP because my implementation of the pop-before-smtp logic is not based on successful authorization, but rather a connection. SASL and Relay-Ctrl both send passwords in plain-text. You are disclosing sensitive password information in unencrypted text every time you POP to your server; this is why I recommend using stunnel + pop3.

SASL requires the user to "Login to the SMTP server." Most E-Mail clients support this option, I believe Microsoft calls it "My server requires me to login to send mail". Personally, I don't know what to think of mailfront. I don't have any experience with it so I really don't have any grounds to formulate a real opinion of either. What I can say is I don't like sending cleartext or unencrypted passwords, period. It depends on your view of security to determine if it is more or less secure. One method (SASL/Relay-CTRL) using plain-text can compromise the user account. x-before-smtp with stunnel will not leak any password information; in a worst-case scenario you become an open relay for a specific user for a limited amount of time.

Bill, by the way, upgrade your pop-before-smtp (http://www.stickit.nu/pop-before-smtp), I just released a new version today.

Nathan
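
Added example, not written by any poster in this thread: a short Python sketch of why the SASL PLAIN and LOGIN mechanisms discussed above count as cleartext on an unencrypted SMTP connection, next to the CRAM-MD5 challenge-response mentioned earlier in the thread. The user name, password and challenge string are constructed sample values.

```python
import base64
import hashlib
import hmac

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def decode_auth_plain(token: str):
    """AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL password)."""
    _authzid, user, password = base64.b64decode(token).split(b"\0")
    return user.decode(), password.decode()

def decode_auth_login(user_token: str, pass_token: str):
    """AUTH LOGIN: user name and password travel as two separate base64 strings."""
    return (base64.b64decode(user_token).decode(),
            base64.b64decode(pass_token).decode())

def cram_md5_response(user: str, password: str, challenge_token: str) -> str:
    """CRAM-MD5 (RFC 2195): base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_token)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())

def password_on_wire(client_tokens, password: str) -> bool:
    """True if any base64 token the client sent decodes to bytes containing the password."""
    return any(password.encode() in base64.b64decode(t) for t in client_tokens)

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "remoteuser", "Constructed-Pass-1"
PLAIN_SESSION = [b64(b"\0" + USER.encode() + b"\0" + PASSWORD.encode())]
LOGIN_SESSION = [b64(USER.encode()), b64(PASSWORD.encode())]
CHALLENGE = b64(b"<12345.1026177623@mail.example.test>")
CRAM_SESSION = [cram_md5_response(USER, PASSWORD, CHALLENGE)]

if __name__ == "__main__":
    print("PLAIN ->", decode_auth_plain(PLAIN_SESSION[0]))
    print("LOGIN ->", decode_auth_login(*LOGIN_SESSION))
    for name, session in [("PLAIN", PLAIN_SESSION), ("LOGIN", LOGIN_SESSION),
                          ("CRAM-MD5", CRAM_SESSION)]:
        print(f"{name:8} password recoverable by decoding: "
              f"{password_on_wire(session, PASSWORD)}")
```

CRAM-MD5 keeps the password itself off the wire, but the rest of the SMTP session stays unencrypted, which is why the posters here point to stunnel or TLS.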
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Bill Talcott on July 10, 2002, 01:57:56 AM
Hmmmm, do you know if http://kepler.covenant.edu/~talarson/ssl/SSL-Email-HOWTO-2.html still applies to 5.0 and 5.1.2? I didn't realize how much was sent plaintext...
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 10, 2002, 02:19:41 AM
Yes, they will still function in 4.1.2+, however, there are some changes that I found necessary in that howto.  Let me get the modified how-to...:


http://forums.contribs.org/index.php?topic=4146.msg14367#msg14367


Note that
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd
was changed to
/usr/sbin/stunnel -d smtps -l /usr/sbin/smtpd -n smtp

It is necessary to define the daemon type if using SMTP.

Hope this helped,
Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Shelby Moore on July 10, 2002, 09:26:01 AM
Does anyone have the http://forums.contribs.org/index.php?topic=4146.msg14367#msg14367 HowTo working on 5.5? This worked fine for me on 5.0 but now that I upgraded to 5.5 no luck. Wondering if it is just me or if the HowTo does not work for 5.5. Thanks,

Shelby
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 10, 2002, 06:23:04 PM
Where does the process break down?

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Shelby Moore on July 11, 2002, 08:05:39 PM
Trying to send an email to myself in Outlook I get the following message from outlook:

The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was 'shelbym@v-cut.com'. Subject 'test', Account: 'www.v-cut.com', Server: 'www.v-cut.com', Protocol: SMTP, Server Response: '421 Service not available, closing transmission channel', Port: 465, Secure(SSL): Yes, Server Error: 421, Error Number: 0x800CCC79

Checking the maillog on SME 5.5 I see this:

Jul 11 10:54:24 waterboy smtpd[5037]: SMTP HELO from localhost(127.0.0.1) as "layout001"
Jul 11 10:54:24 waterboy smtpd[5037]: mail from
Jul 11 10:54:24 waterboy smtpd[5037]: Can not stat address check file /etc/smtpd_check_rules (No such file or directory)!
Jul 11 10:54:24 waterboy smtpd[5037]: Missing or empty address check file - Abandoning session

smtpd_check_rules is there.  I am new to all this so I am not sure what else the log might be telling me.  Any ideas?

Shelby
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: David Stanton on July 13, 2002, 08:33:43 PM
Hmmmmm
I know I'm an idiot, but does anyone know where the best place is to set the environment variable to make mailfront authenticate for relay?
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 16, 2002, 10:06:48 PM
David, your question is very valid, and you know what? I have no clue. I can't find any decent documentation for mailfront, and Charlie states that all qmail documentation can be applied to mailfront. Your best bet for support would be at their mailing list.


I would check out:
http://lists.em.ca/?list=bgware

More specifically:
http://lists.em.ca/?command=showthread&list=bgware&month=200207&threadid=fgknnknphnlalfhbjogm

Good luck the developers for Mailfront appear to be real cocks (excuse my language).

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 16, 2002, 10:09:09 PM
David, if you ever wanted to revert back a version from SME 5.5 you could always use http://www.stickit.nu/pop-before-smtp.  Relay-Control would be more powerful if you can get it working.  Please take detailed notes along the way so you could compile a meager HowTo to assist others.  Relay Control is a hot topic and as it stands now, no one has the answer.

Nathan
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Charlie Brady on July 16, 2002, 10:27:38 PM
Nathan Fowler wrote:

> Good luck the developers for Mailfront appear to be real
> cocks (excuse my language).

No, I will not excuse your language! The developer of Mailfront has made an excellent package available to you at no cost. What have you ever done for him?

CB
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Nathan Fowler on July 16, 2002, 10:29:05 PM
I will not get involved in this.

Thanks,
Nathan
Title: Manners, good and bad (was Re: 5.5 & obtuse-smtpd-qmail-
Post by: Charlie Brady on July 16, 2002, 11:23:15 PM
Nathan Fowler wrote:
 
> I will not get involved in this.

That's rather cowardly of you, Nathan, given that it was your gratuitous insult which raised the issue in the first place. You *are* involved, and should just apologise.

Regards

Charlie
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: David Stanton on July 19, 2002, 05:11:08 AM
I'm going to try to dig up some documentation I have on Qmail, but I'm thinking that I might have to go back to 5.1.2 for now.

Thanks again for the help!!!
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Shelby Moore on July 19, 2002, 06:06:25 PM
Looks like I am headed back myself. Anyone else have any ideas how to get this to work on 5.5?

Thanks,

Shelby
Title: Re: 5.5 & obtuse-smtpd-qmail-howto
Post by: Stefan Braunstein on August 14, 2002, 01:51:02 PM
>  5.5 does not ship with SASL enabled,
> as mailfront does not yet support TLS (SSL),
> and we discourage use of cleartext passwords
> (or cleartext equivalent) over the Internet.

So what do I do, if I use 5.5 and my ISP only supports SMTP auth?

Stefan