Sorry the SMTP half of this mail is off-topic, but since a lot of you use qmail, and since this information may be valuable to many of you, I thought I'd ask here before finding a more appropriate list to subscribe to. If I end up finding the answer elsewhere, I'll post the results here for your information...
I currently have qmail+bincimap set up such that:

* POP3: I have qmail-pop3d + stunnel listening on the pop3s port.
* IMAP: I have bincimap running in both SSL and non-SSL mode, with non-SSL logins disabled.
* SMTP: I have qmail-smtpd listening on the smtp port, and stunnel on the smtps port. I use the smtp-auth patch so that users can use the smtp server from outside of the LAN (even within the LAN, one needs to auth to send to a non-internal address).

POP3 is exactly how I want it - no non-SSL service at all.

I would like to disable bincimap from running on the imap port at all, only accessible via imaps. Is this possible without using iptables (which I'd rather avoid unless absolutely necessary - it seems like the wrong solution to the problem)?

I have to keep an smtp service running, since remote mailservers only deliver to smtp (AFAIK). However I want SMTP auth to be used ONLY on smtps - not permitted on smtp. Again, I could solve this the "wrong" way by having two qmail-smtpd binaries, one without the smtp-auth patch for smtp, and the patched version for smtps. Does anyone know a better way of doing this (i.e. with a single binary to maintain)?

Desired end result:

* IMAPS server running on the IMAPS port (done).
* Nothing listening on the IMAP port.
* POP3S server running on the POP3S port (done).
* Nothing listening on the POP3 port (done).
* SMTPS server running on the SMTPS port w/smtp-auth (done).
* SMTP server running on the SMTP port for local delivery only - no auth.

Any advice is appreciated. Once I get it figured out, I'll make a public document on using qmail and bincimap in this manner to set up a complete, 100% secure mail server solution, without allowing the possibility of transmitting a password in cleartext over the wire/airwaves.
If I'm ambitious enough, I might also cover setting up Apache as an HTTPS server, using redirection to HTTPS when the user loads the site via HTTP, and configuration of Squirrelmail+plugins for bincimap (some small patches are needed in a couple places, but hopefully the appropriate authors will implement these fixes soon) to deliver a secure IMAP-based webmail solution as well.

On another note, my server has several domain names, however the secure services (i.e. IMAPS) will cause a certificate warning due to domain mismatch if you try to connect to it by one of the alternate domains. Is there a way to make a single certificate cover multiple domains, or is there another solution to this?

Thanks in advance,
--
Casey Allen Shobe
Open Source Software Solutions
[EMAIL PROTECTED]
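
Added example, not part of the original post: a Python check of the "Desired end result" list above, for running against a mail server you operate. It assumes the standard port numbers for the service names in the post (110, 143, 995, 993, 25, 465); the names POLICY, AS_POSTED, observe, violations and audit are introduced here and are not from qmail, bincimap or stunnel.

```python
import smtplib
import socket
import ssl

# Desired state per the post; standard ports assumed: port -> (listen, tls, auth or None if not SMTP)
POLICY = {
    110: (False, False, None),  # pop3: nothing listening
    143: (False, False, None),  # imap: nothing listening
    995: (True, True, None),    # pop3s
    993: (True, True, None),    # imaps
    25: (True, False, False),   # smtp: delivery only, AUTH not offered
    465: (True, True, True),    # smtps: smtp-auth offered
}
# Constructed observations matching the setup the post describes today.
AS_POSTED = {110: (False, None), 143: (True, None), 995: (True, None),
             993: (True, None), 25: (True, True), 465: (True, True)}

def observe(host, port, tls, smtp, timeout=5.0):
    """Return (listening, auth_offered); auth_offered is None off SMTP ports."""
    ctx = ssl.create_default_context()
    try:
        if smtp:
            client = (smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
                      if tls else smtplib.SMTP(host, port, timeout=timeout))
            with client:
                client.ehlo()
                return True, client.has_extn("auth")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            if tls:  # verified handshake, so a plaintext listener does not pass
                ctx.wrap_socket(raw, server_hostname=host).close()
            return True, None
    except ssl.SSLError:
        raise  # includes a certificate name mismatch on an alternate domain
    except OSError:
        return False, None  # refused, timed out, or no SMTP greeting

def violations(observed):
    """Compare {port: (listening, auth_offered)} with POLICY; list mismatches."""
    found = []
    for port, (should_listen, _tls, auth_allowed) in POLICY.items():
        listening, auth_offered = observed[port]
        if listening != should_listen:
            found.append(f"port {port}: listening={listening}")
        elif auth_allowed is not None and auth_offered != auth_allowed:
            found.append(f"port {port}: AUTH offered={auth_offered}")
    return found

def audit(host):
    return violations({port: observe(host, port, tls, auth is not None)
                       for port, (_listen, tls, auth) in POLICY.items()})
```

violations(AS_POSTED) reports the two open items from the post, the IMAP listener and AUTH on the SMTP port; audit(host) runs the same comparison against live probes.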
