Hi Casey,

Here is my setup:
    /service/qmail-receive
        - rblsmtpd protected
        - qmail-smtpd (unpatched)
        - never relays (RELAYCLIENT never set)
        - might get changed to magic-smtpd
        - might add a spam/virus checking patch
    /service/qmail-relay
        - qmail-smtpd with tls-smtp-auth.patch
        - relaying disabled unless authenticated
        - would prefer it dropped non-tls connections
        - it's run on port 25 on an aliased IP address
    /service/qmail-send
        - stock qmail-start
    /service/binc-imapl
        - non-tls bincIMAP running on the loopback address
        - primarily used for squirrelmail
        - using stock squirrelmail
        - using stock (OpenBSD) apache
        - squirrelmail only accessible through https
        - http connections get redirected to https
    /service/binc-imaps
        - stock bincIMAP with TLS
We do not support pop3.

We found it necessary to distinguish between qmail-receive and qmail-relay
when one of our consultants started working at a site that had an open
relay that was blacklisted (and hence connections were refused by
rblsmtpd).  I am becoming more and more convinced that this separation is
very good because it gives me more options for filtering out unwanted
inbound (received) mail without having to worry about the impact on
outgoing (relayed) mail.  This is analogous to the separation of dnscache
from tinydns.

My server also has several domain names:  all names that require a
separate (aliased) IP address.  See
http://www.modssl.org/docs/2.8/ssl_faq.html#vhosts for the technical
details.

Regards,
Henry

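Henry's two-service split, written out as daemontools run scripts (an added example, not Henry's own files): the inbound service sits behind rblsmtpd and never sets RELAYCLIENT, the relay service on the aliased address skips the DNSBL and only relays after SMTP AUTH. The addresses, the name of the tls-smtp-auth build, the checkpassword program and the DNSBL zone are placeholders or assumptions.

```shell
#!/bin/sh
# Added example: generate the run scripts for the qmail-receive / qmail-relay split.
# Addresses, binary names, the checkpassword program and the DNSBL zone are assumptions.
set -eu

RECEIVE_IP="${RECEIVE_IP:-192.0.2.1}"   # placeholder: address the MX record points at
RELAY_IP="${RELAY_IP:-192.0.2.2}"       # placeholder: aliased address for authenticated relay
RELAY_HOST="${RELAY_HOST:-relay.example.com}"                   # placeholder greeting hostname
SMTPD_RECV="${SMTPD_RECV:-/var/qmail/bin/qmail-smtpd}"          # stock, unpatched binary
SMTPD_RELAY="${SMTPD_RELAY:-/var/qmail/bin/qmail-smtpd-auth}"   # assumed: tls-smtp-auth build
RBL_ZONE="${RBL_ZONE:-bl.example.invalid}"                      # placeholder DNSBL zone

# Inbound service: rblsmtpd in front, stock qmail-smtpd behind, RELAYCLIENT never set.
write_receive_run() {   # $1 = service directory
    mkdir -p "$1"
    cat > "$1/run" <<EOF
#!/bin/sh
exec /usr/local/bin/softlimit -m 4000000 \\
  /usr/local/bin/tcpserver -v -R -x $1/tcp.cdb -c 40 -u \$(id -u qmaild) -g \$(id -g qmaild) \\
  $RECEIVE_IP smtp /usr/local/bin/rblsmtpd -r $RBL_ZONE $SMTPD_RECV 2>&1
EOF
    printf ':allow\n' > "$1/tcp"      # compile with: tcprules tcp.cdb tcp.tmp < tcp
    chmod 755 "$1/run"
}

# Relay service on the aliased address: no DNSBL, relaying only after SMTP AUTH.
write_relay_run() {     # $1 = service directory
    mkdir -p "$1"
    cat > "$1/run" <<EOF
#!/bin/sh
exec /usr/local/bin/softlimit -m 4000000 \\
  /usr/local/bin/tcpserver -v -R -x $1/tcp.cdb -c 20 -u \$(id -u qmaild) -g \$(id -g qmaild) \\
  $RELAY_IP smtp $SMTPD_RELAY $RELAY_HOST /bin/checkpassword /bin/true 2>&1
EOF
    printf ':allow\n' > "$1/tcp"      # again no RELAYCLIENT: the auth patch grants relaying
    chmod 755 "$1/run"
}

# Sanity check of the split: 0 only when neither rules file opens relaying, the inbound
# side is DNSBL-protected, and only the relay side asks for authentication.
check_split() {         # $1 = receive directory, $2 = relay directory
    if grep -q RELAYCLIENT "$1/tcp" "$2/tcp"; then return 1; fi
    grep -q rblsmtpd "$1/run" || return 1
    grep -q checkpassword "$2/run" || return 1
    if grep -q rblsmtpd "$2/run"; then return 1; fi
    ! grep -q checkpassword "$1/run"
}

if [ "${1:-}" = install ]; then write_receive_run /service/qmail-receive; write_relay_run /service/qmail-relay; fi
```

Run with `install` as the only argument to create both service directories under /service, then compile each `tcp` file with tcprules before svscan picks the services up.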

Casey Allen Shobe said:
> Sorry the SMTP half of this mail is off-topic, but since a lot of you use
> qmail, and since this information may be valuable to many of you, I
> thought I'd ask here before finding a more appropriate list to subscribe
> to.  If I end up finding the answer elsewhere, I'll post the results here
> for your information...
>
> I currently have qmail+bincimap set up such that:
> * POP3: I have qmail-pop3d + stunnel listening on the pop3s port.
> * IMAP: I have bincimap running in both SSL and non-SSL mode, with non-SSL
> logins disabled.
> * SMTP: I have qmail-smtpd listening on the smtp port, and stunnel on the
> smtps port.  I use the smtp-auth patch so that users can use the smtp
> server from outside of the LAN (even within the LAN, one needs to auth to
> send to a non-internal address).
>
> POP3 is exactly how I want it - no non-SSL service at all.
>
> I would like to disable bincimap from running on the imap port at all,
> only accessible via imaps.  Is this possible without using iptables (which
> I'd rather avoid unless absolutely necessary - it seems like the wrong
> solution to the problem)?
>
> I have to keep an smtp service running, since remote mailservers only
> deliver to smtp (AFAIK).  However I want SMTP auth to be used ONLY on
> smtps - not permitted on smtp.  Again, I could solve this the "wrong" way
> by having two qmail-smtpd binaries, one without the smtp-auth patch for
> smtp, and the patched version for smtps. Does anyone know a better way of
> doing this (i.e. with a single binary to maintain)?
>
> Desired end result:
> IMAPS server running on the IMAPS port (done).
> Nothing listening on the IMAP port.
> POP3S server running on the POP3S port (done).
> Nothing listening on the POP3 port (done).
> SMTPS server running on the SMTPS port w/smtp-auth (done).
> SMTP server running on the SMTP port for local delivery only - no auth.
>
> Any advice is appreciated.  Once I get it figured out, I'll make a public
> document on using qmail and bincimap in this manner to set up a complete,
> 100% secure mail server solution, without allowing the possibility of
> transmitting a password in cleartext over the wire/airwaves.
>
> If I'm ambitious enough, I might also cover setting up apache as an HTTPS
> server, using redirection to HTTPS when the user loads the site via HTTP,
> and configuration of Squirrelmail+plugins for bincimap (some small patches
> are needed in a couple places, but hopefully the appropriate authors will
> implement these fixes soon) to deliver a secure IMAP-based webmail
> solution as well.
>
> On another note, my server has several domain names, however the secure
> services (i.e. IMAPS) will cause a certificate warning due to domain
> mismatch if you try to connect to it by one of the alternate domains.  Is
> there a way to make a single certificate cover multiple domains, or is
> there another solution to this?
>
> Thanks in advance,
>
> --
> Casey Allen Shobe
> Open Source Software Solutions
> [EMAIL PROTECTED]
>
