> -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of Doug Poland > Sent: Wednesday, March 12, 2008 11:20 AM > To: [EMAIL PROTECTED] > Subject: Best practice: sendmail and SMTP auth > > > Hello, > > Not sure if this is the most appropriate place for this question, but > since all my servers are FreeBSD 6.x/7.x, I'll give it a go... > > I am considering setting up SMTP auth on a number of sendmail > instances that I control. After much googling and reading, it is not > clear to me that a server with SMTP auth configured/enabled can relay > mail in both auth and non-auth modes. >
Some of the explanations posted have been Rube Goldberg in the extreme, greatly complicating what should have been a very simple response. A standard FreeBSD server determines relaying through use of the access.db file, as you probably already are aware. If you add in SMTP-auth then the ONLY change is that any client that authenticates in, is exempted from checking the access.db file - by default, they are allowed to relay. It is not necessary to turn on an encrypted channel for SMTP-auth. In fact, the most popular mail clients under Windows - Outlook, only support NTLM encryption on authentication which REQUIRES that the password be in cleartext on the mailserver. OR, you can use SSL encryption for Outlook - however it will require a (costly) commerically-rooted certificate on the server to do SSL or your mail clients won't encrypt without a lot of nasty mucking around on the user's side to install a self-signed root cert in their clients. As for 587, by default sendmail will allow auth on either port 25 or 587 and will allow non-encrypted auth on port 587. The fact of the matter is that the most secure way of running a production setup is to use a completely separate mailserver for AUTH-smtp and to use DIFFERENT userID's/passwords on that server than on the primary mailserver. That way spammers that discover the users e-mail address (which for most ISP's is the same as the userID account) cannot launch dictionary attacks against the SMTP-auth server. And, attackers that sniff a cleartext password on the SMTP-auth channel cannot use that userID to spam the mailserver. Ted _______________________________________________ email@example.com mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"