[courier-users] SMTP Auth via SSL/TLS required
Hello People,

Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers.

But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is only an option here, so some users can bypass our security policy.

My best regards,
Pawel
Re: [courier-users] courieresmtp - More (different) errors!
Lindsay Haisley writes:

> On Sat, 2008-12-06 at 20:27 -0500, Sam Varshavchik wrote:
>> If you can isolate this to Exchange only, set the following in courierd, which may fix this:
>>
>> TLS_CIPHER_LIST=SSLv3:TLSv1:!SSLv2:HIGH:!LOW:!MEDIUM:!EXP:!DES-CBC3-SHA:[EMAIL PROTECTED]
>
> Interesting. After putting this line in courierd, the remote system sends back:
>
> 500 DEBUG: Unexpected SSL connection shutdown.

Well, the remote system is closing the SSL connection, and Courier turns that event into this error message.

> The system is apparently running Exchange. It identifies itself with:
>
> 220 squid.humantech.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959
>
> Apparently I'm going to have to leave ESMTP_USE_STARTTLS off for the benefit of my customers who need to be able to communicate with their customers on Exchange servers more than they need the extra security of TLS over the Internet.

Yes. Exchange's TLS implementation does seem to be buggy.

You do have an option of individually disabling TLS for individual remote mail servers. There's a way to do that so you'll still talk TLS to the non-buggy part of the world, but you'll have to manually maintain a list of broken mail servers, and you probably don't want to do that.
Re: [courier-users] SMTP Auth via SSL/TLS required
Paweł Tęcza writes:

> Hello People,
>
> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers.
>
> But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is only an option here, so some users can bypass our security policy.

I've found the solution. It seems that I have full effect if I disable all ESMTP authentication mechanisms supported by Courier:

    sudo vim /etc/courier/esmtpd

    ESMTPAUTH=

I hope it can be an interesting tip for you.

Cheers,
P.
Re: [courier-users] SMTP Auth via SSL/TLS required
Hello.

On Monday, 8 December 2008, Paweł Tęcza wrote:

> We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers.
>
> But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is only an option here, so some users can bypass our security policy.

Yes, same policy here. :) We do not offer *any* login without a secure connection. For SMTP, we have set:

    $ grep ^ESMTPAUTH /etc/courier/esmtpd
    ESMTPAUTH=
    ESMTPAUTH_TLS=PLAIN LOGIN

So courier does not offer any authentication methods before switching to TLS mode.

Regards,
Bernd

--
Hang the Greens while there are still trees! - Mehmet Scholl (German footballer)
Re: [courier-users] SMTP Auth via SSL/TLS required
Paweł Tęcza writes:

> Hello People,
>
> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers.
>
> But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is only an option here, so some users can bypass our security policy.

You can make it a mandatory setting only if it's a dedicated server, by setting ESMTP_TLS_REQUIRED. You can't do that if you share the same server for incoming mail, and smarthosted mail for your clients.

An option that may work for you is to remove the ESMTPAUTH setting, and put it into ESMTPAUTH_TLS. Courier will advertise no support for authentication in non-encrypted connections, and will advertise AUTH support only after STARTTLS.

This setting only turns off the advertisement for AUTH support. Clients are not supposed to authenticate unless the server advertises this capability; however, it's possible that buggy clients will blindly try to authenticate even if the server doesn't advertise AUTH support.
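[Added example, not part of the thread and not Courier code.] A Python check of the policy discussed in the messages above: it parses the EHLO reply seen before and after STARTTLS to confirm AUTH is advertised only under TLS, and flags clients that send AUTH in cleartext anyway. The host names, EHLO replies and command list are constructed samples.

```python
import re

# Constructed EHLO replies (not captured from a real server), modelling a host
# set up with ESMTPAUTH= and ESMTPAUTH_TLS=PLAIN LOGIN as in the thread.
EHLO_PLAIN = "250-mail.example.com Ok.\n250-STARTTLS\n250-PIPELINING\n250 8BITMIME"
EHLO_TLS = ("250-mail.example.com Ok.\n250-AUTH PLAIN LOGIN\n"
            "250-AUTH=PLAIN LOGIN\n250-PIPELINING\n250 8BITMIME")
# Constructed misconfigured host: AUTH is offered before STARTTLS.
EHLO_PLAIN_BAD = "250-mail.example.com Ok.\n250-STARTTLS\n250 AUTH LOGIN PLAIN"

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters; the first line is the greeting."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        m = re.match(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)$", line.strip())
        if m:
            # "AUTH x y" and the legacy "AUTH=x y" form both land under AUTH.
            params = caps.setdefault(m.group(1).upper(), [])
            params.extend(p for p in m.group(2).upper().split() if p not in params)
    return caps

def audit_auth_policy(plain_reply, tls_reply):
    """Return findings; an empty list means AUTH is advertised only under TLS."""
    plain, tls = parse_ehlo(plain_reply), parse_ehlo(tls_reply)
    findings = []
    if "AUTH" in plain:
        findings.append("AUTH offered before STARTTLS: " + " ".join(plain["AUTH"]))
    if "STARTTLS" not in plain:
        findings.append("STARTTLS not offered on the plaintext session")
    if "AUTH" not in tls:
        findings.append("no AUTH after STARTTLS")
    return findings

def cleartext_auth_attempts(client_commands):
    """AUTH commands a client sent before STARTTLS (the buggy-client case)."""
    hits = []
    for cmd in client_commands:
        parts = cmd.split()
        if not parts:
            continue
        if parts[0].upper() == "STARTTLS":
            break
        if parts[0].upper() == "AUTH":
            # Keep only the verb and mechanism; never record the credential blob.
            hits.append(" ".join(parts[:2]).upper())
    return hits

if __name__ == "__main__":
    print(audit_auth_policy(EHLO_PLAIN, EHLO_TLS))
    print(audit_auth_policy(EHLO_PLAIN_BAD, EHLO_TLS))
```
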
[courier-users] mailfilter + sql?
We are in the process of moving a fair portion of our users' preferences over to MySQL. However, one thing that is not clear to me is this nagging question about putting .mailfilter files into SQL.

Is that even possible? I'm kind of thinking no, because I tell maildrop to look for one file in particular, and I wouldn't even know how you'd go about telling it to look at numerous rows for a particular user.

But still, I'm curious. Can I move .mailfilters into a MySQL database?

Thanks!

./brm
Re: [courier-users] mailfilter + sql?
Brian Martinez writes:

> We are in the process of moving a fair portion of our users' preferences over to MySQL. However, one thing that is not clear to me is this nagging question about putting .mailfilter files into SQL.
>
> Is that even possible?

Everything is possible, if you write the code to do it. As it is now, maildrop has no support for reading mail filters from anywhere other than a plain file.

Furthermore, mail filter rules are not a two-dimensional set of records that one can just dump into a database. They are scripts, not data records. They can't exactly be mapped to some database schema. And there is no clear benefit from just putting the whole script in as a single BLOB. Great! You've done that. Now what? Reading the blob is now ten times slower than opening and reading the same file. You now have an extra point of failure, and your performance is in the doghouse.

Sounds like a prime candidate for a feature article on http://www.thedailywtf.com, to me.
Re: [courier-users] courieresmtp - More (different) errors!
On Mon, 2008-12-08 at 11:35 -0500, Sam Varshavchik wrote:

> You do have an option of individually disabling TLS for individual remote mail servers.

How is this done?

--
Lindsay Haisley       | In an open world, | PGP public key
FMP Computer Services | who needs Windows | available at
512-259-1190          | or Gates          | http://pubkeys.fmp.com
http://www.fmp.com    |                   |
Re: [courier-users] courieresmtp - More (different) errors!
Lindsay Haisley writes:

> On Mon, 2008-12-08 at 11:35 -0500, Sam Varshavchik wrote:
>> You do have an option of individually disabling TLS for individual remote mail servers.
>
> How is this done?

In esmtproutes:

    example.com: /SECURITY=NONE