Re: [courier-users] SMTP Auth via SSL/TLS required
Sam Varshavchik writes:
> Paweł Tęcza writes:
>> Hello People,
>>
>> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.
>
> You can make it a mandatory setting only if it's a dedicated server, by setting ESMTP_TLS_REQUIRED. You can't do that if you share the same server for incoming mail, and smarthosted mail for your clients.

Hi Sam,

Thanks a lot for your reply! I have that server, but I'm afraid that the ESMTP_TLS_REQUIRED setting is too restrictive for me, because I'm not quite sure that all clients support TLS.

> An option that may work for you is to remove the ESMTPAUTH setting, and put it into ESMTPAUTH_TLS. Courier will advertise no support for authentication in non-encrypted connections, and will advertise AUTH support only after STARTTLS. This setting only turns off the advertisement for AUTH support.

I like that option, so I choose it :)

> Clients are not supposed to authenticate unless the server advertises this capability, however it's possible that buggy clients will blindly try to authenticate even if the server doesn't advertise AUTH support.

But all clients, buggy and not, will not send a message via my server if they try to use non-encrypted connections. Then they should see an error message like "513 Relaying denied". Right?

My best regards,

Pawel

--
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada. The future of the web can't happen without you. Join us at MIX09 to help pave the way to the Next Web now. Learn more and register at http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
___
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
Re: [courier-users] SMTP Auth via SSL/TLS required
Marcus Ilgner writes:
> On Tue, Dec 9, 2008 at 10:16 AM, Paweł Tęcza [EMAIL PROTECTED] wrote:
>> Sam Varshavchik writes:
>>> Clients are not supposed to authenticate unless the server advertises this capability, however it's possible that buggy clients will blindly try to authenticate even if the server doesn't advertise AUTH support.
>>
>> But all clients, buggy and not, will not send a message via my server if they try to use non-encrypted connections. Then they should see an error message like "513 Relaying denied". Right?
>
> Yes, but if I understand correctly the problem in this case is that by then the password has already been sent over the network without issuing STARTTLS.

Hello Marcus,

You're right. It's a security problem, but I can't see any good solution here. Probably I can only ask a user to change his password when he reports to us that he is not able to send a message without TLS/SSL.

My best regards,

Pawel
Re: [courier-users] SMTP Auth via SSL/TLS required
On Tue, Dec 9, 2008 at 10:16 AM, Paweł Tęcza [EMAIL PROTECTED] wrote:
> Sam Varshavchik writes:
>> Paweł Tęcza writes:
>>> Hello People,
>>>
>>> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.
>>
>> You can make it a mandatory setting only if it's a dedicated server, by setting ESMTP_TLS_REQUIRED. You can't do that if you share the same server for incoming mail, and smarthosted mail for your clients.
>
> Hi Sam,
>
> Thanks a lot for your reply! I have that server, but I'm afraid that the ESMTP_TLS_REQUIRED setting is too restrictive for me, because I'm not quite sure that all clients support TLS.
>
>> An option that may work for you is to remove the ESMTPAUTH setting, and put it into ESMTPAUTH_TLS. Courier will advertise no support for authentication in non-encrypted connections, and will advertise AUTH support only after STARTTLS. This setting only turns off the advertisement for AUTH support.
>
> I like that option, so I choose it :)
>
>> Clients are not supposed to authenticate unless the server advertises this capability, however it's possible that buggy clients will blindly try to authenticate even if the server doesn't advertise AUTH support.
>
> But all clients, buggy and not, will not send a message via my server if they try to use non-encrypted connections. Then they should see an error message like "513 Relaying denied". Right?
>
> My best regards,
>
> Pawel

Yes, but if I understand correctly the problem in this case is that by then the password has already been sent over the network without issuing STARTTLS.

Regards
Marcus
[courier-users] SMTP Auth via SSL/TLS required
Hello People,

Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.

My best regards,

Pawel
Re: [courier-users] SMTP Auth via SSL/TLS required
Paweł Tęcza writes:
> Hello People,
>
> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.

I've found the solution. It seems that I get the full effect if I disable all ESMTP authentication mechanisms supported by Courier:

sudo vim /etc/courier/esmtpd
ESMTPAUTH=

I hope it can be an interesting tip for you.

Cheers,

P.
Re: [courier-users] SMTP Auth via SSL/TLS required
Hello.

On Monday, 8 December 2008, Paweł Tęcza wrote:
> We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.

Yes, same policy here. :) We do not offer *any* login without a secure connection. For SMTP, we have set:

$ grep ^ESMTPAUTH /etc/courier/esmtpd
ESMTPAUTH=
ESMTPAUTH_TLS=PLAIN LOGIN

So courier does not offer any authentication methods before switching to TLS mode.

Regards,
Bernd

--
Hang the Greens while there are still trees! - Mehmet Scholl (German footballer)
Re: [courier-users] SMTP Auth via SSL/TLS required
Paweł Tęcza writes:
> Hello People,
>
> Is it possible to force authenticated SMTP relaying only via SSL/TLS? We need to protect the passwords of our users strongly, so they should use a secure connection (via SSL) to ESMTP/POP3/IMAP servers. But how can we force the users to use STARTTLS for a normal ESMTP server which listens on port 25? STARTTLS is the only option here, so some users can bypass our security policy.

You can make it a mandatory setting only if it's a dedicated server, by setting ESMTP_TLS_REQUIRED. You can't do that if you share the same server for incoming mail, and smarthosted mail for your clients.

An option that may work for you is to remove the ESMTPAUTH setting, and put it into ESMTPAUTH_TLS. Courier will advertise no support for authentication in non-encrypted connections, and will advertise AUTH support only after STARTTLS. This setting only turns off the advertisement for AUTH support.

Clients are not supposed to authenticate unless the server advertises this capability, however it's possible that buggy clients will blindly try to authenticate even if the server doesn't advertise AUTH support.
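As an added example (not code from the thread or from the Courier project), this is the check an administrator would run to confirm that the ESMTPAUTH= / ESMTPAUTH_TLS=PLAIN LOGIN setup described by Sam and Bernd behaves as intended: AUTH must be absent from the plaintext EHLO response and appear only after STARTTLS. The EHLO capability lists are constructed sample data; `audit_live` is an assumed helper that repeats the same check against a real server using the standard library's smtplib.

```python
import smtplib
import ssl

# Constructed EHLO keyword lines standing in for a Courier server configured with
# ESMTPAUTH= (nothing in plaintext) and ESMTPAUTH_TLS=PLAIN LOGIN (after STARTTLS).
PLAINTEXT_EHLO = ["SIZE 10240000", "STARTTLS", "PIPELINING", "8BITMIME", "DSN"]
TLS_EHLO = ["SIZE 10240000", "AUTH PLAIN LOGIN", "PIPELINING", "8BITMIME", "DSN"]


def keywords(ehlo_lines):
    """Set of EHLO keywords (first token of each line, upper-cased)."""
    return {line.split()[0].upper() for line in ehlo_lines if line.split()}


def auth_mechanisms(ehlo_lines):
    """AUTH mechanisms advertised in a list of EHLO keyword lines."""
    mechs = set()
    for line in ehlo_lines:
        parts = line.split()
        if parts and parts[0].upper() == "AUTH":
            mechs.update(m.upper() for m in parts[1:])
    return mechs


def evaluate_policy(pre_tls_lines, post_tls_lines):
    """Classify a server against the 'no AUTH before STARTTLS' policy; the
    worst finding (a password could be sent in the clear) is reported first."""
    if auth_mechanisms(pre_tls_lines):
        return "auth-offered-in-plaintext"
    if "STARTTLS" not in keywords(pre_tls_lines):
        return "no-starttls"
    if not auth_mechanisms(post_tls_lines):
        return "no-auth-even-after-starttls"
    return "ok"


def audit_live(host, port=25, timeout=10):
    """Assumed helper: run the same check against a real server (not used by the test)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        pre = [f"{k} {v}".strip() for k, v in s.esmtp_features.items()]
        if not s.has_extn("starttls"):
            return evaluate_policy(pre, [])
        s.starttls(context=ssl.create_default_context())
        s.ehlo()  # capabilities must be re-read after STARTTLS
        post = [f"{k} {v}".strip() for k, v in s.esmtp_features.items()]
    return evaluate_policy(pre, post)
```

A result of "auth-offered-in-plaintext" is exactly the situation Marcus warns about: a client may send the password before STARTTLS, so "513 Relaying denied" arrives too late to protect it.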