Re: [vchkpw] relay, smtp after pop

2006-03-27 Thread Andrew Simon
Wanted to thank everyone for their input. It turned out to be an outlook 
issue. Once we set it to pop first the problem went away. Thank you Jeremy


Andrew

- Original Message - 
From: Paul Theodoropoulos [EMAIL PROTECTED]

To: vchkpw@inter7.com
Sent: Friday, March 24, 2006 5:08 PM
Subject: Re: [vchkpw] relay, smtp after pop



At 02:02 PM 3/24/2006, you wrote:

On Friday 24 March 2006 12:39, Paul Theodoropoulos wrote:
 At 11:47 AM 3/24/2006, Michael Krieger wrote:
 unless you're doing it in mysql. which works dandy.

or with Bruce Guenter's relay-ctrl package, which doesn't involve any
overly-specific hacks to tcpserver.

http://untroubled.org/relay-ctrl


perhaps, but the existing patch to tcpserver is extremely tiny, and 
doesn't interfere with use for other purposes. i personally don't have a 
problem with hacks. otherwise, i wouldn't be running qmail (and the dozen 
or more needed hacks for assorted shortcomings, however minor).



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com


[vchkpw] relay, smtp after pop

2006-03-24 Thread Andrew Simon



I am running a qmail/courier-imap/vpopmail 5.4.2 system. It is working well.
However, occasionally users get the

"553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"

It's not all the time. They are outside the office when this happens. I am
using smtp after pop. All the settings are correct as far as I know. Any
input would be helpful.

Andrew


Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Jeremy Kitchen
On Friday 24 March 2006 07:59, Andrew Simon wrote:
 I am running a qmail/courier-imap/vpopmail 5.4.2 system. It is working well.
 However, occasionally users get the

 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

 It's not all the time. They are outside the office when this happens. I am
 using smtp after pop. All the settings are correct as far as I know. Any
 input would be helpful.

this is a common issue with pop-before-smtp authentication.  Their MUA is 
probably trying to send an email before they have authenticated with pop3.  
Outlook is notorious for doing this.

Fortunately, I think outlook might have a flag where it will always check for 
new messages before sending, but I don't use outlook so you're on your own 
there.

If it doesn't, just tell your users to make sure if they see it happen to hit 
send/receive and try again.  Or switch to an smtp auth based solution if it's 
that big of a problem.

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.




Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Jeremy Kitchen
On Friday 24 March 2006 09:52, Jeremy Kitchen wrote:
 If it doesn't, just tell your users to make sure if they see it happen to
 hit send/receive and try again.  Or switch to an smtp auth based solution
 if it's that big of a problem.

wow, I can't believe I didn't mention this before:
a third option is to have them stop using that pile of doo known as outlook.

now to find my coffee...

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.




Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
SMTP Authentication seems to be the norm these days, and I'd encourage it.
Now if only M$ would make it the default or easier than going into advanced
settings when adding an account (and also the port 587 option).

-M

Jeremy Kitchen [EMAIL PROTECTED] wrote:

 On Friday 24 March 2006 09:52, Jeremy Kitchen wrote:
  If it doesn't, just tell your users to make sure if they see it happen to
  hit send/receive and try again.  Or switch to an smtp auth based solution
  if it's that big of a problem.

 wow, I can't believe I didn't mention this before:
 a third option is to have them stop using that pile of doo known as outlook.

 now to find my coffee...

 -Jeremy

 --
 Jeremy Kitchen ++ [EMAIL PROTECTED]

 In the beginning was The Word and The Word was Content-type: text/plain
   -- The Word of Bob.

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Jeremy Kitchen
On Friday 24 March 2006 10:31, Michael Krieger wrote:
 SMTP Authentication seems to be the norm these days, and I'd encourage  it.
  Now if only M$ would make it the default or easier than going  into
 advanced settings when adding an account (and also the port 587  option).

why use port 587?  the 'use secure connection' is right there, and if you're 
doing any passing of authentication tokens across the wire, you should be 
encrypting it.

that's just my two cents.

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.




Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these days with
some portion of challenge/response from the server for authentication
details... this of course happens automatically.

Some e-mail clients will go kicking and screaming on self-signed certificates,
particularly in a virtualhosting environment where the common name needs to
be a wildcard (*) for users to access the mail server under their own domains.

I love the paranoia around sniffing that many parties with an invested
interest have encouraged. In the end, your data transmits with some encryption
on passwords from your PC, through a private network of your ISP who has tens
if not hundreds of thousands of clients, then onto MCI/Verizon and other key
players in core bandwidth into some datacenter. Nobody of which has any care
what your e-mail looks like. Don't get me wrong, I'm all for encryption, but
on services like e-mail it seems a bit excessive in favour of a
challenge/response authentication.

Besides- these days odds are your PC will be infected and e-mail read on there
rather than over the wire where it passes by your ISP aggregated with tons of
other traffic at a few hundred Mbit/s.

Just my 2c. Both are solutions to the problem, but 587 is more to avoid port
25 blocking by many ISPs as well as to run a SMTP service without
ident/hostname lookups to ensure a speedier connection for mail senders, while
keeping this on the ports that other mail servers send to.

-M

Jeremy Kitchen [EMAIL PROTECTED] wrote:

 On Friday 24 March 2006 10:31, Michael Krieger wrote:
  SMTP Authentication seems to be the norm these days, and I'd encourage it.
  Now if only M$ would make it the default or easier than going into
  advanced settings when adding an account (and also the port 587 option).

 why use port 587?  the 'use secure connection' is right there, and if you're
 doing any passing of authentication tokens across the wire, you should be
 encrypting it.

 that's just my two cents.

 -Jeremy

 --
 Jeremy Kitchen ++ [EMAIL PROTECTED]

 In the beginning was The Word and The Word was Content-type: text/plain
   -- The Word of Bob.

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Paul Theodoropoulos

At 10:48 AM 3/24/2006, Michael Krieger wrote:

Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these 
days with some portion of challenge/response from the server for 
authentication details... this of course happens automatically.


do you have a source for the claim of 'most'?  just curious.



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com
Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
I know that it was broken on one of our mail servers a few years ago (where it
advertised it but then didn't authenticate properly) and we got 10% of users
properly authenticating and 90% of them not (these are if I recall correctly
and are of course rough numbers). The general observation I find is that most
mail clients use as much of the protocol as they know.

So no claim/fact that's enough to go by, but pop RECORDIO on your pop or smtp
server, and tail -F (capital to follow the file name itself) the current file
and see how many of your authentications are mangled, be it by
challenge-response or that are short and plain text. There may be more
recognizable sections to look at.

-M

Paul Theodoropoulos [EMAIL PROTECTED] wrote:

 At 10:48 AM 3/24/2006, Michael Krieger wrote:
  Keeping in mind most SMTP uses CRAM-MD5 or some equivalent these days with
  some portion of challenge/response from the server for authentication
  details... this of course happens automatically.

 do you have a source for the claim of 'most'?  just curious.

 Paul Theodoropoulos
 http://www.anastrophe.com
 http://www.smileglobal.com
 http://www.forumgarden.com
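The counting exercise Michael suggests above (wrap the server in RECORDIO, tail the log, and see how many logins are challenge/response versus plain text) as a small Python script. This is an added example, not code from the thread, from vpopmail or from recordio; the "pid < client line" / "pid > server line" layout is assumed to match recordio's output, the four sessions are constructed, and the credentials in them are fake. It also records the one thing such a log cannot show: once a client issues STARTTLS, recordio sees only ciphertext, so those sessions are counted as opaque rather than guessed at.

```python
"""Count SMTP AUTH mechanisms in recordio-style logs (added example).

Layout assumption: "pid < text" is a line from the client, "pid > text" a
line from the server. Sessions and credentials below are constructed.
"""
import re

# Constructed sample of four SMTP sessions as recordio would log them.
SAMPLE_LOG = """\
101 > 220 mail.example.test ESMTP
101 < EHLO laptop
101 > 250-AUTH LOGIN PLAIN CRAM-MD5
101 < AUTH PLAIN AGFsaWNlAHNlY3JldA==
101 > 235 ok, go ahead (#2.0.0)
102 > 220 mail.example.test ESMTP
102 < EHLO desktop
102 > 250-AUTH LOGIN PLAIN CRAM-MD5
102 < AUTH CRAM-MD5
102 > 334 PDEyMzQ1QG1haWwuZXhhbXBsZS50ZXN0Pg==
102 < Ym9iIGY4YzFkOWUwYjJhMzQ1NjdhYmNkZWYwMTIzNDU2Nzg5
102 > 235 ok, go ahead (#2.0.0)
103 > 220 mail.example.test ESMTP
103 < EHLO phone
103 > 250-STARTTLS
103 < STARTTLS
103 > 220 ready for tls
103 < (ciphertext follows; recordio cannot see inside the TLS session)
104 > 220 mail.example.test ESMTP
104 < EHLO oldclient
104 < AUTH LOGIN
104 > 334 VXNlcm5hbWU6
104 < Y2Fyb2w=
104 > 334 UGFzc3dvcmQ6
104 < d3JvbmdwYXNz
104 > 535 authorization failed (#5.7.0)
"""

LINE_RE = re.compile(r"^(\d+) ([<>]) (.*)$")
PLAINTEXT = {"PLAIN", "LOGIN"}                   # reusable password on the wire
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}  # one-time response instead


def parse_line(line):
    """Split 'pid <|> text' into (pid, direction, text); None for other lines."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def classify_sessions(log_text):
    """Per pid: AUTH mechanism, whether STARTTLS hid the rest, and the outcome."""
    sessions = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, direction, text = parsed
        s = sessions.setdefault(pid, {"mechanism": None, "encrypted": False,
                                      "outcome": "none", "starttls_sent": False})
        if s["encrypted"]:
            continue                      # nothing after STARTTLS is readable
        if direction == "<":              # client -> server
            upper = text.upper()
            if upper.startswith("AUTH "):
                s["mechanism"] = upper.split()[1]
                s["outcome"] = "pending"
            elif upper == "STARTTLS":
                s["starttls_sent"] = True
        else:                             # server -> client
            code = text[:3]
            if s["starttls_sent"] and code == "220":
                s["encrypted"] = True     # server accepted STARTTLS
                s["outcome"] = "opaque"
            elif s["outcome"] == "pending":
                if code == "235":
                    s["outcome"] = "success"
                elif code.startswith("5"):
                    s["outcome"] = "failed"
    return sessions


def summarize(log_text):
    """Counts to set against the 'most clients use CRAM-MD5' claim."""
    counts = {"plaintext": 0, "challenge_response": 0, "encrypted_opaque": 0, "no_auth": 0}
    for s in classify_sessions(log_text).values():
        if s["encrypted"]:
            counts["encrypted_opaque"] += 1
        elif s["mechanism"] in PLAINTEXT:
            counts["plaintext"] += 1
        elif s["mechanism"] in CHALLENGE_RESPONSE:
            counts["challenge_response"] += 1
        else:
            counts["no_auth"] += 1
    return counts


def exposed_sessions(log_text):
    """Sessions that sent a reusable password in the clear: PLAIN/LOGIN, no TLS."""
    return sorted(pid for pid, s in classify_sessions(log_text).items()
                  if s["mechanism"] in PLAINTEXT and not s["encrypted"])


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("cleartext logins in sessions:", exposed_sessions(SAMPLE_LOG))
```

On a real log, feed `summarize()` the output of `tail -F` in batches, or the whole day's file; a failed AUTH LOGIN still counts as a plaintext exposure, since the password crossed the wire whether or not the server accepted it.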

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Paul Theodoropoulos

At 11:04 AM 3/24/2006, you wrote:

I know that it was broken on one of our mail servers a few years ago 
(where it advertised it but then didn't authenticate properly) and 
we got 10% of users properly authenticating and 90% of them not 
(these are if I recall correctly and are of course rough 
numbers.  The general observation I find is that most mail clients 
use as much of the protocol as they know.


So no claim/fact that's enough to go by, but pop RECORDIO on your 
pop or smtp server, and tail -F (capital to follow the file name 
itself) the current file and see how many of your authentications 
are mangled, be it by challenge-response or that are short and plain 
text.  There may be more recognizable sections to look at.


i don't use smtp auth, so i wouldn't know. i thought you were 
claiming that most providers these days are doing smtp auth. we still 
do pop before smtp - it works, it's reliable, it's simple, it's low 
overhead. if someone believes their email is important enough that 
someone would want to sniff the line to get it, then they should be 
using PGP or some other means of making the actual content secure.


in my opinion, of course.


Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com
Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread David Chaplin-Loebell

Jeremy Kitchen wrote:
 On Friday 24 March 2006 10:31, Michael Krieger wrote:
  SMTP Authentication seems to be the norm these days, and I'd encourage it.
  Now if only M$ would make it the default or easier than going into
  advanced settings when adding an account (and also the port 587 option).

 why use port 587?  the 'use secure connection' is right there, and if you're
 doing any passing of authentication tokens across the wire, you should be
 encrypting it.

I have my clients use port 587 whenever possible, because I use RBLs on 
port 25 that block some dynamic address ranges.


Is there a better practice for this?

David


Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
 i don't use smtp auth, so i wouldn't know. i thought you were claiming that
 most providers these days are doing smtp auth.

I was stating that most mail CLIENTS (Outlook, Thunderbird, etc) tend to
prefer any mangled authentication method in favour of sending a password in
clear text, based on my observations. Even better, many (especially newer
ones) tend to use challenge/response algorithms for SMTP-Auth for example,
which ensure one-time use, and prevent creating an open relay if the
connection is viewed.

Now, I'd also argue (unrelated to my previous e-mail) that more and more ISPs
are turning to SMTP Authentication and blocking port 25. This number is
growing, but based on the customers who contact us, there seems to be more
regions with this upcoming issue. Mainly this is to prevent worms from sending
mail on their own (port 25 blocking).

The SMTP Authentication is more popular because mail no longer comes from an
IP, but instead comes from an e-mail address. With pop before smtp, you know
that 123.123.123.123 has a virus or is relaying Spam through your server, or
is producing a lot of bounces, whose settings can be easily obtained and used
via MAPI. With smtp authentication, you see in the headers that the user is
[EMAIL PROTECTED]@123.123.123.123 and that's on mail that goes out, Spam
reports that come back, etc. It associates the connection with a username in
addition to an IP, which is really what matters.

 it's reliable

Except when it's done in the wrong order, which some mail clients do... or if
a user's IP changes.

 , it's simple, it's low overhead

You sure about that? Every successful POP/IMAP authentication will do a CDB
lookup for the IP address, and if not found will add it to the open-smtp file,
expire old entries, and then rebuild the CDB file. CDB is fast to read, but
building it, while not very slow, isn't super-quick. Each future POP
authentication will update the expire time of the open-smtp entry and rebuild
the CDB file again. So for every pop authentication you have a CDB rebuild,
versus a CDB read. [note to see the benefit of not updating it, you'd need to
phase it out and then disable the feature or it'll happen anyway].

 . if someone believes their email is important enough that someone would
 want to sniff the line to get it, then they should be using PGP or some
 other means of making the actual content secure.

It's deceptive and lying to the user really to use SSL and think it's secure.
While your [not you, but the gp] mail server may have the TLS patch and SSL
ports, others may not. So you encrypt your super-secret message thinking it's
going from your computer to the end encrypted... but it's not. It's encrypted
to your mail relay. Then it's decrypted and put onto disk in CLEAR TEXT. At
which point it's then sent to another mail server... which could be encrypted
or not. In the end, the plain text insecure file sits on a final mail server,
and then is picked up by the user, likely unencrypted and stored unencrypted
on a workstation that's probably not secure.

In any case, the point is that no matter how you look at it, SSL from the
client to mail relay or client to POP server is one part of the process, and
creates a false sense of security.

 in my opinion, of course.

Naturally... Of course most of what I say is my opinion on the matter. I'm
sure there are many schools of thought, but we've transitioned mostly from
POP-before-smtp. It's difficult, and has been YEARS in the works to detect and
transition users (similarly difficult was moving from ip aliased domains to
using [EMAIL PROTECTED] authentication). The end result is that it's easier to
track down and follow mail when it needs to happen.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
 I have my clients use port 587 whenever possible, because I use RBLs on
 port 25 that block some dynamic address ranges.

 Is there a better practice for this?

I'd also recommend turning off hostname lookups and identd lookups in
tcpserver's command line.

You may want to look at the REQUIREAUTH patch (I had to modify it slightly to
make it work with newer smtpauth versions) as well, making sure that only smtp
authentication can be used on port 587. While spammers don't submit mail to
587 to date, who knows when that may start. Plus, it lets me ensure that
nobody is using the pop-before-smtp on port 587. When we have them on the
phone and are changing settings, might as well check 'enable authentication'.

Some discussion is here about using SSL instead ('requires a secure
connection'), but that's up to you. Some versions of outlook confuse users
with 'use secure password authentication SPA' which works with exchange
servers... Every time I told someone to turn on SSL, SPA was turned on and it
didn't authenticate properly.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
To correct myself...

 Each future POP authentication will update the expire time of the open-smtp
 entry and rebuild the CDB file again.

I don't believe it actually rebuilds the CDB file here, but it does update the
open-smtp file with the new timestamp for the expiry. In any case, any change
to the IP list and it updates the CDB file.

 So for every pop authentication you have a CDB rebuild, versus a CDB read.

And adjust list line per above. CDB is great for mail, because it needs to be
updated only when an account is added or password is changed. It's made for
reading, and a lot of reading, as well as updating without causing issues.
Fast lookups. As that database gets big and filled with IPs, rebuilding it can
begin to slow down.

-M
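A small Python model of pop-before-smtp relay control, added here as an illustration and not code from vpopmail or from anyone in the thread. It covers two passages at once: Jeremy Kitchen's explanation of why an MUA that sends before it has checked mail gets the 553 rcpthosts rejection, and Michael Krieger's accounting of CDB rebuilds versus reads together with his correction just above (the cdb is rebuilt only when the set of IPs changes, while refreshing an existing entry just rewrites the open-smtp timestamp). Everything named in it is assumed or constructed: the `RelayTable` class, the 40-minute window, the open-smtp line layout, the local domain and the client IPs.

```python
"""Model of pop-before-smtp relay control (added example, not vpopmail code).

A successful POP login records the client IP; an SMTP connection may relay
only while its IP is in the table; entries expire after a window. The cdb is
rebuilt only when the set of IPs changes (add or expire); a refresh of an
existing entry only rewrites the open-smtp timestamp.
"""

RELAY_TTL = 40 * 60  # relay window in seconds; assumed value, site-configurable

RCPTHOSTS_REJECT = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


class RelayTable:
    """Tracks IPs allowed to relay, plus how often the cdb would be rebuilt."""

    def __init__(self, ttl=RELAY_TTL):
        self.ttl = ttl
        self.entries = {}      # ip -> time of last successful POP/IMAP login
        self.cdb_rebuilds = 0  # expensive: rewrite tcp.smtp.cdb
        self.cdb_reads = 0     # cheap: one lookup per SMTP connection

    def pop_auth_ok(self, ip, now):
        """Successful POP/IMAP login from ip: add or refresh the entry."""
        self.clear_old(now)
        is_new = ip not in self.entries
        self.entries[ip] = now
        if is_new:
            self.cdb_rebuilds += 1
        # an existing entry only gets a new timestamp in open-smtp

    def clear_old(self, now):
        """Drop expired entries (what a periodic cleanup would do)."""
        stale = [ip for ip, t in self.entries.items() if now - t > self.ttl]
        for ip in stale:
            del self.entries[ip]
        if stale:
            self.cdb_rebuilds += 1

    def smtp_may_relay(self, ip):
        """The cdb lookup tcpserver makes when an SMTP connection arrives.
        The cdb carries no timestamps, so only membership counts here."""
        self.cdb_reads += 1
        return ip in self.entries

    def open_smtp_lines(self):
        """Approximation of the open-smtp file (layout is an assumption)."""
        return [f'{ip}:allow,RELAYCLIENT=""\t{int(t)}'
                for ip, t in sorted(self.entries.items())]


def rcpt_response(table, client_ip, rcpt_domain, local_domains):
    """Reply to RCPT TO: local domains always accepted, others need RELAYCLIENT."""
    if rcpt_domain in local_domains or table.smtp_may_relay(client_ip):
        return "250 ok"
    return RCPTHOSTS_REJECT


def demo_scenario():
    """Walk through the failure cases raised in the thread."""
    table = RelayTable()
    local = {"example.test"}                       # constructed local domain
    ip_a, ip_b = "203.0.113.10", "203.0.113.99"    # constructed client IPs
    steps = []
    # 1. The MUA sends before it has checked mail (Outlook's habit): rejected.
    steps.append(("send before pop", rcpt_response(table, ip_a, "example.org", local)))
    # 2. Send/receive: POP login first, then the same IP may relay.
    table.pop_auth_ok(ip_a, now=1000)
    steps.append(("send after pop", rcpt_response(table, ip_a, "example.org", local)))
    # 3. Same user, new address (dial-up/DHCP): permission is per IP, not per user.
    steps.append(("send from new ip", rcpt_response(table, ip_b, "example.org", local)))
    # 4. A refresh only updates the timestamp; expiry later forces a rebuild.
    table.pop_auth_ok(ip_a, now=2000)
    table.clear_old(now=2000 + RELAY_TTL + 1)
    steps.append(("send after expiry", rcpt_response(table, ip_a, "example.org", local)))
    return steps, table


if __name__ == "__main__":
    steps, table = demo_scenario()
    for label, reply in steps:
        print(f"{label:18s} -> {reply}")
    print(f"cdb rebuilds: {table.cdb_rebuilds}, cdb reads: {table.cdb_reads}")
```

Step 3 is the point Michael makes about association: the table knows an address, not a user, so a changed address loses the permission and anything else behind the same address inherits it. The rebuild counter follows his corrected description: two rebuilds for the scenario (one add, one expiry) against four reads.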

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Jeremy Kitchen
On Friday 24 March 2006 11:36, David Chaplin-Loebell wrote:
 Jeremy Kitchen wrote:
 On Friday 24 March 2006 10:31, Michael Krieger wrote:
 SMTP Authentication seems to be the norm these days, and I'd encourage 
  it. Now if only M$ would make it the default or easier than going  into
  advanced settings when adding an account (and also the port 587 
  option).
 
 why use port 587?  the 'use secure connection' is right there, and if
  you're doing any passing of authentication tokens across the wire, you
  should be encrypting it.

 I have my clients use port 587 whenever possible, because I use RBLs on
 port 25 that block some dynamic address ranges.

 Is there a better practice for this?

that's pretty standard practice.

I'm in favor of using an SSL protected port for authentication, but 587 is 
acceptable.

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.




Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Paul Theodoropoulos


At 11:47 AM 3/24/2006, Michael Krieger wrote:
To correct myself...


Each future POP authentication will update the expire time of the
open-smtp entry and rebuild the CDB file again.

I don't believe it actually rebuilds the CDB file here, but it does
update the open-smtp file with the new timestamp for the expiry. In
any case, any change to the IP list and it updates the CDB file.


So for every pop authentication you have a CDB rebuild, versus a CDB
read.

unless you're doing it in mysql. which works dandy.

Paul Theodoropoulos

http://www.anastrophe.com

http://www.smileglobal.com

http://www.forumgarden.com
Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
 unless you're doing it in mysql. which works dandy.

You sure about that?

The MySQL open relay database would speed up the cleanup of old entries and
the updates making that pretty quick, but ultimately it needs to make that a
cdb file that sets relayclient for tcpserver to execute qmail-smtpd doesn't
it? Still building a CDB file regularly.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Paul Theodoropoulos


At 01:05 PM 3/24/2006, you wrote:


unless you're doing it in mysql. which works dandy.

You sure about that?
the MySQL open relay database would speed up the cleanup of old entries
and the updates making that pretty quick, but ultimately it needs to make
that a cdb file that sets relayclient for tcpserver to execute
qmail-smtpd doesn't it? Still building a CDB file regularly.

no, no cdb rebuilding at all. this is with the patches to do so of
course. my vpopmail tcp.smtp.cdb file hasn't been touched in just over
three years.
of course, i have lots more mysql transactions going on all the time, but
have had no performance problems associated with it.


Paul Theodoropoulos

http://www.anastrophe.com

http://www.smileglobal.com

http://www.forumgarden.com
Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Michael Krieger
 no, no cdb rebuilding at all. this is with the patches to do so of course.
 my vpopmail tcp.smtp.cdb file hasn't been touched in just over three years.

Good to know- thanks for the correction.

 of course, i have lots more mysql transactions going on all the time, but
 have had no performance problems associated with it.

I suppose so, but benchmarks are all specific to any setup as well. Didn't
know there were patches to do this (to qmail-smtpd or to tcpserver)? I guess
the big question is why add that dependency? Why have all that database
activity and connection requirement when you could just pass a password
along... But then you can see from previous messages that I promote the
smtp-auth these days.

-M

Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Jeremy Kitchen
On Friday 24 March 2006 12:39, Paul Theodoropoulos wrote:
 At 11:47 AM 3/24/2006, Michael Krieger wrote:
 To correct myself...
 Each future POP authentication will update the expire time of the
 open-smtp entry and rebuild the CDB file again.
 
 I don't believe it actually rebuilds the CDB file here, but it does
 update the open-smtp file with the new timestamp for the expiry.  In
 any case, any change to the IP list and it updates the CDB file.
 So for every pop authentication you have a CDB rebuild, versus a CDB read.

 unless you're doing it in mysql. which works dandy.

or with Bruce Guenter's relay-ctrl package, which doesn't involve any 
overly-specific hacks to tcpserver.

http://untroubled.org/relay-ctrl

-Jeremy

-- 
Jeremy Kitchen ++ [EMAIL PROTECTED]

In the beginning was The Word and The Word was Content-type: text/plain
  -- The Word of Bob.




Re: [vchkpw] relay, smtp after pop

2006-03-24 Thread Paul Theodoropoulos

At 02:02 PM 3/24/2006, you wrote:

On Friday 24 March 2006 12:39, Paul Theodoropoulos wrote:
 At 11:47 AM 3/24/2006, Michael Krieger wrote:
 unless you're doing it in mysql. which works dandy.

or with Bruce Guenter's relay-ctrl package, which doesn't involve any
overly-specific hacks to tcpserver.

http://untroubled.org/relay-ctrl


perhaps, but the existing patch to tcpserver is extremely tiny, and 
doesn't interfere with use for other purposes. i personally don't 
have a problem with hacks. otherwise, i wouldn't be running qmail 
(and the dozen or more needed hacks for assorted shortcomings, however minor).



Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com