Hi, How can courier be setup to allow "valid esmtpd reception (with and without SSL/TLS)" while also allowing "encrypted (SSL/TLS) ONLY authorized relaying" (from any ip address)?
Here are the use cases for the above. 1) Allow reception of plain text email as long as the receiver of the email is on the receiving computer. This keeps valid plain text flowing. This is very important. 2) Allow reception of email using SSL/TLS as long as the receiver of the email is on the receiving computer. This allows email servers to begin encrypting their email when sending to unknown email servers and reduces potential of snooping. This does not require passwords. (Note: for the most privacy users should encrypt their own email). I'm not sure how important or useful this use case is. 3a) Allow reception of email to be relayed IF the connection is encrypted with SSL/TLS AND the user login authorizes. This is very important for remote users and mobile users to be able to send email so that they don't have to change their "inbound and outbound email" settings everytime their ip address changes. It also enables them to set their "inbound" and "outbound" connections to the same domain name, i.e. "mail.mydomainname.com". It also provides the remote and mobile users to have their email SENT using encryption. 3b) Optionally allow reception of email to be relayed IF the connection is authorized but not encrypted. Some may want to offer this use case, but it's not as safe as use case 3a. (This can currently be set up, see note C below). 4) Block (and optionally log) all plain text relay attempts. Very important. The logging helps determine persistent relay attempts which may need to be be blocked or diagnosed. 5) Block (and optionally log) all encrypted relay attempts that do not authorize. Very important. The logging helps with tracking users who have misconfigured their settings. Use cases 1, 2, 3a, 4 and 5 are how I'm attempting to configure courier. Is this possible with the current courier system? If so, how do you set up courier to do this? If not, what needs to happen to enable courier to be setup this way? I suggest that this is a usefull default setting for many systems, that should at least be documented so that first time users can change the config files in a few minutes and be up and running quickly. All the best, Peter Notes: A) One solution that has been proposed is to run another courieresmtpd daemon on port 465. However there is confusion over wether or not this port is still in use. It seems that port 25 is used for both plain text and encrypted (SSL/TLS) esmtp sessions. If this is the case then mustn't a single courieresmptd daemon can only run on the port that handles both plain text and encrypted sessions? Does the current courieresmtpd daemon allow for the desired configuration discussed above? B) In esmtpd, ESMPT_TLS_REQUIRED=1 will turn on SSL/TLS for EVERY connection. This is too restrictive by requiring all connections be encrypted. This blocks the normal flow of unencrypted yet valid email. It does solve the "authorized encrypted relaying" problem though. C) For simple unencrypted and authenticated esmtp the following settings allow "valid esmtpd" reception and "authorized relaying", however they don't do so with encryption for the whole session. In esmtpd, set AUTHMODULES="authdaemon", ESMTPAUTH="LOGIN CRAM-MD5" and ESMTPD=YES. ------------------------------------------------------- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com _______________________________________________ courier-users mailing list [EMAIL PROTECTED] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
