On 09/12/2013 05:16 AM, Dan McAllister wrote:
Suggested options (not sure how to do it -- hurt my back and not
thinking 100% this morning):

- Users are the only ones who should be using SMTP AUTH, and they should
NOT be using port 25 when they do it... so the SMTP daemon on port 25
should NOT ALLOW SMTP AUTH at all

I agree that submissions SHOULD NOT use port 25, and I'd like to have all client submissions use port 587. I just don't think it's practical to deny authentications on port 25 though. I think forcing clients to use port 587 would create a lot of helpdesk issues, and to what benefit? I think all it would accomplish would be to tick off some users, unless you could somehow get them all converted to use port 587 ahead of implementing the restriction.

In any case, I think QMT is going to need to allow for configuring port 25 to accept authentication (submissions). However, once spamdyke is handling authentication (running on both ports 25 and 587), it should be trivial to configure it to prohibit authentication on port 25.

I'll mention this to Sam, to see how this might work.

- It's up to you whether you support SUBMISSION connections on port 587
with or without SSL, but in my case I REQUIRE SSL on both ports 587 and
465 (several mail clients will specifically look for 465 with SSL before
even trying 587). Of course, this means that I either pay for a publicly
signed SSL certificate, or make my users import my self-signed certificate.

I agree entirely with this. The stock QMT will support SMTPS(465) in a future release (although it's not exactly compliant with RFCs, many clients and servers have implemented it). I hope to use spamdyke to enforce encrypted authentication as well (deny plain text authorization), the same as dovecot presently does. Of course on port 465, this wouldn't be necessary since the entire session is encrypted.

Once you're connecting on ports 587 or 465 over SSL, the AUTH method is
less important -- it's all encrypted in the SSL connection.

10-4.

Just my thoughts...

Thanks!


--
-Eric 'shubes'
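
The policy discussed in this message (AUTH offered only once the session is encrypted, and optionally not at all on port 25) can be checked from a server's EHLO replies. The following is an added example, not part of the original message and not QMT or spamdyke code; the function names, finding codes and sample replies are constructed for illustration.

```python
# Added example: audits EHLO capability replies against the AUTH policy
# discussed in the thread. Names and sample replies are constructed.

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        if i == 0:
            continue  # first line carries the server's domain, not a keyword
        text = line[4:].upper()
        if text.startswith("AUTH="):  # legacy form some servers still send
            text = "AUTH " + text[5:]
        words = text.split()
        if words:
            caps[words[0]] = words[1:]
    return caps

def audit(port, tls_active, reply, allow_auth_on_25=False):
    """Return finding codes for one EHLO reply seen on `port`."""
    caps = parse_ehlo(reply)
    encrypted = tls_active or port == 465  # 465 wraps the whole session in SSL
    findings = []
    if "AUTH" in caps:
        if port == 25 and not allow_auth_on_25:
            findings.append("auth-on-port-25")   # the stricter option above
        if not encrypted:
            findings.append("auth-before-tls")   # credentials could go in clear
    elif port in (465, 587) and encrypted:
        findings.append("submission-without-auth")
    if port == 587 and not encrypted and "STARTTLS" not in caps:
        findings.append("no-starttls")
    return findings

# Constructed sample replies (mail.example.test is a placeholder host).
PORT25_PLAIN = ("250-mail.example.test\r\n250-STARTTLS\r\n250-PIPELINING\r\n"
                "250-8BITMIME\r\n250 AUTH LOGIN PLAIN CRAM-MD5\r\n")
PORT587_PLAIN = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
PORT587_TLS = "250-mail.example.test\r\n250-8BITMIME\r\n250 AUTH LOGIN PLAIN\r\n"

if __name__ == "__main__":
    print(audit(25, False, PORT25_PLAIN))
    print(audit(587, False, PORT587_PLAIN), audit(587, True, PORT587_TLS))
```

Setting `allow_auth_on_25=True` models the position that port 25 must keep accepting submissions; the cleartext finding is still reported in that case.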

