Re: Using smtp auth for local account with PHP scripts

2018-04-03 Thread Michael Hekeler
On Sun, 01 Apr 2018 17:28:29 +0200, Markus Rosjat wrote:

> Hi there,  
> 
> There are simple ways of relaying local mails (connection on lo0 on
> port 25) to another mailserver. This is okay for logs and stuff, but
> what about mails created by PHP on the local webserver? How do I
> get smtpd to still do an auth with username and pwd on lo0? Is it
> possible, or do I need to configure the "external" addr too for this
> purpose?


Hello Markus,

I am not sure if I understand your question...
But to relay emails on an internal webserver you have to set the
following 2 lines in /etc/mail/smtpd.conf:

  table passwd file:/etc/mail/secrets
  # the <passwd> argument names the credentials table declared above
  accept from any \
      for any \
      relay via tls+auth://foo@mailserver auth <passwd>


and in /etc/mail/secrets:

  # label  username:password  (the label is what the relay URL refers to)
  foo  username:password



That's all. Simple.



Re: Using smtp auth for local account with PHP scripts

2018-04-04 Thread Christophe Simon

Hello,

I'd say that all depends on the function/library you're using in your 
PHP application to send mails.


The `mail()` command, for instance, uses the `sendmail` binary to 
directly ingest your message in your local mail spool, and thus does not 
require any authentication. The mail is sent on behalf of the identity 
your web server runs under. There are options to set the appropriate 
sender in the message headers, obviously.


If you're using a library such as `PHPMailer`, you'll want to use the 
SMTP protocol, either locally (on lo0) (1), or remotely (on your mail 
provider's SMTP service) (2).


It's up to you to decide if you want authentication on the loopback port 
(but it's better to do so).


If you're using your local MTA to send emails (1), either using the SMTP 
protocol on lo0 or the `sendmail` binary, chances are you'll want to 
use a relay host to avoid being blacklisted by your recipients' servers 
(or you should take care to have a resolvable public IP with correct SPF 
configured in your DNS). Such a configuration has been very well 
illustrated by Michael below.


I hope I correctly understood your question and I'm clear enough.

Regards.







Re: Using smtp auth for local account with PHP scripts

2018-04-04 Thread Markus Rosjat

Hi,

I will answer in the text below :)

On 04.04.2018 at 13:52, Christophe Simon wrote:

> Hello,
> 
> I'd say that all depends on the function/library you're using in your 
> PHP application to send mails.
> 
> The `mail()` command, for instance, uses the `sendmail` binary to 
> directly ingest your message in your local mail spool, and thus does not 
> require any authentication. The mail is sent on behalf of the identity 
> your web server runs under. There are options to set the appropriate 
> sender in the message headers, obviously.


No, we don't want to use a binary in the chroot; that somehow feels just wrong :)

> If you're using a library such as `PHPMailer`, you'll want to use the 
> SMTP protocol, either locally (on lo0) (1), or remotely (on your mail 
> provider's SMTP service) (2).


Since it will be WP (I know ...), it has PHPMailer and should be able 
to send with the SMTP protocol.



> It's up to you to decide if you want authentication on the loopback port 
> (but it's better to do so).
> 
> If you're using your local MTA to send emails (1), either using the SMTP 
> protocol on lo0 or the `sendmail` binary, chances are you'll want to 
> use a relay host to avoid being blacklisted by your recipients' servers 
> (or you should take care to have a resolvable public IP with correct SPF 
> configured in your DNS). Such a configuration has been very well 
> illustrated by Michael below.


I have set up the local smtpd to relay mails from local connections, so 
it only listens on lo0, but hey, PHPMailer will connect on lo0 and can 
still be abused if the WP around it allows it. I basically force the user 
to use something like reCAPTCHA, but even then I would like to do 
something with authentication, though.


For me a short example would be helpful. For now I basically let a script 
run once an hour to check if the maillog shows somewhat strange traffic 
to the relay.


Is enabling auth on lo0 simply this?

# "hostname" is the pki name the listener presents; it must match the cert
pki hostname certificate "/path/to/cert"
pki hostname key "/path/to/key"


table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets

# "auth" alone checks system accounts; "auth <secrets>" would use the table
listen on lo0 port submission tls pki hostname auth

# <secrets> names the table that holds the "relaycred username:password" line
accept for any relay via tls+auth://relaycred@relayhost:587 auth <secrets>


And then I can just set up PHPMailer to use the submission port on 
localhost with some credentials?


Regards

--
Markus Rosjatfon: +49 351 8107223mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Bitte prüfen Sie, ob diese Mail wirklich ausgedruckt werden muss! Before 
you print it, think about your responsibility and commitment to the 
ENVIRONMENT
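One way to do the hourly maillog check Markus mentions, as an added example that is not from the thread or from OpenSMTPD: it parses smtpd's key=value event lines and reports bursts of failed AUTH, messages accepted on sessions that never authenticated, unusual volume per user, and envelope senders outside the site's own domain (the tell-tale of a WordPress form being abused as a relay). The log lines are constructed samples in the shape of the 6.3-era format; field names such as `event=authentication` and `result=ok`, the thresholds and the domain `example.com` are assumptions to check against your own maillog.

```php
<?php
// Added example, not from the thread or OpenSMTPD. Sample lines are constructed
// to look like smtpd's "<date> <host> smtpd[pid]: <session> smtp event=... k=v" log;
// verify the field names against your own /var/log/maillog before relying on it.
const SAMPLE_MAILLOG = <<<'LOG'
Apr  4 14:05:01 www smtpd[3154]: 6d0c2f1a9b8e7c6d smtp event=connected address=127.0.0.1 host=localhost
Apr  4 14:05:01 www smtpd[3154]: 6d0c2f1a9b8e7c6d smtp event=authentication user=wp address=127.0.0.1 host=localhost result=ok
Apr  4 14:05:02 www smtpd[3154]: 6d0c2f1a9b8e7c6d smtp event=message address=127.0.0.1 host=localhost msgid=4f9a1e0b from=<www@example.com> to=<alice@example.org> size=1842 ndest=1 proto=ESMTP
Apr  4 14:07:44 www smtpd[3154]: 7e1d3a2b0c9f8d7e smtp event=connected address=127.0.0.1 host=localhost
Apr  4 14:07:44 www smtpd[3154]: 7e1d3a2b0c9f8d7e smtp event=authentication user=admin address=127.0.0.1 host=localhost result=permfail
Apr  4 14:07:45 www smtpd[3154]: 7e1d3a2b0c9f8d7e smtp event=authentication user=root address=127.0.0.1 host=localhost result=permfail
Apr  4 14:07:46 www smtpd[3154]: 7e1d3a2b0c9f8d7e smtp event=authentication user=wp address=127.0.0.1 host=localhost result=permfail
Apr  4 14:31:10 www smtpd[3154]: 8f2e4b3c1d0a9e8f smtp event=connected address=127.0.0.1 host=localhost
Apr  4 14:31:10 www smtpd[3154]: 8f2e4b3c1d0a9e8f smtp event=message address=127.0.0.1 host=localhost msgid=5a0b2f1c from=<offer@spam.example.net> to=<bob@example.org> size=40211 ndest=1 proto=ESMTP
LOG;

// Split one smtpd line into its fields; returns null for lines that are not smtpd events.
function parse_smtpd_line(string $line): ?array
{
    if (!preg_match('/^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: ([0-9a-f]+) (smtp|mta) (.*)$/', $line, $m)) {
        return null;
    }
    $fields = ['time' => $m[1], 'session' => $m[2], 'sub' => $m[3]];
    // values are bare words, <addresses> or "quoted strings with spaces"
    preg_match_all('/(\w+)=(<[^>]*>|"[^"]*"|\S+)/', $m[4], $kv, PREG_SET_ORDER);
    foreach ($kv as $pair) {
        $fields[$pair[1]] = trim($pair[2], '<>"');
    }
    return $fields;
}

// Returns a list of human-readable findings for the given chunk of log.
function check_maillog(string $log, array $opts = []): array
{
    $maxFailedAuth = $opts['max_failed_auth'] ?? 5;        // assumed thresholds
    $maxMessages   = $opts['max_messages']   ?? 200;
    $senderDomain  = $opts['sender_domain']  ?? 'example.com';

    $failed  = [];   // client address => failed AUTH attempts
    $perUser = [];   // authenticated user => messages queued
    $badFrom = [];   // envelope senders outside our domain => count
    $authed  = [];   // session id => user that authenticated on it
    $unauth  = 0;    // messages accepted on sessions that never authenticated

    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = parse_smtpd_line($line);
        if ($f === null || $f['sub'] !== 'smtp') {
            continue;
        }
        switch ($f['event'] ?? '') {
            case 'authentication':
                if (($f['result'] ?? '') === 'ok') {
                    $authed[$f['session']] = $f['user'] ?? '?';
                } else {
                    $addr = $f['address'] ?? 'unknown';
                    $failed[$addr] = ($failed[$addr] ?? 0) + 1;
                }
                break;
            case 'message':
                $user = $authed[$f['session']] ?? null;
                if ($user === null) {
                    $unauth++;                      // listener is not enforcing AUTH
                } else {
                    $perUser[$user] = ($perUser[$user] ?? 0) + 1;
                }
                $from = $f['from'] ?? '';
                $suffix = '@' . $senderDomain;
                if ($from !== '' && substr($from, -strlen($suffix)) !== $suffix) {
                    $badFrom[$from] = ($badFrom[$from] ?? 0) + 1;
                }
                break;
        }
    }

    $findings = [];
    foreach ($failed as $addr => $n) {
        if ($n >= $maxFailedAuth) $findings[] = "$n failed AUTH attempts from $addr";
    }
    foreach ($perUser as $u => $n) {
        if ($n > $maxMessages) $findings[] = "user $u queued $n messages in this window";
    }
    if ($unauth > 0) $findings[] = "$unauth message(s) accepted on sessions without AUTH";
    foreach ($badFrom as $from => $n) {
        $findings[] = "$n message(s) with envelope sender $from outside $senderDomain";
    }
    return $findings;
}

// Cron: php check-maillog.php /var/log/maillog ; with no argument the samples are checked.
$log = (PHP_SAPI === 'cli' && isset($argv[1])) ? file_get_contents($argv[1]) : SAMPLE_MAILLOG;
foreach (check_maillog($log, ['max_failed_auth' => 3, 'max_messages' => 200, 'sender_domain' => 'example.com']) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the samples this reports three failed AUTH attempts from 127.0.0.1, one message accepted without AUTH and one message with a foreign envelope sender. For an hourly cron run feed it only the lines since the previous run (for example by filtering on the timestamp or reading a log that newsyslog rotates hourly), otherwise the counts accumulate over the whole file; maillog is root-readable, so the job has to run with matching privileges.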




Re: Using smtp auth for local account with PHP scripts

2018-04-04 Thread Christophe Simon

Yes, that should do the trick.

The only problem that you could face is the certificate validation in 
PHPMailer: if you connect to `localhost` using a TLS connection, unless 
your certificate presents `localhost` as a CN (or a SAN), there is a 
chance that the client refuses to establish the connection (I don't 
remember if certificate validation is enabled by default in PHPMailer).


If you don't want to bypass certificate validation, one possible way to 
overcome this issue is to set an entry in your chroot's `/etc/hosts` 
pointing your certificate's CN to `127.0.0.1`, or include `localhost` in 
your certificate SANs. And if your certificate is self-signed, you'll 
have to manually accept it.


Regards.

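The PHPMailer side of the setup Markus asks about, as an added example that is not part of the thread, of WordPress or of PHPMailer itself: it sends through the submission listener on lo0 with STARTTLS and SMTP AUTH and keeps certificate validation switched on by telling the TLS stream which name to verify, which is the alternative to Christophe's `/etc/hosts` and SAN workarounds. The pki name `mail.example.com`, the credentials `wp`/`s3cret`, the CA file path and the sender address are assumptions.

```php
<?php
// Added example (not from the thread, WordPress or PHPMailer). Assumed values:
// smtpd's pki name "mail.example.com", an auth-table user "wp" with password
// "s3cret", a CA bundle at /etc/ssl/cert.pem and the sender www@example.com.
// PHPMailer 6.x namespaces; drop the two "use" lines for the 5.2.x bundled in WP 4.x.
require_once __DIR__ . '/vendor/autoload.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

const SMTPD_PKI_NAME = 'mail.example.com';   // assumed: the <name> in "pki <name>" in smtpd.conf
const SMTPD_CA_FILE  = '/etc/ssl/cert.pem';  // assumed: holds the issuer, or the self-signed cert itself

// Point a PHPMailer instance at the lo0 submission listener with AUTH and
// certificate validation. Works both for the instance WordPress passes to
// the "phpmailer_init" action and for one constructed by hand.
function configure_local_submission($mail)
{
    $mail->isSMTP();
    $mail->Host        = '127.0.0.1';   // the listener on lo0, never the relay host directly
    $mail->Port        = 587;           // submission
    $mail->SMTPSecure  = 'tls';         // STARTTLS; the string form works in 5.2.x and 6.x
    $mail->SMTPAutoTLS = true;
    $mail->SMTPAuth    = true;
    $mail->Username    = 'wp';          // assumed credential in smtpd's auth table
    $mail->Password    = 's3cret';      // assumed; in practice load it from config, not source

    // 127.0.0.1 is not in the certificate, so verify against the pki name
    // instead of switching verification off.
    $mail->SMTPOptions = [
        'ssl' => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'peer_name'         => SMTPD_PKI_NAME,
            'cafile'            => SMTPD_CA_FILE,
        ],
    ];
}

// WordPress: apply the settings to the mailer that wp_mail() uses.
if (function_exists('add_action')) {
    add_action('phpmailer_init', 'configure_local_submission');
}

// Standalone use outside WordPress; returns true on success.
function send_via_local_submission($to, $subject, $body)
{
    $mail = new PHPMailer(true);        // true: throw Exception instead of returning false
    configure_local_submission($mail);
    try {
        $mail->setFrom('www@example.com', 'Example site');   // assumed sender
        $mail->addAddress($to);
        $mail->Subject = $subject;
        $mail->Body    = $body;
        $mail->send();
        return true;
    } catch (Exception $e) {
        // ErrorInfo carries the SMTP/TLS reason, e.g. a peer-name mismatch or 535 from smtpd
        error_log('mail to ' . $to . ' failed: ' . $mail->ErrorInfo);
        return false;
    }
}
```

If the connection fails with a peer-name error, the `peer_name` above does not match the certificate smtpd presents, which is the exact condition Christophe describes; fix the name or the certificate rather than setting `verify_peer` to false. With a self-signed certificate the file given as `cafile` has to contain that certificate itself.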





Re: Using smtp auth for local account with PHP scripts

2018-04-04 Thread Markus Rosjat

Hi again,


On 04.04.2018 at 15:34, Christophe Simon wrote:

> Yes, that should do the trick.
> 
> The only problem that you could face is the certificate validation in 
> PHPMailer: if you connect to `localhost` using a TLS connection, unless 
> your certificate presents `localhost` as a CN (or a SAN), there is a 
> chance that the client refuses to establish the connection (I don't 
> remember if certificate validation is enabled by default in PHPMailer).
> 
> If you don't want to bypass certificate validation, one possible way 
> to overcome this issue is to set an entry in your chroot's 
> `/etc/hosts` pointing your certificate's CN to `127.0.0.1`, or include 
> `localhost` in your certificate SANs. And if your certificate is self-
> signed, you'll have to manually accept it.



I will give it a try, thank you for the advice.

Regards
