Re: [qmailtoaster] Re: Forcing TLS on port 587

2011-02-04 Thread Jeremy Utley
On Thu, Feb 3, 2011 at 1:54 PM, Eric Shubert  wrote:
> I'd be very careful with this one, CJ.
> You need to keep 25 open for incoming (inter-domain) mail. ;)
>
> If QMT doesn't have the patch for the FORCE_TLS option, it'd be nice if it
> did. This is something I'd also like to see on the submission instance of
> qmail-smtp.
>
> Can you round up that patch? If you can give it a try, that'd be great. If
> not, please post here where to get it so someone (hopefully other than Jake)
> can give it a shot to see if it clashes with any other patches we're using.

I did some additional searching around, and unfortunately, I couldn't
find any place that had *JUST* this patch.  It's part of version 6
and above of John Simpson's qmail mega-patch, as documented at:
http://qmail.jms1.net/patches/combined-details.shtml near the bottom
of the page.



*A self-written patch to add a real FORCE_TLS capability, for those
who want a non-SSL server but don't want it to be able to accept mail
without STARTTLS happening first. Creating an environment variable
called FORCE_TLS with a numeric value greater than zero enables this
behaviour.


I'm not all that much of a C coder, but I might be able to try next
week to port this patch into the qmail-toaster SRPM.  I scanned the
big patch, and honestly it looks like there are only about 5 lines of
changes involved in the FORCE_TLS coding.  It would take me a lot of
work, however, and it might be quite easy for one of you who has
better coding capability to pick out what's involved in implementing
this option.

If I do get a chance to play with it and make it work, I'll certainly
contribute the patch back to the project!

Thanks!

Jeremy

-
Qmailtoaster is sponsored by Vickers Consulting Group 
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
  If you need professional help with your setup, contact them today!
-
 Please visit qmailtoaster.com for the latest news, updates, and packages.
 
  To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: Forcing TLS on port 587

2011-02-04 Thread Tonix (Antonio Nati)
I did not read carefully about the SSL configuration of Jeremy's company, so 
I took TLS as an additional anti-spam feature against public usage of 
MX servers, and did not consider the plain security side about passwords.


Anyway, the force auth feature of chkuser is still valid.

Regards,

Tonino


On 04/02/2011 17:38, Eric Shubert wrote:
I think the idea here is to keep clients from inadvertently using a 
configuration that would result in their password being sent in the 
clear. This is in order to enforce, as opposed to simply allowing, a 
good security policy.


Dovecot has such a configuration option:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes

--
-Eric 'shubes'

On 02/04/2011 02:10 AM, Tonix (Antonio Nati) wrote:

Why do you want to force TLS? You achieve the same results by enabling both
TLS and normal SMTP and just accepting e-mails from authenticated users.

It is enough to force authentication, using chkuser 2.0.9 and the
CHKUSER_EXTRA_MUSTAUTH_VARIABLE parameter
(http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#MustAuth).

By inserting export CHKUSER_MUSTAUTH="" in the run script, you
enable acceptance of e-mails only from authenticated users.

Anyway, if you absolutely want TLS and only TLS, you can have it using
stunnel, which starts a TLS session and then runs normal SMTP (see
http://www.ekkaia.org/software/mail/qmailssl.php for examples).
It can be run in front of each single service (pop, imap, etc.).

Regards,

Tonino


On 03/02/2011 20:20, Jeremy Utley wrote:

Hello everyone!

We're using a toaster installation for our primary mail server at my
company, and over the last few weeks we've been working on configuring
everyone's mail clients to use SSL for sending & receiving e-mail.
Now that we have everyone converted over to use of SSL, we'd like to
stop all non-SSL access.  For imap and pop3, it was quite simple, I
simply disabled the imap4 and pop3 run scripts in
/var/qmail/supervise.  However, for SMTP, I haven't had much luck yet.
We'd like to force the submission port 587 to require TLS and
SMTP-Auth before a message is sent out, while leaving SMTP port 25
un-modified.  I had read on another qmail site that you could do this
by use of a FORCE_TLS=1 variable in the run script, but that did not
work, so I suspect that this patch is not in the toaster packages (and
running strings against /var/qmail/bin/qmail-smtpd seems to bear that
out).  Is there any way with the toaster to enforce TLS usage, and
reject any mail that's not TLS?  We'd like to stick with TLS so we
don't have to reconfigure everyone's mail clients for SMTPS, which is
deprecated at any rate.

Thanks for any help you all can give!

Jeremy







--

Inter@zioni            Interazioni di Antonio Nati
   http://www.interazioni.it  to...@interazioni.it







[qmailtoaster] Re: Forcing TLS on port 587

2011-02-04 Thread Eric Shubert
I think the idea here is to keep clients from inadvertently using a 
configuration that would result in their password being sent in the 
clear. This is in order to enforce, as opposed to simply allowing, a 
good security policy.


Dovecot has such a configuration option:
# Disable LOGIN command and all other plaintext authentications unless
# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
# matches the local IP (ie. you're connecting from the same computer), the
# connection is considered secure and plaintext authentication is allowed.
#disable_plaintext_auth = no
disable_plaintext_auth = yes

--
-Eric 'shubes'

On 02/04/2011 02:10 AM, Tonix (Antonio Nati) wrote:

Why do you want to force TLS? You achieve the same results by enabling both
TLS and normal SMTP and just accepting e-mails from authenticated users.

It is enough to force authentication, using chkuser 2.0.9 and the
CHKUSER_EXTRA_MUSTAUTH_VARIABLE parameter
(http://www.interazioni.it/opensource/chkuser/documentation/chkuser_settings.html#MustAuth).

By inserting export CHKUSER_MUSTAUTH="" in the run script, you
enable acceptance of e-mails only from authenticated users.

Anyway, if you absolutely want TLS and only TLS, you can have it using
stunnel, which starts a TLS session and then runs normal SMTP (see
http://www.ekkaia.org/software/mail/qmailssl.php for examples).
It can be run in front of each single service (pop, imap, etc.).

Regards,

Tonino


On 03/02/2011 20:20, Jeremy Utley wrote:

Hello everyone!

We're using a toaster installation for our primary mail server at my
company, and over the last few weeks we've been working on configuring
everyone's mail clients to use SSL for sending & receiving e-mail.
Now that we have everyone converted over to use of SSL, we'd like to
stop all non-SSL access.  For imap and pop3, it was quite simple, I
simply disabled the imap4 and pop3 run scripts in
/var/qmail/supervise.  However, for SMTP, I haven't had much luck yet.
We'd like to force the submission port 587 to require TLS and
SMTP-Auth before a message is sent out, while leaving SMTP port 25
un-modified.  I had read on another qmail site that you could do this
by use of a FORCE_TLS=1 variable in the run script, but that did not
work, so I suspect that this patch is not in the toaster packages (and
running strings against /var/qmail/bin/qmail-smtpd seems to bear that
out).  Is there any way with the toaster to enforce TLS usage, and
reject any mail that's not TLS?  We'd like to stick with TLS so we
don't have to reconfigure everyone's mail clients for SMTPS, which is
deprecated at any rate.

Thanks for any help you all can give!

Jeremy

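A way to check from the outside that the policy this thread is after is actually enforced, for both services discussed: Jeremy's requirement that the submission port on 587 not take AUTH (or mail) before STARTTLS, and the Dovecot disable_plaintext_auth = yes setting Eric quotes, which shows up to a client as LOGINDISABLED in the pre-TLS CAPABILITY list. This is an added example, not code from the thread or from the qmailtoaster, qmail or Dovecot projects; the host name, the ports and the sample capability sets are assumptions, and it wants Python 3.9 or newer for the imaplib timeout argument. Because Dovecot's own comment above says connections from the server's own IP count as secure, run the probe from another machine. The evaluate_* functions work on capability data alone, so the policy logic can be exercised offline on constructed input; the probe_* functions gather that data from a live host and never send a password (AUTH LOGIN without an initial response carries none).

```python
"""Audit TLS-before-authentication on a mail server (added example)."""
import imaplib
import smtplib
import ssl
import sys

PLAINTEXT_SMTP_MECHS = {"PLAIN", "LOGIN"}
PLAINTEXT_IMAP_CAPS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def evaluate_smtp(features_before_tls):
    """features_before_tls is smtplib's esmtp_features dict from the first EHLO:
    lower-cased keywords mapped to their parameters, e.g. {"auth": " PLAIN LOGIN"}."""
    mechs = set(features_before_tls.get("auth", "").upper().split())
    return {
        "starttls_offered": "starttls" in features_before_tls,
        "auth_before_tls": "auth" in features_before_tls,
        "plaintext_mechs": sorted(PLAINTEXT_SMTP_MECHS & mechs),
    }


def smtp_policy_ok(report):
    # RFC 4954 sec. 4: a mechanism that is not permitted on the unencrypted
    # connection must not be advertised there, so the compliant picture before
    # STARTTLS is "STARTTLS offered, no AUTH keyword at all".
    return report["starttls_offered"] and not report["auth_before_tls"]


def evaluate_imap(capabilities_before_tls):
    """capabilities_before_tls is imaplib's IMAP4.capabilities tuple taken from
    the greeting, before any STARTTLS."""
    caps = {c.upper() for c in capabilities_before_tls}
    return {
        "starttls_offered": "STARTTLS" in caps,
        "login_disabled": "LOGINDISABLED" in caps,  # what disable_plaintext_auth=yes yields
        "plaintext_mechs": sorted(PLAINTEXT_IMAP_CAPS & caps),
    }


def imap_policy_ok(report):
    return (report["starttls_offered"] and report["login_disabled"]
            and not report["plaintext_mechs"])


def probe_smtp(host, port=587, timeout=10):
    """Collect the pre- and post-STARTTLS facts from a live submission server."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        report = evaluate_smtp(dict(s.esmtp_features))
        # AUTH LOGIN with no initial response carries no credentials, so it is a
        # safe way to see whether AUTH is refused before TLS (expect 5xx, e.g. 530/538).
        code, _ = s.docmd("AUTH", "LOGIN")
        if code == 334:
            s.docmd("*")  # server was willing to proceed in clear; cancel the exchange
        report["auth_rejected_before_tls"] = 500 <= code < 600
        if report["starttls_offered"]:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # the server re-announces its capabilities after the handshake
            report["auth_after_tls"] = s.has_extn("auth")
    return report


def probe_imap(host, port=143, timeout=10):
    """Same idea for IMAP: LOGINDISABLED must be present until STARTTLS is done."""
    m = imaplib.IMAP4(host, port, timeout=timeout)  # timeout needs Python 3.9+
    try:
        report = evaluate_imap(m.capabilities)
        if report["starttls_offered"]:
            m.starttls(ssl_context=ssl.create_default_context())
            report["login_disabled_after_tls"] = "LOGINDISABLED" in m.capabilities
    finally:
        m.logout()
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        host = sys.argv[1]  # e.g. mail.example.com; assumed, not from the thread
        print("SMTP 587:", probe_smtp(host))
        print("IMAP 143:", probe_imap(host))
    else:
        # Constructed capability data, not captured from any real server.
        leaky = {"starttls": "", "auth": " PLAIN LOGIN", "size": "20971520"}
        strict = {"starttls": "", "size": "20971520"}
        print("SMTP leaky ok? ", smtp_policy_ok(evaluate_smtp(leaky)))
        print("SMTP strict ok?", smtp_policy_ok(evaluate_smtp(strict)))
        dovecot = ("IMAP4REV1", "STARTTLS", "LOGINDISABLED", "IDLE")
        print("IMAP dovecot ok?", imap_policy_ok(evaluate_imap(dovecot)))
```

Run it with no arguments to see the verdicts on the constructed data, or with a host name to probe a real server. A toaster that only has the MUSTAUTH-style behaviour Tonino describes will typically report auth_before_tls True and auth_rejected_before_tls False on 587, which is exactly the gap Eric's message is about: the server still lets a misconfigured client send its password in the clear.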




[qmailtoaster] Re: Forcing TLS on port 587

2011-02-03 Thread Eric Shubert
Some older clients (Outlook'03 comes to mind) don't do TLS, so I think 
there should be an option. That being said, I think it'd be good if the 
'stock' QMT has the option enabled (require TLS).

--
-Eric 'shubes'

On 02/03/2011 01:12 PM, Jean-Paul van de Plasse wrote:

I did not include the FORCE_TLS patch when doing the submission patches.
Cannot remember anymore why, it is too long ago..

A quick Google returns a simple solution that always requires TLS for
authentication.
Maybe it is nicer to have this optional with the FORCE_TLS, but that
should not be too difficult either.

void  smtp_auth(arg)
char*arg;
{
+   if  (!ssl)
+   {
+   out("538 auth not available without TLS (#5.3.3)\r\n");
+   return;
+   }
int i;
char*cmd=  arg;
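Review bot: the if (!ssl) guard turns the AUTH command away, but it does not stop a client from putting its password on the wire first: with the initial-response form of AUTH PLAIN (AUTH PLAIN <base64 credentials> on one line) the credentials have already been sent in clear by the time the 538 goes back. RFC 4954 section 4 requires that mechanisms not permitted on the unencrypted connection are not advertised at all, so the EHLO reply also has to leave out the AUTH keyword while ssl is unset, which this hunk does not do. Also, the enhanced status code RFC 4954 pairs with 538 is 5.7.11 (encryption required for the requested authentication mechanism), so "(#5.7.11)" fits better than "(#5.3.3)".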


http://notes.sagredo.eu/node/84


JP

On Feb 3, 2011, at 20:54 , Eric Shubert wrote:


I'd be very careful with this one, CJ.
You need to keep 25 open for incoming (inter-domain) mail. ;)

If QMT doesn't have the patch for the FORCE_TLS option, it'd be nice
if it did. This is something I'd also like to see on the submission
instance of qmail-smtp.

Can you round up that patch? If you can give it a try, that'd be
great. If not, please post here where to get it so someone (hopefully
other than Jake) can give it a shot to see if it clashes with any
other patches we're using.

--
-Eric 'shubes'

On 02/03/2011 12:42 PM, Cecil Yother, Jr. wrote:

You could block port 25 in your iptables

On 02/03/2011 11:20 AM, Jeremy Utley wrote:

Hello everyone!

We're using a toaster installation for our primary mail server at my
company, and over the last few weeks we've been working on configuring
everyone's mail clients to use SSL for sending & receiving e-mail.
Now that we have everyone converted over to use of SSL, we'd like to
stop all non-SSL access. For imap and pop3, it was quite simple, I
simply disabled the imap4 and pop3 run scripts in
/var/qmail/supervise. However, for SMTP, I haven't had much luck yet.
We'd like to force the submission port 587 to require TLS and
SMTP-Auth before a message is sent out, while leaving SMTP port 25
un-modified. I had read on another qmail site that you could do this
by use of a FORCE_TLS=1 variable in the run script, but that did not
work, so I suspect that this patch is not in the toaster packages (and
running strings against /var/qmail/bin/qmail-smtpd seems to bear that
out). Is there any way with the toaster to enforce TLS usage, and
reject any mail that's not TLS? We'd like to stick with TLS so we
don't have to reconfigure everyone's mail clients for SMTPS, which is
deprecated at any rate.

Thanks for any help you all can give!

Jeremy
























Re: [qmailtoaster] Re: Forcing TLS on port 587

2011-02-03 Thread Jean-Paul van de Plasse
I did not include the FORCE_TLS patch when doing the submission patches.
Cannot remember anymore why, it is too long ago..

A quick Google returns a simple solution that always requires TLS for 
authentication.
Maybe it is nicer to have this optional with the FORCE_TLS, but that should not 
be too difficult either.

void smtp_auth(arg)
char *arg;
{
+  if (!ssl)
+  {
+  out("538 auth not available without TLS (#5.3.3)\r\n");
+  return;
+  }
int i;
char *cmd = arg;
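Review bot: the inserted block sits above the int i; and char *cmd = arg; declarations, so smtp_auth now has statements before declarations; the K&R-style definition (void smtp_auth(arg) char *arg;) shows this is pre-C99 code, and a C89 compiler rejects the mixed order. Move the if (!ssl) check to just after char *cmd = arg;, which still rejects before any credential is parsed and keeps the file building the way it does today.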

http://notes.sagredo.eu/node/84


JP

On Feb 3, 2011, at 20:54 , Eric Shubert wrote:

> I'd be very careful with this one, CJ.
> You need to keep 25 open for incoming (inter-domain) mail. ;)
> 
> If QMT doesn't have the patch for the FORCE_TLS option, it'd be nice if it 
> did. This is something I'd also like to see on the submission instance of 
> qmail-smtp.
> 
> Can you round up that patch? If you can give it a try, that'd be great. If 
> not, please post here where to get it so someone (hopefully other than Jake) 
> can give it a shot to see if it clashes with any other patches we're using.
> 
> -- 
> -Eric 'shubes'
> 
> On 02/03/2011 12:42 PM, Cecil Yother, Jr. wrote:
>> You could block port 25 in your iptables
>> 
>> On 02/03/2011 11:20 AM, Jeremy Utley wrote:
>>> Hello everyone!
>>> 
>>> We're using a toaster installation for our primary mail server at my
>>> company, and over the last few weeks we've been working on configuring
>>> everyone's mail clients to use SSL for sending & receiving e-mail.
>>> Now that we have everyone converted over to use of SSL, we'd like to
>>> stop all non-SSL access.  For imap and pop3, it was quite simple, I
>>> simply disabled the imap4 and pop3 run scripts in
>>> /var/qmail/supervise.  However, for SMTP, I haven't had much luck yet.
>>> We'd like to force the submission port 587 to require TLS and
>>> SMTP-Auth before a message is sent out, while leaving SMTP port 25
>>> un-modified.  I had read on another qmail site that you could do this
>>> by use of a FORCE_TLS=1 variable in the run script, but that did not
>>> work, so I suspect that this patch is not in the toaster packages (and
>>> running strings against /var/qmail/bin/qmail-smtpd seems to bear that
>>> out).  Is there any way with the toaster to enforce TLS usage, and
>>> reject any mail that's not TLS?  We'd like to stick with TLS so we
>>> don't have to reconfigure everyone's mail clients for SMTPS, which is
>>> deprecated at any rate.
>>> 
>>> Thanks for any help you all can give!
>>> 
>>> Jeremy
>>> 
>>> 
>>> 
>>> 
>> 
> 
> 
> 
> 
> 



[qmailtoaster] Re: Forcing TLS on port 587

2011-02-03 Thread Eric Shubert

I'd be very careful with this one, CJ.
You need to keep 25 open for incoming (inter-domain) mail. ;)

If QMT doesn't have the patch for the FORCE_TLS option, it'd be nice if 
it did. This is something I'd also like to see on the submission 
instance of qmail-smtp.


Can you round up that patch? If you can give it a try, that'd be great. 
If not, please post here where to get it so someone (hopefully other 
than Jake) can give it a shot to see if it clashes with any other 
patches we're using.


--
-Eric 'shubes'

On 02/03/2011 12:42 PM, Cecil Yother, Jr. wrote:

You could block port 25 in your iptables

On 02/03/2011 11:20 AM, Jeremy Utley wrote:

Hello everyone!

We're using a toaster installation for our primary mail server at my
company, and over the last few weeks we've been working on configuring
everyone's mail clients to use SSL for sending & receiving e-mail.
Now that we have everyone converted over to use of SSL, we'd like to
stop all non-SSL access.  For imap and pop3, it was quite simple, I
simply disabled the imap4 and pop3 run scripts in
/var/qmail/supervise.  However, for SMTP, I haven't had much luck yet.
We'd like to force the submission port 587 to require TLS and
SMTP-Auth before a message is sent out, while leaving SMTP port 25
un-modified.  I had read on another qmail site that you could do this
by use of a FORCE_TLS=1 variable in the run script, but that did not
work, so I suspect that this patch is not in the toaster packages (and
running strings against /var/qmail/bin/qmail-smtpd seems to bear that
out).  Is there any way with the toaster to enforce TLS usage, and
reject any mail that's not TLS?  We'd like to stick with TLS so we
don't have to reconfigure everyone's mail clients for SMTPS, which is
deprecated at any rate.

Thanks for any help you all can give!

Jeremy









