Re: [qmailtoaster] Forcing authentication (submission) for all users

2014-12-18 Thread Dan McAllister
If I had my druthers, a stock QMT would come with SpamDyke 
pre-installed... not so much so that I could block a great deal of SPAM, 
but because the SpamDyke control of the qmail-smtp is so easy.


So, here is how *I* do it:
 1) Port 25 (SMTP) is for receiving mail INTO my server ONLY (that is, 
inbound mail TO my users):

 - There is NO AUTH on this port... PERIOD!
 - There is no relaying on this port either (unless I have an 
smtproutes entry)

 - While I do allow TLS, I do not require it.
Here is my EHLO reply on port 25:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 X-NOTHING

I accomplish this by setting the SPAMDYKEFLAGS entry in the file 
/var/qmail/control/smtp/run to show a DIFFERENT config file:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp.conf"

Then, in the smtp.conf file, I create an entry:

   smtp-auth-level=none

 2) Port 587 (SUBMISSION) is for outbound mail ONLY (that is, outbound 
mail FROM my users):

 - AUTH is required on this port
 - On some servers, I REQUIRE TLS, but on most it is allowed but not 
required.

Here is my EHLO reply on port 587:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 AUTH LOGIN PLAIN CRAM-MD5

I accomplish this by setting the SPAMDYKEFLAGS entry in the file 
/var/qmail/control/submission/run to show a DIFFERENT config file:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/submission.conf"

Then, in the submission.conf file, I create an entry:

   smtp-auth-level=always

NOTE: To REQUIRE TLS, use always-encrypted instead of just always

 3) On systems that have valid SSL certificates, I have a port 465 
(SMTP-SSL) port open as well

 - AUTH is required on this port
 - I REQUIRE TLS or SSL
I cannot show you the EHLO reply, as I don't have a tool to do the TLS 
decryption for me :)


Still, I accomplish this by setting the SPAMDYKEFLAGS entry in the 
file /var/qmail/control/smtp-ssl/run to show a DIFFERENT config file:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp-ssl.conf"

Then, in the smtp-ssl.conf file, I create an entry:

   smtp-auth-level=always-encrypted

So the point is that you can configure SpamDyke to behave totally 
differently on all 3 SMTP ports (25, 587, & if you want, 465) simply by 
setting the config file to be unique in the supervise/run script for 
each port.


I hope this helps others...

Dan McAllister



On 12/15/2014 3:33 PM, Peter Peltonen wrote:

> Hi,
>
> I would like to force all users using my toaster to send mail to
> authenticate. I've now managed to get Squirrelmail and Horde do that.
> But I would like to know how to do this also with other (web)servers
> that use the toaster as a smarthost? The other servers are running
> Postfix.
>
> Another thing I remember that has been discussed in this list, but
> what I couldn't find by searching the archives, was that if all users
> authenticate, then one could blacklist all local domains in Spamdyke?
> Is that advice still valid (and why should one do it, I'm curious)?
>
> Another thing I'm thinking is about local user accounts on the toaster
> server. How are those handled if localhost is not allowed to relay
> mail? Do they inject the mail to qmail directly without using smtp?
>
> Regards,
> Peter
>
> -
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




--
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!



Re: [qmailtoaster] Forcing authentication (submission) for all users

2014-12-18 Thread Peter Peltonen
Hi,

On Thu, Dec 18, 2014 at 4:55 PM, Dan McAllister  wrote:
> If I had my druthers, a stock QMT would come with SpamDyke pre-installed...
> not so much so that I could block a great deal of SPAM, but because the
> SpamDyke control of the qmail-smtp is so easy.

Thanks for your input Dan, that sounds like a good way to setup
sending messages.

You don't have any idea about the two other issues I asked about,
blacklisting local domains and local mail delivery (see my msg below)?

Best,
Peter

>
>
>
> On 12/15/2014 3:33 PM, Peter Peltonen wrote:
>
> Hi,
>
> I would like to force all users using my toaster to send mail to
> authenticate. I've now managed to get Squirrelmail and Horde do that.
> But I would like to know how to do this also with other (web)servers
> that use the toaster as a smarthost? The other servers are running
> Postfix.
>
> Another thing I remember that has been discussed in this list, but
> what I couldn't find by searching the archives, was that if all users
> authenticate, then one could blacklist all local domains in Spamdyke?
> Is that advice still valid (and why should one do it, I'm curious)?
>
> Another thing I'm thinking is about local user accounts on the toaster
> server. How are those handled if localhost is not allowed to relay
> mail? Do they inject the mail to qmail directly without using smtp?
>
> Regards,
> Peter
>




Re: [qmailtoaster] Forcing authentication (submission) for all users

2014-12-18 Thread Dan McAllister
OOPS -- I should have pointed out that I use QMail flags to control this 
behavior too...


I have made corrected notations below...

If I had my druthers, a stock QMT would come with SpamDyke 
pre-installed... not so much so that I could block a great deal of SPAM, 
but because the SpamDyke control of the qmail-smtp is so easy.


So, here is how *I* do it:
 1) Port 25 (SMTP) is for receiving mail INTO my server ONLY (that is, 
inbound mail TO my users):

 - There is NO AUTH on this port... PERIOD!
 - There is no relaying on this port either (unless I have an 
smtproutes entry)

 - While I do allow TLS, I do not require it.
Here is my EHLO reply on port 25:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 X-NOTHING

I accomplish this by setting the SPAMDYKEFLAGS entry in the file 
/var/qmail/control/smtp/run to show a DIFFERENT config file. The 
other special settings are shown too:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp.conf"
   export SMTPAUTH=0
   export REQUIRE_AUTH=0
   export SMTPS=0

Then, in the spamdyke/smtp.conf file, I create an entry:

   smtp-auth-level=none


 2) Port 587 (SUBMISSION) is for outbound mail ONLY (that is, outbound 
mail FROM my users):

 - AUTH is required on this port
 - On some servers, I REQUIRE TLS, but on most it is allowed but not 
required.

Here is my EHLO reply on port 587:

   250-mail.myserver.com - Welcome
   250-STARTTLS
   250-PIPELINING
   250-8BITMIME
   250-SIZE 67108864
   250 AUTH LOGIN PLAIN CRAM-MD5

I accomplish this by setting the SPAMDYKEFLAGS entry in the file 
/var/qmail/control/submission/run to show a DIFFERENT config file. 
The other special settings are shown too:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/submission.conf"
   export SMTPAUTH=1
   export REQUIRE_AUTH=1
   export SMTPS=0   # or =1 if you want to force SSL/TLS

Then, in the spamdyke/submission.conf file, I make sure the 
smtp-auth-level is NOT SET:


   #smtp-auth-level=none

NOTE: This tells spamdyke to allow qmail to authenticate

 3) On systems that have valid SSL certificates, I have a port 465 
(SMTP-SSL) port open as well

 - AUTH is required on this port
 - I REQUIRE TLS or SSL
I cannot show you the EHLO reply, as I don't have a tool to do the TLS 
decryption for me :)


Still, I accomplish this by setting the SPAMDYKEFLAGS entry in the 
file /var/qmail/control/smtp-ssl/run to show a DIFFERENT config file:


   SPAMDYKE="/usr/local/bin/spamdyke"
   SPAMDYKEFLAGS="-f /etc/spamdyke/smtp-ssl.conf"
   export SMTPAUTH=1
   export REQUIRE_AUTH=1
   export SMTPS=1

Then, in the spamdyke/smtp-ssl.conf file, I make sure the 
smtp-auth-level is NOT SET:


   #smtp-auth-level=none

NOTE: This tells spamdyke to allow qmail to authenticate


So the point is that you can configure SpamDyke to behave totally 
differently on all 3 SMTP ports (25, 587, & if you want, 465) simply by 
setting the config file to be unique in the supervise/run script for 
each port, and changing some of the environment variables in the 
supervise/run script.


I hope this helps others...

Dan McAllister

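A check for the three-listener layout described in this post and in the first post of the thread, written here as an added example (not code from the list, from spamdyke or from QMT): it parses EHLO replies of the kind quoted above, confirms that port 25 never advertises AUTH while port 587 does, and flags LOGIN/PLAIN mechanisms offered before STARTTLS, since a client that skips TLS on an "allowed but not required" listener can then send its password in the clear. The POLICY table, the sample replies and the host name in probe() are assumptions; the replies are constructed from the banners posted above.

```python
"""Verify that each qmail/spamdyke SMTP listener advertises only what its role allows.

Added example for this thread; not code from the list, spamdyke or QMT.
"""
import smtplib

# Assumed policy table mirroring the thread's layout: port 25 is inbound only
# and must never offer AUTH; port 587 is submission and must offer AUTH.
POLICY = {
    25: {"auth": False},
    587: {"auth": True},
}

# Constructed sample replies, copied from the banners quoted in the thread.
PORT25_REPLY = """250-mail.myserver.com - Welcome
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 X-NOTHING
"""

PORT587_REPLY = """250-mail.myserver.com - Welcome
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 67108864
250 AUTH LOGIN PLAIN CRAM-MD5
"""


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters, e.g. {"AUTH": "LOGIN PLAIN CRAM-MD5"}.

    The first 250 line is the server greeting (RFC 5321), not a feature, so it is skipped.
    """
    features = {}
    lines = [ln.strip() for ln in reply.strip().splitlines() if ln.strip()]
    for ln in lines[1:]:
        if not ln.startswith("250") or len(ln) < 5:
            continue
        keyword, _, params = ln[4:].partition(" ")   # strip "250-" or "250 "
        features[keyword.upper()] = params.strip()
    return features


def check_policy(port, features):
    """Return findings for one listener; an empty list means it matches its role."""
    expected = POLICY[port]
    findings = []
    auth = features.get("AUTH")
    if auth is not None and not expected["auth"]:
        findings.append(f"error: port {port} advertises AUTH on an inbound-only listener")
    if auth is None and expected["auth"]:
        findings.append(f"error: port {port} does not advertise AUTH on the submission listener")
    if "STARTTLS" not in features:
        findings.append(f"error: port {port} does not advertise STARTTLS")
    # AUTH LOGIN/PLAIN in the pre-TLS EHLO means a client may send credentials in
    # cleartext; a listener that requires TLS before AUTH (the thread's
    # always-encrypted setting) would not show AUTH at this point.
    if auth is not None and {"LOGIN", "PLAIN"} & set(auth.upper().split()):
        findings.append(f"warning: port {port} offers AUTH LOGIN/PLAIN before STARTTLS; "
                        "credentials may be sent in cleartext if the client skips TLS")
    return findings


def probe(host, port, timeout=10):
    """Fetch a live EHLO feature set with smtplib (port 465 needs smtplib.SMTP_SSL instead)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("policy-check.example")   # assumed client name
        return {k.upper(): v for k, v in smtp.esmtp_features.items()}


if __name__ == "__main__":
    for port, reply in ((25, PORT25_REPLY), (587, PORT587_REPLY)):
        for finding in check_policy(port, parse_ehlo(reply)) or ["ok"]:
            print(port, finding)
```

Run against the sample replies, port 25 comes back clean and port 587 gets the cleartext warning, which is exactly the difference between smtp-auth-level=always and always-encrypted described in the thread. To test a real toaster, replace the sample replies with probe("mail.myserver.com", 25) and probe("mail.myserver.com", 587); the warning disappears once the submission listener hides AUTH until TLS is negotiated.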



Re: [qmailtoaster] Forcing authentication (submission) for all users

2014-12-18 Thread Dan McAllister

On 12/18/2014 10:08 AM, Peter Peltonen wrote:

> On 12/15/2014 3:33 PM, Peter Peltonen wrote:
>
> Hi,
>
> I would like to force all users using my toaster to send mail to
> authenticate. I've now managed to get Squirrelmail and Horde do that.
> But I would like to know how to do this also with other (web)servers
> that use the toaster as a smarthost? The other servers are running
> Postfix.

The solution I posted above will not only force users to authenticate, 
but also force them to use either submission or smtp-ssl to send 
messages. The point to that is you can put all your most sophisticated 
spam-filtering on the port 25 interface, and worry less about the other 2.

> Another thing I remember that has been discussed in this list, but
> what I couldn't find by searching the archives, was that if all users
> authenticate, then one could blacklist all local domains in Spamdyke?
> Is that advice still valid (and why should one do it, I'm curious)?

I do not know of any good reason to blacklist local domains -- in fact, 
not only do I not know what this would accomplish, I think it would 
break inter-domain messages.


If someone else can recall the reason or desired effect of this, I'm all 
ears! :)

> Another thing I'm thinking is about local user accounts on the toaster
> server. How are those handled if localhost is not allowed to relay
> mail? Do they inject the mail to qmail directly without using smtp?

Localhost should be allowed to relay mail -- that's how your typical web 
interface works (the open relay is set to 127.0.0.1 in the tcp.smtp 
setting).
Personally, I don't even allow local admins to have shell accounts, 
unless they are experienced Linux user/admins. The dangers are just too 
many. Thus, the only place most of my users have an "account" is in 
vpopmail (and that is a mailbox "account").


Sorry I can't be of more help... the one "hole" I still am not 
comfortable with is that, once authenticated, a user can send as anyone. 
I wish there was a per-user setting that would allow me to override 
that, but I also wish my mailserver could read my mind and block all the 
messages I don't want to see... I don't think I'll get that anytime 
soon, either! :)


Dan






Re: [qmailtoaster] Forcing authentication (submission) for all users

2014-12-18 Thread Finn Buhelt

Hi.

You list Your domains (local as well as 'foreign' domains which You do 
NOT want to receive mail from) in the blacklist_senders file - (emails 
from outside with Your domains as senders are fake).


Domains use 'SEND' to transfer mail internally.

I think this may be the answer to Your question  - I hope ;-)

Cheers,
Finn

