Mental on Fri, 13 Jul 2001 08:40:09 -0400



Re: [PLUG] Relaying, Bell Atlantic and list Reply-To header


On Fri, Jul 13, 2001 at 08:07:02AM -0400, Chuck Peters wrote:
> 
> At ccil.org we limit relaying to specified IP's.  The list includes CCIL's
> IP's as well as some other local ISP's.  But this doesn't help if a CCIL
> user is on some big ISP/IP's we don't list.  One solution used is SMTP
> Authentication but only some mail clients like Netscape and Outlook support
> it and that sucks. Does anyone have any suggestions for a better solution?
> 

Starttls _is_ the better solution. The fact that only Netscape and
Microsoft have implemented it is sad. It's an open standard, so
the fact it isn't more widespread is almost inexcusably lazy. This isn't a
proprietary protocol created to cause incompatibility, it's just something
that people feel isn't worth doing for whatever reason, despite it being an
agreed upon standard.


Your alternative is an ugly roll-your-own hack like the old
pop-before-send hacks floating around out there that pretty much grep your
pop logs for ip's and add those ip's to your relay list. Obviously this
won't work if you don't use pop or relay thru another box.


Sendmail supports TLS as of 8.11 I believe. It would be possible to
configure it (sendmail) to point to a smarthost and configure it to
pass the proper credentials so it could relay.

This would work in a small office/workgroup type setting. All outgoing
mail would use the same credentials (those of the mail server). This has
no effect on message content or visible headers. Essentially you'd be
configuring your mail hub to authenticate itself to the mail relay, which
in my opinion is better than just adding the ip to an access list. 


> I would very much prefer to use standard Debian packages on potato or
> woody with LDAP authentication.  Does anyone know what I need to install to
> setup smtp authentication?

Depends on the mail program. And if you use pam. If you use pam, it makes
it really easy to authenticate off of just about anything. The
authentication backend is a different issue from the above.

I'm out of time. Maybe after work I'll try and dig up some of my notes.

A google search for "smtp starttls" should help. It's tricky to get setup
if you've never done anything with certificates but it's doable.

As for ldap integration, the only time you'd need that is if you want to
put aliases/virtusertable/whatever into ldap. Then you just need to tell
sendmail to link against your ldap libs... it's in the
sendmail-x.x/cf/README.


--
Mental (Mental@NeverLight.com)

"What has God revealed to man that has ever helped him get a living?"
[Lemuel K. Washburn, _Is The Bible
Worth Reading And Other Essays_, 1911]


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
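
The pop-before-send approach mentioned in the message above, sketched as an added example that is not part of the original post or of any mail package. The `popd` log format, the sample lines and the 30-minute window are constructed assumptions; the output uses sendmail's access-map `RELAY` syntax.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed log format (an assumption, not any particular POP daemon's output).
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ popd\[\d+\]: "
    r"login (?P<result>ok|failed) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
Jul 13 07:40:11 mail popd[811]: login ok user=alice ip=192.0.2.10
Jul 13 08:31:02 mail popd[902]: login ok user=bob ip=198.51.100.7
Jul 13 08:33:40 mail popd[915]: login failed user=carol ip=203.0.113.5
Jul 13 08:35:19 mail popd[921]: login ok user=dave ip=not-an-ip
Jul 13 08:38:55 mail popd[930]: login ok user=alice ip=192.0.2.44
"""

def recent_pop_clients(log_text, now, window=timedelta(minutes=30), year=2001):
    """Return {ip: last_successful_login} for logins inside the window."""
    allowed = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["result"] != "ok":
            continue  # failed logins must never open the relay
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # never copy unvalidated log text into the relay list
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if timedelta(0) <= now - ts <= window:
            allowed[ip] = max(ts, allowed.get(ip, ts))
    return allowed

def access_entries(allowed):
    """Format as sendmail access-map lines: '<ip><TAB>RELAY'."""
    return [f"{ip}\tRELAY" for ip in sorted(allowed)]

if __name__ == "__main__":
    now = datetime(2001, 7, 13, 8, 40, 9)
    print("\n".join(access_entries(recent_pop_clients(SAMPLE_LOG, now))))
```

Because the grant is keyed on source address and time, every host behind the same address can relay until the entry expires, and the list has to be regenerated on a schedule so stale entries drop out.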