[Wylug-help] Qmail installation

Nigel Metheringham nigel.metheringham at dev.intechnology.co.uk
Fri Mar 10 16:25:51 GMT 2006


On Thu, 2006-03-09 at 17:39 +0000, lee at leeevans.org wrote:
> I've got SMTP AUTH up & running using vchkpw to validate against vpopmail
> user accounts, but as this is something I'm new to I want to make sure I'm
> following 'best practice' really. Is there anything in particular that you
> would recommend I implement in such a setup? For instance, can I support
> AUTH only on secure connections? This is now my primary mx server so
> obviously I need to support plain connections for receiving email.

I'd say it depends on the password checking schemes you support.  I
would not allow PLAIN or LOGIN auth on a plaintext connection; however, I
would allow CRAM-MD5 or DIGEST-MD5 since the password is not accessible.
However that has issues relating to how you store passwords on the
machine, and the username is still visible.

Personally I do enforce TLS for AUTH (or specifically I do not advertise
AUTH unless TLS is in effect).  

Additionally, as policy, client connections do not go to port 25 - instead
they go to the MSA port (587) - which requires both TLS and AUTH.  This
has the advantage of not being filtered by locations which (quite
sensibly) block outgoing SMTP from random machines - for example many
University campuses are set up like this.

Can't comment on qmail - never used it.

	Nigel.

-- 
[ Nigel Metheringham           Nigel.Metheringham at InTechnology.co.uk ]
[ - Comments in this message are my own and not ITO opinion/policy - ]
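
The policy described in the message above can be checked against a server's EHLO replies. The following is an added example, not part of the original post and not qmail or vpopmail code; the host name, sample replies and function names are constructed for illustration.

```python
from typing import Optional

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is recoverable from the wire

def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:   # line 0 is the server greeting
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not an EHLO reply line: {line!r}")
        body = line[4:]
        if body.upper().startswith("AUTH="):      # tolerate legacy "AUTH=LOGIN PLAIN"
            body = "AUTH " + body[5:]
        words = body.split()
        if words:
            caps.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return caps

def audit(port: int, before_tls: str, after_tls: Optional[str] = None) -> list:
    """Return (level, message) findings for one listener.

    before_tls: EHLO reply seen on the plaintext connection.
    after_tls:  EHLO reply seen after STARTTLS completed, if it was attempted.
    """
    findings = []
    pre = parse_ehlo(before_tls)
    mechs = set(pre.get("AUTH", []))
    if mechs & CLEARTEXT_MECHS:
        findings.append(("fail", "PLAIN/LOGIN advertised before TLS"))
    elif mechs:
        # Acceptable under the lenient view in the message, not under the strict one.
        findings.append(("warn", "challenge-response AUTH before TLS: username still visible"))
    if port == 587:                               # MSA port: TLS and AUTH both required
        if "STARTTLS" not in pre:
            findings.append(("fail", "submission port does not offer STARTTLS"))
        elif after_tls is None or "AUTH" not in parse_ehlo(after_tls):
            findings.append(("fail", "submission port does not offer AUTH after TLS"))
    return findings

# Constructed sample replies (not captured from a real server).
WEAK_25 = "250-mx.example.org\n250-PIPELINING\n250-AUTH LOGIN PLAIN CRAM-MD5\n250 8BITMIME"
CRAM_ONLY_25 = "250-mx.example.org\n250-STARTTLS\n250 AUTH CRAM-MD5 DIGEST-MD5"
STRICT_587_PRE = "250-mx.example.org\n250-PIPELINING\n250 STARTTLS"
STRICT_587_POST = "250-mx.example.org\n250-PIPELINING\n250 AUTH PLAIN LOGIN"

if __name__ == "__main__":
    for name, args in [("weak 25", (25, WEAK_25)), ("cram-only 25", (25, CRAM_ONLY_25)),
                       ("strict 587", (587, STRICT_587_PRE, STRICT_587_POST))]:
        print(name, audit(*args) or "ok")
```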
