Forcing smtp auth

Richard G

Verified User
Joined
Jul 6, 2008
Messages
12,569
Location
Maastricht
I can only find an article from 2009 so I would like to ask, since now I also got spamblocker and pigeonhole etc. running.

It seems pop-b4smtp is something which get's more and more advised to be disabled and use smtp auth instead. However it's still enabled by default on Directadmin installations.

So now I have the following questions:
1.) Is smtp auth indeed safer then pop-b4smtp or doesn't it make much difference?
2.) How do I disable pop-b4smtp on my server and force smtp auth
3.) Is there anything on the client side which needs to be changed to make use of smtp auth, like in Outlook or Thunderbird and if yes, what needs to be changed?
4.) Does the change on the server (force smtp auth) has any influence on spamblocker or pigeonhole settings or does anything needs to be changed there?
 
1. Yes because it forces the user to send an auth header before antthing goes out. Pop-b4smtp just whitelists your ip for a time, which could open spam from other people on the same ip.
2. http://help.directadmin.com/item.php?id=467
3. Yes most of the time you have to set a setting like "my smtp server requires authentication". This would be their email login and password.
4. I doubt it cause usually localhost email is whitelisted.
 
Thank you Scsi.

1.) Hmmz... it's not that easy to use the same ip, you must be a good spoofer and know that the specific ip used is open in the whitelist for that time. So smtp-auth is more secure, but it's hard to abuse.
2.) Oh that's easier then I thought.
3.) Isn't that also the case for pop-b4smtp? Like you have to use the same setting and then click "use the same setup as for my incoming mail" or something like that. Or do you mean something else?
4.) OK.

So I'm only still wondering about 3.
If it should be like this picture (click), then it's the same as with pop-b4smtp and customers don't have to change their settings, correct?
 
Yeah that box should be checked so it sends the auth headers to the mail server.
 
Oke so in fact the users don't need to change their settings then.

Thank you scsi!
 
Last edited:
One more addition, if you don't use SMTP auth your connections and emails might be rejected by exim. Check /etc/exim.conf for

Code:
authenticated = *

and

Code:
!authenticated = *

For example bad HELO might be a reason of why your server does not accept emails for delivery from your users. To bypass it we usually advise to use SMTP auth and 587 port.
 
I'm making use spamblocker 4.3.0 alpha 3 at the moment and got a lot of those authenticated = * pieces in there.
I also got one with !authenticated = *.

At this moment I still use Dovecot and pop-b4smtp.

I don't understand correctly what you mean which needs to be changed zEItEr. And when. :)
 
I don't say to change anything in exim.conf.

Your users might have issues while sending emails through exim from their PC if they don't use Auth SMTP with errors:

Bad HELO - Host impersonating hostname
HELO is an IP address (See RFC2821 4.1.3)
HELO should be a FQDN or address literal (See RFC 2821 4.1.1.1)
etc...



I've posted two lines so that you could see exim.conf and find ACLs where exim allow authenticated users to bypass filtering. A relayed user is not equivalent of authenticated user.


If your users do not get mentioned errors when sending emails from OutLook, Windows Mail, TheBat, etc... then you can ignore my post and keep using pop-b4smtp.
 
Ah oke now I understand better, thank you for the clarification. No they don't get those kind of errors.

However, we did have had some issues with MAC users which used the older MacMail (or how is dat mac email program called), which got into the firewall due to authentication errors. This issue did not occur on OS X with the newer mail program for Mac.
This is also caused because at leased the old system tried several authentication possibility's at the same time, which is something firewall's don't like.

We did not af any bad helo stuff as far as I know, at least not from our customers, only from spammers and that's a good thing.
 
Back
Top