winger
Verified User
Hi,
How can i set exim to ask user authentication in outgoing messages?
How can i set exim to ask user authentication in outgoing messages?
Server outgoing authentication
- Thread starter winger
- Start date
nobaloney
NoBaloney Internet Svcs - In Memoriam †
There are two sources for outgoing email.
The first source is mail that originates from the server. For example, mail created by a cron job, or by a form-to-email script.
I don't know of any way to require authorization for these emails; presumably anyone who can access the server through an account (even http access the server through an account) can send email through the server.
The second source is email that originates elsewhere but is relayed off the server, for example when you set your desktop system to use a domain on your server for outgoing email.
That second source is already blocked from unauthenticated users; users authenticate either by popb4smtp or by SMTP AUTH.
Jeff
The first source is mail that originates from the server. For example, mail created by a cron job, or by a form-to-email script.
I don't know of any way to require authorization for these emails; presumably anyone who can access the server through an account (even http access the server through an account) can send email through the server.
The second source is email that originates elsewhere but is relayed off the server, for example when you set your desktop system to use a domain on your server for outgoing email.
That second source is already blocked from unauthenticated users; users authenticate either by popb4smtp or by SMTP AUTH.
Jeff
sitestreet
Verified User
- Joined
- Jan 19, 2005
- Messages
- 40
I seem to be able to send emails from my local PC using the server's SMTP server without sending login information. You said it's blocked by default but it's not looking that way on mine.
Where should I check the settings?
Many thanks
Jon
Where should I check the settings?
Many thanks
Jon
nobaloney
NoBaloney Internet Svcs - In Memoriam †
Are you receiving emails from the server?
If so, then that's how you're authenticating.
Jeff
If so, then that's how you're authenticating.
Jeff
BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 296
As you can tell I don't get around the threads as much as I should but an answer to this gent is better late than never. What he is wanting is to use the outgoing server requires authentication.
In /etc/exim.conf
Replace:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
With:
hostlist relay_hosts = 127.0.0.1
That should disallow the popb4smtp and require full authentication with the server.
I don't blame you... I don't like popb4smtp either. Makes me nervous especially with all of the big spam friendly ISPs around like SBC, Cox, Comcast all running DHCP. One minute your customer has the IP and the next minute some spammer does and you get black listed for it.
Big Wil
In /etc/exim.conf
Replace:
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
With:
hostlist relay_hosts = 127.0.0.1
That should disallow the popb4smtp and require full authentication with the server.
I don't blame you... I don't like popb4smtp either. Makes me nervous especially with all of the big spam friendly ISPs around like SBC, Cox, Comcast all running DHCP. One minute your customer has the IP and the next minute some spammer does and you get black listed for it.
Big Wil
sitestreet
Verified User
- Joined
- Jan 19, 2005
- Messages
- 40
Hi BigWil
Fantastic! You're absolutely right, better late than never. It worked a treat. Most hosts require SMTP authentication so I don't think I'm over cautious and completely agree with you about spammers.
I've tried sending without authenticating and it rejects it. Put in a mailbox username/password combination and it works perfectly.
Thank you once again. It's very much appreciated.
All the best
Jon.
Fantastic! You're absolutely right, better late than never. It worked a treat. Most hosts require SMTP authentication so I don't think I'm over cautious and completely agree with you about spammers.
I've tried sending without authenticating and it rejects it. Put in a mailbox username/password combination and it works perfectly.
Thank you once again. It's very much appreciated.
All the best
Jon.
BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 296
Sounds like we may think a bit alike so here comes another treat. Avoid the port 25 blocking implemented by alot of the big ISPs these days with this. It is on other threads but in case you missed it:
Find
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
Replace with
daemon_smtp_port = 25 : 26
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
Then you can fix those troublesome support calls when people can't send emails using port 25. Change it to 26 and you are good to go.
Of course that is an old trick. Now some ISPs are blocking the envelope if the From: or Reply-To: doesn't have their domain in it. They are doing this with a wide span of ports it seems. I think this means they are filtering every packet. But the jury is still out on that one. I need to get somebody on the inside to spill the beans.
Big Wil
Find
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
Replace with
daemon_smtp_port = 25 : 26
acl_smtp_rcpt = check_recipient
acl_smtp_data = check_message
Then you can fix those troublesome support calls when people can't send emails using port 25. Change it to 26 and you are good to go.
Of course that is an old trick. Now some ISPs are blocking the envelope if the From: or Reply-To: doesn't have their domain in it. They are doing this with a wide span of ports it seems. I think this means they are filtering every packet. But the jury is still out on that one. I need to get somebody on the inside to spill the beans.
Big Wil
sitestreet
Verified User
- Joined
- Jan 19, 2005
- Messages
- 40
Hi again Big Wil
Thanks for that. Will port 25 continue to work with this trick? I'm hoping it just adds port 26 so both work so I don't have to tell everyone to adjust their email settings.
If I'm right, I'll implement that too.
Thanks again, you're a star.
Just in case you know this one, is there any way at all that people can access the DA control panel just using port 80 as a lot of corporate firewalls are blocking access to port 2222. I'm sure this has been asked before by many but thought I'd run it by you. Maybe some kind of forwarding type thing where they go to a standard web page and the server forwards it to port 2222? Bad idea?
I've had a few customers complain that they can't get into the control panel as a result.
Many thanks again,
Jon
Thanks for that. Will port 25 continue to work with this trick? I'm hoping it just adds port 26 so both work so I don't have to tell everyone to adjust their email settings.
If I'm right, I'll implement that too.
Thanks again, you're a star.
Just in case you know this one, is there any way at all that people can access the DA control panel just using port 80 as a lot of corporate firewalls are blocking access to port 2222. I'm sure this has been asked before by many but thought I'd run it by you. Maybe some kind of forwarding type thing where they go to a standard web page and the server forwards it to port 2222? Bad idea?
I've had a few customers complain that they can't get into the control panel as a result.
Many thanks again,
Jon
BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 296
Boy I am going to walk out of this one a star. Change port 2222 in the directadmin.conf file to port 8080. Alot of the gui firewalls around still have support for 8080 by default.
DA was built with the reseller in mind and has a broad span of possibilities and security as well. I am pretty sure that putting DA on port 80 will conflict with the customers websites, slow the processes from the conflicts if not worse, loosen security and all around be a bad idea. I would keep it off of 80 and for security sake keep it on a high port away from alot of port scanners.
You might want to try 8080 though. And most admins will open up 8080 if the corporate user asks them to nicely.
Big Wil
DA was built with the reseller in mind and has a broad span of possibilities and security as well. I am pretty sure that putting DA on port 80 will conflict with the customers websites, slow the processes from the conflicts if not worse, loosen security and all around be a bad idea. I would keep it off of 80 and for security sake keep it on a high port away from alot of port scanners.
You might want to try 8080 though. And most admins will open up 8080 if the corporate user asks them to nicely.
Big Wil
sitestreet
Verified User
- Joined
- Jan 19, 2005
- Messages
- 40
Woah, I think you will be a star. I'll give that a go. It does beg one question though.... can port 2222 be used too as everyone is using that at the moment!
Can I just check that your earlier solution of port 26 for SMTP would still use port 25 aswell?
Many, many thanks.
Jon
Can I just check that your earlier solution of port 26 for SMTP would still use port 25 aswell?
Many, many thanks.
Jon
BigWil
Verified User
- Joined
- Aug 5, 2004
- Messages
- 296
No I think Direct Admin only uses one port. Just the way it was built I suppose.
Forgot to answer your earlier question didn't I. Yes the 25 : 26 means in essence to open up ports 25 thru 26. So don't use anything higher or you will have a bunch of ports open.
A more straight forward answer, yes they can use either 25 or 26 to connect to.
Big Wil
Forgot to answer your earlier question didn't I. Yes the 25 : 26 means in essence to open up ports 25 thru 26. So don't use anything higher or you will have a bunch of ports open.
A more straight forward answer, yes they can use either 25 or 26 to connect to.
Big Wil
sitestreet
Verified User
- Joined
- Jan 19, 2005
- Messages
- 40
Thanks again. I figured it was probably a choice of port as the networking issues probably mean that duplicating is just not possible.
I'll give some thought about moving the port for DA. If the DA team are reading this, are there any issues I should be aware of before changing the port from 2222 to 8080?
Many thanks again for your extremely helpful posts.
All the best
Jon
I'll give some thought about moving the port for DA. If the DA team are reading this, are there any issues I should be aware of before changing the port from 2222 to 8080?
Many thanks again for your extremely helpful posts.
All the best
Jon
nobaloney
NoBaloney Internet Svcs - In Memoriam †
I'm posting to verify a few things and make a suggestion:
While I recommend 2222 as the official DA submission address, since it's the one documented by DA, you can certainly change to any unused port that's unblocked, but the key is it needs to be unblocked by all your users' ISPs. So as Big Wil writes, 8080 is a good alternative port, since you can only have one.
And I wanted to clarify, that, as Big Wil also wrote, you cannot set DirectAdmin to use port 80 because only one daemon can listen to a port at a time, and the httpd daemon (apache) needs to list on port 80.
I also suggest that if you're going to use an alternate port for email you should use the port set aside in the RFCs specifically for authenticated email submission, as all ISPs should allow it:
Port 587 is reserved for authenticted email message submission; any ISP that disallows it is in violation of the RFCs.
Jeff
While I recommend 2222 as the official DA submission address, since it's the one documented by DA, you can certainly change to any unused port that's unblocked, but the key is it needs to be unblocked by all your users' ISPs. So as Big Wil writes, 8080 is a good alternative port, since you can only have one.
And I wanted to clarify, that, as Big Wil also wrote, you cannot set DirectAdmin to use port 80 because only one daemon can listen to a port at a time, and the httpd daemon (apache) needs to list on port 80.
I also suggest that if you're going to use an alternate port for email you should use the port set aside in the RFCs specifically for authenticated email submission, as all ISPs should allow it:
Port 587 is reserved for authenticted email message submission; any ISP that disallows it is in violation of the RFCs.
Jeff
toml
Verified User
BigWil you should use
daemon_smtp_port: 25 : 587
this does not open all ports between 25 and 587, it is a list of ports not a range of ports. I use this on my servers and if it were to open all those ports, then my web server (port 80), imap (port 143), pop3 (port 110) and any other service between those ports would not work.
daemon_smtp_port: 25 : 587
this does not open all ports between 25 and 587, it is a list of ports not a range of ports. I use this on my servers and if it were to open all those ports, then my web server (port 80), imap (port 143), pop3 (port 110) and any other service between those ports would not work.
toml
Verified User
Actually Jeff (jlasman) was correct in that thread. He said it would only open those two ports.
toml
Verified User
If I had to guess I would say
Of course, you shouldn't need more than two ports. The standard one (25) and some other that is not commonly blocked.
Code:
daemon_smtp_port 24 : 25 : 26