smtp authorization

condorman

Sorry. I can send email from my dedicated host with DirectAdmin and Exim whichever mail.
Instead I want that the user can send an email only with SMTP authorization, with the user and password that I write in the DirectAdmin control panel for the POP account. So how can I close my open SMTP server and make an SMTP authorization for my clients?
Thank you very much!!
 
Unless you've made changes to your exim.conf file, the server is NOT an open relay. It uses POP before SMTP authentication to allow anyone who's already POPped email to be able to send email without password authentication.

You can disable that; search these forums for details.

Jeff
 
Thank you for the suggestion. I saw the other thread but I can't find the solution. Now I see that on port 587 the user must insert username and password to send email! Can I disable the standard port 25? Or make the configuration of port 587 on port 25?
I read other posts now.
Thank you for the help.
 
If you block port 25 your server won't be able to receive email from the world.

That's part of the email spec so all email servers can work together to exchange email.

I read a very interesting article, yesterday, an interview with Eric Allman, who invented Sendmail, and pretty much singlehandedly IP#-based email. He said if he could do it over he'd do it differently.

But it's really (and unfortunately) too late now.

Jeff
 
Uhm, thank you very much. I have the IP block on Hotmail, Yahoo, Gmail, etc. I think it is for the open relay, because the users of my 10 sites send at most 5 or 6 mails a day, while my reject log has 2-3 rejected emails a minute. Is there an optimized exim.conf configuration? I am looking for the best settings to protect against open relay and IP blocking before I change the public IP of my dedicated host.
:(
 
Blocking mail from hotmail, yahoo, gmail, etc., is never a good idea; it keeps a lot of people from emailing you. And those servers are responsible only for a very small amount of the spam on the 'net. Though lots of people use addresses from those domains, they're almost always forged addresses, and the mail almost never comes from those servers.

Just use the exim.conf that comes with DirectAdmin, and turn on SpamBlocker by adding the domains (in the same format you see them in the /etc/virtual/domains file) to /etc/virtual/use_rbl_domains.

Jeff
 
I want to add that POP before SMTP is not good with today's internet; I personally recommend turning it off.

Reason:
1) Customer's computer is infected with a spam zombie
2) Customer connects to POP
3) POP before SMTP opens access from the client's computer for 15 minutes
4) Zombie begins relaying email through the open relay

Now if the customer has their mail client set to check mail every 15 minutes, well, you have a constant open relay from the customer's infected computer.
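The arithmetic behind the post above, as an added example that is not part of the original post: it merges the 15-minute relay windows opened by each POP login from one client IP and reports what fraction of a day that IP can relay without a password. The polling intervals and dates are constructed inputs.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # relay window length quoted in the post above


def relay_windows(pop_logins, window=WINDOW):
    """Merge the [login, login + window] intervals opened for one client IP."""
    merged = []
    for start in sorted(pop_logins):
        end = start + window
        if merged and start <= merged[-1][1]:
            # A POP login at or before expiry extends the window already open.
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [(s, e) for s, e in merged]


def exposure(pop_logins, begin, finish, window=WINDOW):
    """Fraction of [begin, finish] during which the IP may relay unauthenticated."""
    open_time = timedelta()
    for s, e in relay_windows(pop_logins, window):
        s, e = max(s, begin), min(e, finish)
        if e > s:
            open_time += e - s
    return open_time / (finish - begin)


def polling(begin, every_minutes, finish):
    """Constructed input: a mail client checking POP at a fixed interval."""
    logins, t = [], begin
    while t < finish:
        logins.append(t)
        t += timedelta(minutes=every_minutes)
    return logins


if __name__ == "__main__":
    day0 = datetime(2006, 9, 28)
    day1 = day0 + timedelta(days=1)
    for minutes in (10, 15, 20, 60):
        share = exposure(polling(day0, minutes, day1), day0, day1)
        print(f"check mail every {minutes:>2} min -> relay open {share:.0%} of the day")
```

Any polling interval at or below the window length gives one unbroken window; longer intervals shrink the exposure but never close it.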
 
Interesting point. Now all we have to do is re-educate millions of webhosting clients all over the world.

:(

Jeff
 
Funny, it's been turned off in my setup for 2 years now. I direct clients on how to set up their email in my welcome message and the KB.

Port 465, which you don't enable in SpamBlocker, God knows why?


Configure mail client:

pop = port 995
smtp = port 465
smtp server = mail.mydomain.com
pop server = mail.mydomain.com

Turn SSL on and check my outgoing server requires authentication.




Worked like a charm... have had not one support ticket regarding it, and best yet, they are actually using SSL so no plain passwords.
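Before switching POP before SMTP off as described above, it helps to know which client IPs still send without SMTP AUTH. The following is an added example, not part of the original post: it scans Exim main-log arrival (`<=`) lines for messages accepted from a remote IP with no `A=` authenticator field and at least one non-local recipient. It assumes the `received_recipients` log selector is enabled so that recipients are logged; the log lines, addresses and the local-domain set are constructed.

```python
import re
from collections import Counter

# Constructed; on the server discussed here the list would come from /etc/virtual/domains.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample lines in Exim main-log "<=" (message arrival) format.
SAMPLE_LOG = """\
2006-09-28 10:00:01 1GSt5A-0003xK-7c <= alice@example.com H=(laptop) [203.0.113.7] P=esmtpsa X=TLSv1:AES256-SHA:256 A=login:alice@example.com S=1523 for bob@remote.example
2006-09-28 10:01:12 1GSt6B-0003xP-9d <= carol@example.com H=(pc) [198.51.100.23] P=esmtp S=2210 for dave@remote.example
2006-09-28 10:01:40 1GSt6C-0003xQ-Ab <= eve@remote.example H=mx.remote.example [192.0.2.10] P=esmtp S=901 for alice@example.com
2006-09-28 10:02:05 1GSt6D-0003xR-Bc <= x1@example.com H=(pc) [198.51.100.23] P=smtp S=3100 for v1@other.example v2@other.example
"""

# timestamp, message id, "<=", sender, then the bracketed client IP, then remaining fields
ARRIVAL = re.compile(
    r"^\S+ \S+ \S+ <= (?P<sender>\S+) .*?\[(?P<ip>[0-9a-fA-F.:]+)\] (?P<rest>.*)$"
)


def unauthenticated_relays(log_text, local_domains):
    """Count, per client IP, messages relayed to remote domains without SMTP AUTH."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue  # not a remote arrival line (deliveries, local submissions, ...)
        rest = m.group("rest")
        if re.search(r"(^| )A=\S+", rest):
            continue  # client authenticated; unaffected by turning the feature off
        _, found, rcpts = rest.partition(" for ")
        if not found:
            continue  # recipients not logged; cannot classify this message
        domains = {r.rsplit("@", 1)[-1].lower() for r in rcpts.split()}
        if domains - local_domains:
            # Relayed to the outside without a password: a client that will need
            # SMTP AUTH configured, or an infected machine worth a closer look.
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in unauthenticated_relays(SAMPLE_LOG, LOCAL_DOMAINS).most_common():
        print(f"{ip}: {count} unauthenticated relayed message(s)")
```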
 
I know why, and I'm not God (or a god).

Because I don't know anything about it. Please tell me where to find it in the RFCs, and if you know, how to properly implement it for its proper purpose in exim.conf, and I'll be happy to include it.

Alternatively, perhaps you want to write your own exim.conf file and present it to the community to use instead of the one I've written.

That's what open source is all about.

Jeff
 
Lol, sorry Jeff, was not meaning to insult, just trying to add on to your post.

The RFC has not been clear about a port for TLS/SSL. It has for years been 465, but rumours have it that the RFC is trying to push all authentication communications over 587. Well, the problem I see with that is, unless 587 can be set to allow both TLS/SSL and regular connections, there could be a problem with mail clients not capable of authenticating over TLS/SSL.

We added SSL/TLS with the following but have not yet checked into making one port do both:

tls_on_connect_ports = 465
daemon_smtp_ports = 25 : 465 : 587


Also, this must be added near the 587 code:

  # to restrict port 465 to authenticated users only
  # see also daemon_smtp_ports above
  accept  hosts = +auth_relay_hosts
          condition = ${if eq {$interface_port}{465} {yes}{no}}
          endpass
          message = relay not permitted, authentication required
          authenticated = *
 
It was my understanding that most spam zombies set up their own SMTP servers within the infected machine and start sending out mail directly to other mail servers. Unless the host's server hosts a domain that the zombie is trying to mail to, the host's server would not be affected. That is why many ISPs started blocking port 25 to other servers but their own. I know that in the last 10 years we have not had one customer who had a spam zombie that affected us in any way.
 
Actually, there are many articles that can be read and reports from places like Spamhaus of how the spammers are fighting back against port 25 being blocked and RBL lists by using ISP mail servers... well, this is accomplished by sending mail out along with popb4smtp or hijacking your Outlook password.
 
The reason port 25 is blocked by ISPs is specifically so that all outgoing email will go through their mailservers. That way they can identify whose machine is hijacked, and take direct action to block all outgoing email from that subscriber until the problem is fixed.

Reputable ISPs should welcome this; it helps them track and block sources of spam originating from their network.

Jeff
 
Also, to promote the movement of authentication over port 587, I believe that TLS should also be a requirement of 587, but at this point in time it is up to the end user, especially since not all webmail clients yet support TLS.

Port 25 should be used for delivery purposes only according to many documents I have read; this will help slow down spam.
 