Max Pyziur
2011-Jun-25 21:50 UTC
[CentOS] sendmail - smtp security/authentication & port 587 issues
Greetings,

I'm refining a CentOS configuration installation, now just over one month old running on a colocated production server. Previously, we ran a version of Fedora for over seven years.

Specifically, I'm reviewing our sendmail configuration, both with respect to authentication and port usage.

Previously, we had the following line in the sendmail.mc line:

    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

To authenticate, users would first have to POP their mail.

A klunky script would scan appropriate log files and copy relevant IP addresses to the /etc/mail/access file that would be regenerated every 5 minutes via cron.

Once the IP address was in the /etc/mail/access.db a user could be authenticated and be allowed to send email using the machine as smtp.

Is there a better way of doing this?

Port 587 issues:
Verizon DSL filters out requests on port 25 to smtp servers not belonging to verizon.net. An alternative is to use port 587 for smtp purposes.

Are there any views in this CentOS user community on this?

Much thanks.

Max Pyziur
pyz at brama.com
Alexander Dalloz
2011-Jun-25 22:07 UTC
[CentOS] sendmail - smtp security/authentication & port 587 issues
On 25.06.2011 23:50, Max Pyziur wrote:
>
> Greetings,
>
> I'm refining a CentOS configuration installation, now just over one month
> old running on a colocated production server. Previously, we ran a version
> of Fedora for over seven years.
>
> Specifically, I'm reviewing our sendmail configuration, both with respect
> to authentication and port usage.
>
> Previously, we had the following line in the sendmail.mc line:
> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

Though defined, you seem not to have made use of it; no SMTP AUTH in your description of the previous setup.

> To authenticate, users would first have to POP their mail.
>
> A klunky script would scan appropriate log files and copy relevant IP
> addresses to the /etc/mail/access file that would be regenerated every
> 5 minutes via cron.
>
> Once the IP address was in the /etc/mail/access.db a user could be
> authenticated and be allowed to send email using the machine as smtp.

That sounds like a poor version of POP-before-SMTP. Which mechanism deletes the IP from the access_db? By no means was SMTP AUTH used, just plain relay permission based on the access_db.

> Is there a better way of doing this?

Definitely.

> Port 587 issues:
> Verizon DSL filters out requests on port 25 to smtp servers not belonging
> to verizon.net. An alternative is to use port 587 for smtp purposes.
>
> Are there any views in this CentOS user community on this?

Yes, configure SMTP AUTH and offer the submission service to the users. Everything is prepared and documented within the sendmail.mc CentOS ships with. You just have to think about which backend SASL shall use to verify auth credentials.

> Much thanks.
>
> Max Pyziur
> pyz at brama.com

Alexander
Devin Reade
2011-Jun-26 16:37 UTC
[CentOS] sendmail - smtp security/authentication & port 587 issues
Max Pyziur <pyz at brama.com> wrote:

> Are there any views in this CentOS user community on [using port 587]?

Yes. Not only is enabling 'submission' a good idea, but you should also enable 'smtps' (which is different from smtp+tls):

    DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
    DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
    DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

> To authenticate, users would first have to POP their mail.
>
> Is there a better way of doing this?

As others have said, yes. Details:

Have the users do authentication over smtp+tls, submission, or smtps (you should enable all three and let the users pick as the optimal solution varies with email client).

To do this safely, you *must* ensure that you only permit someone to authenticate if they're on an encrypted session.

    define(`confAUTH_OPTIONS', `A,p,y')dnl
    TRUST_AUTH_MECH(`EXTERNAL LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
    define(`confTLS_SRV_OPTIONS', `V')dnl
    FEATURE(`no_default_msa', `dnl')dnl
    FEATURE(`smrsh', `/usr/sbin/smrsh')dnl

You need to set up saslauthd to support it. I use saslauthd to query ldap. My systems also use cyrus imapd as the MDA, although you could use other MDAs.

Remember to set up SSL (confCACERT_PATH, confCACERT, confSERVER_CERT, confSERVER_KEY).

Devin
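An added example, not part of the original thread or of sendmail itself: a small audit of a sendmail.mc that flags the settings this reply warns about (PLAIN/LOGIN allowed without the `p` AUTH option, no server certificate and key, a submission port that does not require AUTH). The function names, the two sample configurations and the certificate paths are constructed for illustration.

```python
import re

DEFINE_RE = re.compile(r"define\(`(\w+)',\s*`([^']*)'\)")
DAEMON_RE = re.compile(r"DAEMON_OPTIONS\(`([^']*)'\)")

# Constructed sample: the first post's mechanism line, AUTH options still commented out.
WEAK = """\
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_OPTIONS', `A p')dnl
DAEMON_OPTIONS(`Port=submission, Name=MSA')dnl
"""
# Constructed sample: settings from the reply above; certificate paths are placeholders.
HARDENED = """\
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
define(`confAUTH_OPTIONS', `A,p,y')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL LOGIN PLAIN')dnl
define(`confSERVER_CERT', `/path/to/server-cert.pem')dnl
define(`confSERVER_KEY', `/path/to/server-key.pem')dnl
"""

def parse_mc(text):
    """Collect define() values and DAEMON_OPTIONS from active (non-dnl) lines."""
    defines, daemons = {}, []
    for line in text.splitlines():
        if line.lstrip().startswith("dnl"):  # commented-out m4 line
            continue
        defines.update(DEFINE_RE.findall(line))
        for opts in DAEMON_RE.findall(line):
            pairs = (kv.split("=", 1) for kv in opts.split(",") if "=" in kv)
            daemons.append({k.strip(): v.strip() for k, v in pairs})
    return defines, daemons

def audit(text):
    """Return findings where AUTH could be used without TLS or skipped entirely."""
    defines, daemons = parse_mc(text)
    findings = []
    mechs = set(defines.get("confAUTH_MECHANISMS", "").split())
    opts = set(re.split(r"[\s,]+", defines.get("confAUTH_OPTIONS", "")))
    if mechs & {"PLAIN", "LOGIN"} and "p" not in opts:
        findings.append("PLAIN/LOGIN permitted without TLS: no 'p' in confAUTH_OPTIONS")
    if mechs and not {"confSERVER_CERT", "confSERVER_KEY"} <= defines.keys():
        findings.append("AUTH mechanisms set but no confSERVER_CERT/confSERVER_KEY defined")
    for d in daemons:
        if d.get("Port") in ("submission", "587") and "a" not in d.get("M", ""):
            findings.append("submission port does not require AUTH: M= lacks 'a'")
    return findings
if __name__ == "__main__":
    print("weak:", audit(WEAK), "\nhardened:", audit(HARDENED))
```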