Re: Where to RTFM on AUTH and TLS?
- From: Rich Graves <rcgraves@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 28 Jun 2005 12:43:58 +0000 (UTC)
In article <pan.2005.06.27.23.25.51.784178@xxxxxxxxxxxx>, Michael Jinks wrote:
> I'm trying to set up something that I thought would be relatively
> commonplace, but I'm having a hard time tracking down answers to my
> questions, so I suspect that I'm looking in the wrong places.
cf/README and op.txt
You want something like server features: V.
> We'd like to leave things as they are for traffic from our network -- all
> hosts on our class B can still relay -- but replace the off-campus DRAC
> setup with SMTP-AUTH. Due to limitations in our LDAP servers, we can't
> support digest-MD5 or CRAM-MD5 mechanisms; only plain, backed by saslauthd
> checking a shadow file via PAM. So, we need to guarantee that login
> information is only passed to the relays after TLS negotiation takes
> place.
If you have a lot of Eudora 5.1+ clients, you will also find that
the default configuration is to use STARTTLS and AUTH "if
available." But if the client is incompletely configured and the
server suddenly starts offering STARTTLS and AUTH, the client
connection will break without warning. Other clients may have
similar issues. So, what we did is add IP aliases on our relays,
and offer STARTTLS and AUTH only on the new mail.brandeis.edu
vhost, not the old smtp.unet.brandeis.edu vhost. AUTH is always
required on ports 465 and 587 (MacOS X Mail and possibly other
clients will return an error if they are configured to support
AUTH but the server doesn't require AUTH) and is advertised on
port 25 iff relaying wouldn't otherwise be allowed.
LOCAL_SRV_FEATURES
dnl ####################################################################
dnl # Don't offer SMTP AUTH if relay would be allowed anyway
dnl # Only offer STARTTLS for vhosts listed in /etc/mail/tls-servers
R$*	$: $1 $| $&{daemon_port} $| $&{if_name} $| $>"Relay_ok" $1
R$* $| 587 $| $={TLSServers} $| $*	$# V
R$* $| 465 $| $={TLSServers} $| $*	$# V
R$* $| $* $| $={TLSServers} $| RELAY	$# A V
R$* $| $* $| $={TLSServers} $| $*	$# V
R$* $| $* $| $* $| RELAY	$# A S
R$* $| $* $| $* $| $*	$# A S
R$* $| $* $| $* $| $*	$: $1
And we have something like this so that /var/log/maillog
notes a different daemon depending on the connecting port.
divert(0)
VERSIONID(`listeners.m4 includes for alba 2005-05-15')
divert(-1)
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1,Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=129.64.99.163,Name=MTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=129.64.99.164,Name=MAILMTA')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=129.64.99.3,Name=SMTPMTA')dnl
DAEMON_OPTIONS(`Port=587,Addr=129.64.99.164,Name=MSA, M=E')dnl
DAEMON_OPTIONS(`Port=smtps,Addr=129.64.99.164,Name=SSLMTA, M=s')dnl
User and admin doco at
http://web.brandeis.edu/pages/view/Email/MailAuth
http://web.brandeis.edu/pages/view/Email/EmailArchitecture
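As an added check (my own example, not code from this post or from sendmail), the Python below audits a listener's EHLO replies against the policy described above: cleartext mechanisms must not be offered before STARTTLS, port 25 must not offer AUTH to hosts that may already relay, and the submission ports must offer AUTH inside TLS. The sample replies are constructed, and the host names in them are placeholders; sendmail only withholds PLAIN and LOGIN before STARTTLS when AuthOptions includes `p`, which the snippets above do not show, so the observable behaviour is worth verifying on the live relay.

```python
import re
from typing import Dict, List, Optional

# AUTH mechanisms that hand the password to anyone who can read the session
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a raw EHLO reply into {EXTENSION: [parameters]}.

    The first 250 line carries the server name and greeting, not an extension.
    """
    lines = [ln for ln in reply.splitlines() if re.match(r"250[ -]", ln)]
    feats: Dict[str, List[str]] = {}
    for line in lines[1:]:
        parts = line[4:].split()
        if parts:
            feats[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return feats


def audit_listener(port: int, relay_allowed: bool,
                   ehlo_plain: str, ehlo_tls: Optional[str]) -> List[str]:
    """Compare what a listener advertises with the policy from the post.

    ehlo_plain: EHLO reply before STARTTLS ("" on port 465, where TLS is implicit)
    ehlo_tls:   EHLO reply after STARTTLS, or None if STARTTLS was not used
    """
    findings: List[str] = []
    before = parse_ehlo(ehlo_plain)
    after = parse_ehlo(ehlo_tls) if ehlo_tls is not None else {}
    clear = CLEARTEXT_MECHS & set(before.get("AUTH", []))
    if clear:  # the failure the post wants to rule out: password readable on the wire
        findings.append(f"port {port}: {' '.join(sorted(clear))} offered before STARTTLS")
    if port == 25 and relay_allowed and ("AUTH" in before or "AUTH" in after):
        findings.append("port 25: AUTH offered although relay is already allowed")
    if port in (587, 465) and "AUTH" not in after:
        findings.append(f"port {port}: AUTH not offered inside TLS")
    if port == 587 and "STARTTLS" not in before:
        findings.append("port 587: STARTTLS not offered")
    return findings


# Constructed sample replies (placeholder host names, not captured from the post's relays)
GREETING = "250-mail.example.edu Hello client.example.edu [192.0.2.10], pleased to meet you\r\n"
EHLO_PLAIN_OK = GREETING + "250-ENHANCEDSTATUSCODES\r\n250-STARTTLS\r\n250 HELP\r\n"
EHLO_TLS_OK = GREETING + "250-ENHANCEDSTATUSCODES\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
EHLO_PLAIN_BAD = GREETING + "250-AUTH PLAIN LOGIN\r\n250-STARTTLS\r\n250 HELP\r\n"

if __name__ == "__main__":
    print("off-campus client, port 25:", audit_listener(25, False, EHLO_PLAIN_OK, EHLO_TLS_OK) or "OK")
    print("misconfigured port 25:", audit_listener(25, False, EHLO_PLAIN_BAD, EHLO_TLS_OK) or "OK")
```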