Postfix Archives: RE: Open-Relay

Subject: RE: Open-Relay
From: Alex Miller (postfixbannerclub.com)
Date: Sun Jan 02 2000 - 21:52:54 CST


Thanks everyone for the responses so far.

>Such a gold mine may eventually exist, but for now, the postfix-users
>list is the best resource. I keep adding new stuff to the FAQ as
>it is posted.

I guess the issue is separated between how to set up "Relaying
mail for mobile users" as per the FAQ, and choosing among the
variety of security packages available; Radius and SASL seem to be
mentioned quite favorably.

From the FAQ:
The most preferable way is to have users submit mail via some authenticated
protocol instead of plain old SMTP.

The next best way is to use plain old SMTP and to authenticate the user
first, for example, with a "please login via POP before using SMTP" scheme.
In that case,
some non-Postfix software such as DRAC maintains a Postfix-compatible access
table with client IP address information:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks
            check_client_access hash:/etc/postfix/client_access
            check_relay_domains

    /etc/postfix/client_access:
        4.3.2.1 OK
        5.4.3.2 987654321

------------------------
Ok, so the preferable way is the authenticated protocol, but getting from
here to there is a big question from having read the thread you provided.
But the reason that it is preferable is its lack of vulnerability to
sniffers. I want that.

In the meanwhile (meaning while I become smart enough to figure out the
plethora of solutions of the preferable way),

So that leaves questions for the "next best way":

How does DRAC interact with postfix? Is it the check_relay_domains
parameter?
The DRAC documentation tells how to modify the source of qpopper; is there
a need to recompile postfix or get a new rpm?

What are the 987654321 numbers supposed to be?
What is the 4.3.2.1 OK supposed to be? Is that unrelated to relaying
mail to mobile users, in that it's a particular ok ip address?

If I simply follow the installation procedure for Linux, ignoring the
steps to modify my pop daemon, and make the above settings (assuming
I know what 987654321 is supposed to be)

Alex

> -----Original Message-----
> From: owner-postfix-userspostfix.org
> [mailto:owner-postfix-userspostfix.org]On Behalf Of Wietse Venema
> Sent: Sunday, January 02, 2000 8:13 PM
> To: Postfix users
> Cc: postfix-userspostfix.org
> Subject: Re: Open-Relay
>
>
> Alex Miller:
> > I would like to create the following ideal situation,
> > but I'm not sure what the best solution is, or if there
> > is one at all.
> >
> > I would like to allow my clients to be given a pop/smtp/imap
> > account and be able to get and send email using a variety
> > of mailers and web-based access, however, I don't want to be
> > an open-relay.
> >
> > So, that leaves several questions.
> >
> > Is there an encrypted method to log into pop, smtp, and
> > imap so that villains with packet sniffers can't
> > borrow legitimate users passwords? Can mail software
> > use them?
>
> See below for a write-up from the linux-security mailing list.
>
> > Is there solutions postfix website for us folks who would be
> > perfectly happy to provide free service to the world
> > if it weren't for the spammers who've spoiled it for
> > us all.
>
> Such a gold mine may eventually exist, but for now, the postfix-users
> list is the best resource. I keep adding new stuff to the FAQ as
> it is posted.
>
> Wietse
>
> Return-Path: <linux-security-requestredhat.com>
> Delivered-To: wietseporcupine.org
> Received: from lists.redhat.com (lists.redhat.com [199.183.24.247])
> by spike.porcupine.org (Postfix) with SMTP id 1A7F145AFB
> for <wietsespike.porcupine.org>; Tue, 14 Dec 1999 04:48:05
> -0500 (EST)
> Received: (qmail 18139 invoked by uid 501); 14 Dec 1999 09:39:53 -0000
> Resent-Date: 14 Dec 1999 09:39:53 -0000
> Resent-Cc: recipient list not shown: ;
> MBOX-Line: From linux-security-requestredhat.com Tue Dec 14
> 04:39:52 1999
> X-Authentication-Warning: baker.compeng.net: mail set sender to
> <Blair.Lowecompeng.net> using -f
> Mime-Version: 1.0
> X-Sender: blair.lowemail.pleasantview.compeng.net (Unverified)
> Message-Id: <v04220800b47ae8c81191[192.168.122.85]>
> Date: Mon, 13 Dec 1999 12:07:03 -0700
> To: linux-securityredhat.com
> From: Blair Lowe <Blair.Lowecompeng.net>
> Cc: "Tony Annese" <tonywhidbey.net>,
> "Beattie, Jay" <JBeattieaccdir.com>
> Content-Type: text/plain; charset="us-ascii" ; format="flowed"
> Resent-Message-ID: <"7RaWq3.0.8Q4.e1XLu"lists.redhat.com>
> Resent-From: linux-securityredhat.com
> X-Mailing-List: <linux-securityredhat.com> archive/latest/68
> X-Loop: linux-securityredhat.com
> Precedence: list
> Resent-Sender: linux-security-requestredhat.com
> Subject: [linux-security] SUMMARY: IMAP security across the net
>
> Since the number of responses to my query was large, Roger has asked
> me to summarise the information.
>
> The summary is listed below
>
> Thanks to all the people who bothered to help me out:
> Alan Mead <admipat.com>
> Beattie, Jay <JBeattieaccdir.com>
> Bruce Elrick <bruce.elricksaltus.ab.ca>
> Christian Hammers <chlathspell.westend.com>
> David J. M. Karlsen <davidkvarteret.uib.no>
> Dean Thompson <Dean.Thompsoncsse.monash.edu.au>
> Ed Padin <epadinwagweb.com>
> Eugene Kanter <eugeneblackcatlinux.com>
> Florian Helbing <florommel.stw.uni-erlangen.de>
> Graham Mainwaring <grahammhn.org>
> Horms <hormsvergenet.net>
> Iain Wade <iwadeoptusnet.com.au>
> JP Vossen <vossenjpnetaxs.com>
> Jakub Skopal <jakub.skopalsorcerer.cz>
> Jamie Beverly <jamiewww.how-toresource.com>
> Kurt Seifried <listuserseifried.org>
> Matthew B. Henniges <mattaxl.net>
> Michael H. Warfield <mhwwittsend.com>
> Peter H. Lemieux <phlcyways.com>
> Petr Sulla <xsullainformatics.muni.cz>
> Ren Sauceda, Computer Systems Engineer (kvsaucedalbl.gov)
> Shawn Robinson <srobins1tps.tci.telus.com>
> Shawn Tagseth <stagsethbbm.ca>
> Stephen Peters <portnoyportnoy.org>
> Tomas Revesz <tomineogenesis.com>
> Tony Annese <tonywhidbey.net>
> alexcathy.uuworld.com
>
>
>
> Blair.
>
>
> > -----Original Message-----
> > From: Blair Lowe [mailto:Blair.Lowecompeng.net]
> > Sent: Wednesday, December 08, 1999 11:36 AM
> > To: linux-securityredhat.com
> > Subject: [linux-security] IMAP security across the net.
> >
> >
> > Hi,
> >
> > We are wondering if anyone knows the security features of IMAP.
> >
> > I know (at least I think I know;) that plain POPMAIL uses no
> > encryption on the password, and that APOP provides some encryption.
> >
> > Ideally we would like a secure system that is accessible from any
> > laptop anywhere on the net.
> >
> > Thanks,
> > Blair.
> > --
> >
>
>
> -----Summary of all other messages-----
>
> ###########################
> ANSWERS TO SECURITY QUERY
> ###########################
>
> *************
> Thread 1: imap and POP send cleartext passwords.
>
> --
> "David J. M. Karlsen" <davidkvarteret.uib.no> wrote:
> > IMAP defaults to cleartext passwords as well, try using it
> with ssh, and
> > you should be fine... Possible there's some support for mixing
> IMAP/SSL as
> > well..
>
> -
> Ren Sauceda, Computer Systems Engineer (kvsaucedalbl.gov) wrote:
> > IMAP sends everything clear text just like POP. You'd need to run it
> > over SSL to get encryption between the client and the IMAP mail store
> > server. However, client support is limited: Netscape Messenger 4.6+,
> > Outlook 98/2000, Outlook Express 5, and according to my sources.
> >
> > Personally, as a user that is, I like sshing into my mail server and
> > checking my mail with pine when I'm on the road.
>
> --
> Christian Hammers <chlathspell.westend.com> wrote:
> > uw-imap and afaik cyrus imap, too have support for CRAM-MD5 (sp?)
> > this is like APOP.
>
> Any more links to info on these products?
>
> --
> Horms <hormsvergenet.net> wrote:
> > I don't know a lot about IMAP but my understanding is that
> > you can enable capabilities, if the server and client allow
> > that will provide an encrypted session.
>
> Sounds like SSL (see below).
>
> --
> "Graham Mainwaring" <grahammhn.org>
> > IMAP also sends the plaintext password across the network.
> However, it is
> > possible to do IMAP-over-SSL (as well as POP-over-SSL) and get
> it to work
> > with at least some mail clients. You do this using a tool
> called sslwrap on
> > the server side. Alternatively, you might be able to do
> something with ssh
> > port forwarding.
>
> --
> Alan Mead <admipat.com> wrote:
> > APOP encrypts passwords but not data.
> > I'm not sure if IMAP encrypts the data; it is designed to
> offer more secure
> > email connections than POP. However I think SSL is a better
> choice; make
> > everything web-based and accessed through a secure web server. They'll
> > need a root cert from your cert authority. That probably means your
> > clients will be forced to have a recent versions of IE or Navigator.
>
> imap does not seem to be any more secure than regular pop (as I feared).
>
> --
>
>
>
>
> ###########################
> SOLUTIONS TO EMAIL SECURITY
> ###########################
>
>
> *************
> Thread 1: Eudora may not support SSL wrapper type of IMAP communications.
>
> --
> Jakub Skopal <jakub.skopalsorcerer.cz> wrote:
> >
> > Blair Lowe wrote:
> > >
> > > Where exactly is the setting for Eudora, or does it just work?
> > >
> > > Blair.
> > >
> > > Jakub Skopal <jakub.skopalsorcerer.cz> wrote:
> > > >
> > > > consider using SSL wrapper for your IMAP, it'll provide
> on-the-fly
> > > >encryption.
> > > >Most of the current mail-readers support it (on windows Microsoft
> > > >Outlook * os
> > > >well as Netscape, Eudora supports it as well, afaik, on
> linux, there's
> > > >an easy
> > > >way how to setup a wrapper so every application can access it in
> > > >ordinary way :_)
> > > >
> > > > Jakub
> > > >
> > > >--
> >
> > Don't know, but now I doublechecked at eudora's website and they say
> > they have no support for SSL... I believe, that there can be some sort
> > of wrapper made as well, don't know any :-|
> > I just knew somebody, who had been using it, but don't know how he had
> > managed to get it to work...
> >
>
> ******************
> Thread 2: sslwrap
>
> --
> Jamie Beverly <jamiewww.how-toresource.com> wrote:
> > sslwrap has some nice packages that encrypt POP, SMTP, and
> IMAP, there was
> > a post to this group a few months ago that had full
> instructions to set it
> > up and get it running, if you need a hand, drop me a line.
>
> --
> Ed Padin <epadinwagweb.com> wrote:
> > You can use SSL for IMAP as well as POP mail access. There's
> two nice SSL
> > wrappers I know of for linux machines. sslwrap and stunnel.
> They act as a
> > front end to any imap, pop or html server so that you can use the SSL
> > protocol for the service. The popular IMAP clients usually
> support IMAP over
> > SSL. This gives you a fully encrypted link where passwords and content
> > cannot be sniffed.
>
> --
> Stephen Peters <portnoyportnoy.org>
> > I think IMAP gives you the same problems.
> [ie. cleartext passwords]
> >
> > One thing you might consider is installing SSLeay and sslwrap. This
> > allows you to wrap POP, IMAP (or other protocols) under SSL, so that
> > the communication is encrypted. Many common mail clients (even
> > Netscape, MSIE, and Outlook) support the SSL connections natively.
> > I've gotten this working once -- using Netscape or Outlook to access
> > my home IMAP server over SSL.
> >
> > More information can be found in www.openssl.org, if I remember right.
>
> A note to the readers, I believe that SSLeay IS open_ssl.
>
> --
> Florian Helbing <florommel.stw.uni-erlangen.de>
> > You can use SSL-Encrypted IMAP. Netscape can connect to SSL IMAP.
> > Unfortunately I don't know of any other MUA who can.
> > On the server you just need to use the ssl-wrapper which
> encrypts the data
> > the imap-server send or receives. We use it here at the
> network I am working
> > at and it performs quite nicely.
>
> --
> > "Michael H. Warfield" <mhwwittsend.com> wrote:
> > My suggestion would be to go with SSL encrypted imap (imaps).
> > It's a well known service allocated to port 993 by IANA and can be set
> > up with an ssl wrapper like edssl, ssl-proxy, stunnel, or sslwrapper on
> > your server. Fetchmail now has SSL patches included in the source, you
> > just have to obtain OpenSSL <www.openssl.org> for the SSL libraries
> > themselves. Even Exchange, Outlook, and Netscape support SSL
> encryption
> > on either or both POP and IMAP.
>
> --
> Tomas Revesz <tomineogenesis.com> wrote:
> >
> > i'm not sure that standard imap has anything built in security-wise but
> > i'm quite happily running ssl wrapped imap on two of my redhat
> boxes and
> > it wasn't a tremendous pain to set it up. it gives you encrypted login
> > and viewing of your mail. i've tried netscape, outlook express, and
> > outlook 97/2000 as clients and they all seem to work great. you
> > basically need 3 pieces.
> >
> > an imap server (i use the uwash server that came with redhat)
> > openssl 0.9.4 http://www.openssl.org or you can find an rpm for it at
> > www.rpmfind.net pretty easily
> > and sslwrap which i got from http://www.rickk.com/sslwrap/
> >
> > i used this page as a reference and even though there are some
> > differences in the software, it gives you the basic idea of how to set
> > this up. http://www.dtcc.edu/cs/admin/notes/ssl/
> >
> > if you want more detailed info, let me know and maybe i'll finally
> > motivate myself to write up a how-to on my full setup.
>
> I am sure that the readers of this email list and anyone else would
> be tickled with a HOWTO.
>
> --
> "Kurt Seifried" <listuserseifried.org> wrote:
> >
> > Blair Lowe wrote:
> > > Yes this works for all the normal OS's such as Linux and Windows,
> > > but don't you need winstun or something for a windows
> > > implementation
> > > (which does not exist for apple clients).
> >
> > Most email clients have built in support for SSL (outlook, netscape
> > do). Simply go to security settings, secure imap.
>
> --
> "Bruce Elrick" <bruce.elricksaltus.ab.ca> wrote:
> > You could try using IMAP over SSL. Both Netscape and MS
> Outlook support
> > this. I've installed sslwrap, which negotiates the SSL layer
> and forwards
> > the connection to the loopback.
> >
> > e.g.
> > have port 993 (imaps) open with sslwrap opened through inetd:
> > /etc/inetd.conf:
> > imaps stream tcp nowait ssl /usr/sbin/tcpd
> > /usr/sbin/sslwrap -cert /var/lib/ssl/certs/server.pem -port 143
> >
> > which accomplishes
> > client using imaps (imap over ssl) --> internet -->
> > --> your server public IP port 993 -->
> > --> sslwrap (started by inetd) -->
> > --> your server loopback IP port 143 --> imapd (started by inetd)
> >
> > You can have your firewall block 143 (except on loopback if your imaps
> > server is your firewall) and let through 993 to your public IP address.
>
> Excellent!
>
> --
> Shawn Robinson <srobins1tps.tci.telus.com> wrote:
> > You can use SSL (authenticated & encrypted) with SMTP, POP, and IMAP
> > protocols. As for IMAP and POP, you may want to tunnel them to your
> > existing servers with 'stunnel'.
> > http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/
>
> --
> "Eugene Kanter" <eugeneblackcatlinux.com> wrote:
> > Use ssl proxy. Netscape communicator works just fine. I guess
> > openssl.org?
>
>
> *****************
> Thread 3: stunnel
>
> "Iain Wade" <iwadeoptusnet.com.au> wrote:
> > All major clients (Outlook, Outlook Express, Netscape Messenger)
> > support IMAP over an SSL tunnel.
> >
> > You can achieve this using the SSLeay and stunnel packages very
> > easily.
> >
> > I cannot recall where I found a nice little FAQ which described the
> > process, but I'm sure a few altavista searches will get you there.
> >
> > This is what I use and it seems ok so far.
>
> --
> "Kurt Seifried" <listuserseifried.org> also wrote:
> > ... SSL wrapping imap is easy, I cover
> > it at http://www.securityportal.com/lasg/ in the mail server section,
> > oops, I lied, I forgot to fold those changes in. Ok well go get
> > OpenSSL, compile/install it, install a server cert, then get stunnel
> > (ftp.zedz.net, in the replay directory, redhat, i386), install that
> > and ssl wrap imap:
> >
> > simap stream tcp nowait root /usr/sbin/stunnel imapd -l
> > imapd
>
> Right on. Now I know more about stunnel.
>
> --
> Shawn Tagseth <stagsethbbm.ca> wrote:
> >
> > If your clients that connect to the IMAP server are using netscape or
> > Outlook( Express), both of them support IMAPS. You can set up an
> > ssl-imap wrapper so that everything over the Internet travels IMAP-SSL,
> > hits your linux box, gets de-crypted and then redirected to IMAP on
> > localhost. I've only tested it and not rolled it out. The best part
> > about it is that you don't have to replace your IMAP daemon.
> >
> > You'll need openSSL http://www.openssl.org
> > and a wrapper (I've used sslwrap, but I've heard good things about
> > stunnel as well)
> > http://www.openssl.org/related/apps.html
> >
> > If you need to send messages you can set up the wrapper to handle SMTPS
> > as well. Although if ALL your mail is going back out to the internet
> > the overhead is wasted.
>
> --
> Petr Sulla <xsullainformatics.muni.cz> wrote:
> > You could use sslwrap or stunnel over a SSL connection, it
> works very nice
> > for me with both POP and IMAP.
> > Just search for sslwrap and stunnel at www.freshmeat.net.
> ...
> > I just came across a much better source:
> >
> > http://security.fi.infn.it/tools/stunnel/index-en.html
>
> I found stunnel hard to get, but eventually got it.
>
> *****************
> Thread 4: Outlook Express
>
> --
> alexcathy.uuworld.com wrote:
> > JP Vossen <vossenjpnetaxs.com> wrote:
> > > On Wed, 8 Dec 1999, Blair Lowe wrote:
> > >
> > > > Ideally we would like a secure (e-mail) system that is
> >accessible from any
> > > > laptop anywhere on the net.
> > >
> > > How about OWA using SSL (Outlook Web Access for Exchange 5.x (OWA
> >is free from
> > > MS)) using SSL on IIS? If you use Exchange, this is great,
> because you can
> > > get your mail from any place that has an SSL browser, WITHOUT
> >having to have
> > > any other software (e.g. VPN software, IMAP client, etc.)
> installed on the
> > > client machine. However, it is a bit tricky to install.
> >
> > Off topic.
>
> True that Outlook Web Access is probably not available for LINUX;
> someone may have a LINUX laptop that connects to an NT server.
>
> *****************
> Thread 5: Zmailer
>
> --
> Shawn Robinson <srobins1tps.tci.telus.com> also wrote:
> > For SMTP, I'd suggest a native implementation, but you could tunnel it
> > also. Zmailer (http://www.zmailer.org) is an SMTP server that recently
> > introduced SSL SMTP that supports clients such as Netscape
> Communicator,
> > and Outlook Express.
>
> ******************
> Thread 6: IMP: a web based email server
>
> --
> "Peter H. Lemieux" <phlcyways.com> wrote:
> > How about IMP, a Web IMAP client written in PHP3, running on
> an Apache-SSL
> > server?
> >
> > IMP: http://www.horde.org/imp/
> > PHP: http://www.php.net
> >
> > You can read and send mail, attach files, manage folders, keep an
> > addressbook, and use LDAP servers, all over the web. Not only
> would the
> > authentication session be encrypted by SSL, so would the
> contents of the
> > messages viewed.
> > If you're uncomfortable leaving the message store on a
> publicly accessible
> > machine, you can put it behind your firewall and point IMP at
> it through
> > some kind of tunnel.
> >
> > If you want to be able to use an IMAP client that runs on the
> laptop, there
> > is a standard port assignment (993) for secure IMAP using
> SSL/TLS. I know
> > Netscape Communicator supports this, and I think MS Outlook
> does, too. You
> > might want to look at one man's experience trying to construct an
> > UW-IMAP+SSL server at
> http://www.terry.dtcc.edu/stanton/cs/admin/notes/ssl/.
>
>
> ******************
> Thread 7: IPSec
>
> Dean Thompson <Dean.Thompsoncsse.monash.edu.au> wrote:
> > You may want to investigate the SSL protocol to ensure you have an
> encrypted
> > session when reading mail. Other than SSL, you may be able to
> >use a system
> > like IPSec to encrypt data on the network (although this requires a
> specific
> > gateway encrypting all the traffic).
>
> *****************
> Thread 8: Kerberos AND gss
>
> > "Michael H. Warfield" <mhwwittsend.com> wrote:
> > Blair Lowe wrote:
> > > We are wondering if anyone knows the security features of IMAP.
> >
> > Yeah, virtually none unless you add features like kerberos or gss.
>
> Anyone know any links on these ones?
>
> --
> "Matthew B. Henniges" <mattaxl.net> wrote:
> >  You could use pop over ssl.
> >
> >  There are several ssl proxies that can add ssl support to a non ssl
> server,
> >
> >  stunnel, bjorb, and sslproxy come to mind.
> >
> >  Some people report problems with outlook express's ssl support though...
>
> anyone know any links to bjorb?
>
> Computer Engineering Inc. http://www.compeng.net
> Phone: 780 499 5687 (9 - 5 MST) Fax: 780 435 0693 (24 Hours)
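The FAQ excerpt quoted near the top of this message (permit_mynetworks, check_client_access, check_relay_domains, and a client_access table whose values are "OK" or an all-numeric string) is the mechanism that DRAC-style pop-before-smtp relies on. The Python script below is an added example written for this archive page; it is not DRAC, not Postfix code, and not part of the original thread. It assumes a made-up POP daemon log format, made-up addresses and a fixed clock value (all constructed), builds a client_access table of client IP to Unix timestamp of the last successful POP login, expires entries after a window, renders the table in access(5) text form, and walks a relay attempt through the FAQ's restriction list. Two facts it relies on come from Postfix's access(5) documentation: a value of OK permits the client, and an all-numerical value is treated as OK, which is the form pop-before-smtp tools write. The lookup is deliberately simplified: real Postfix also tries parent networks of the client address and parent domains of the recipient.

```python
"""POP-before-SMTP relay authorization, modelled on the Postfix FAQ excerpt.

Added example: the log format, addresses and clock value below are constructed
for illustration; nothing here is DRAC or Postfix code.
"""
import calendar
import ipaddress
import re
import time

# Constructed POP daemon log lines (the format is made up for this example).
SAMPLE_POP_LOG = """\
Jan  2 21:40:01 mail popd[1234]: login user=alice host=4.3.2.1
Jan  2 21:41:17 mail popd[1235]: login user=bob host=5.4.3.2
Jan  2 21:42:05 mail popd[1236]: login failed user=mallory host=6.5.4.3
"""

# Only a successful login ("login user=...") authorizes the client address;
# the "login failed" line does not match because "user=" must follow "login ".
LOGIN_RE = re.compile(
    r"^(?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ popd\[\d+\]: login user=\S+ host=(?P<host>\S+)$"
)


def parse_pop_logins(log_text, year=2000):
    """Return [(client_ip, epoch_seconds)] for each successful POP login.

    Syslog-style stamps carry no year or zone, so the caller supplies the year
    and the stamp is read as UTC to keep the result deterministic.
    """
    logins = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m is None:
            continue
        stamp = time.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        logins.append((m["host"], calendar.timegm(stamp)))
    return logins


def update_access_table(table, logins, window_seconds=30 * 60, now=None):
    """Merge new logins into {ip: last_login_epoch} and drop stale entries.

    The timestamp is the value Postfix will see; DRAC-style tools keep it so
    the authorization can lapse. Entries older than window_seconds vanish.
    """
    if now is None:
        now = time.time()
    merged = dict(table)
    for ip, stamp in logins:
        merged[ip] = max(stamp, merged.get(ip, 0))
    return {ip: t for ip, t in merged.items() if now - t <= window_seconds}


def render_access_table(table):
    """Text form of /etc/postfix/client_access: key, whitespace, value.

    access(5) treats an all-numerical lookup result as OK, so the timestamp
    doubles as the permit verdict (run postmap on the file for hash: tables).
    """
    return "".join(f"{ip} {stamp}\n" for ip, stamp in sorted(table.items()))


def relay_decision(client_ip, recipient, access_table, mynetworks, relay_domains):
    """Walk the FAQ's smtpd_recipient_restrictions in order and report which
    restriction decided. Simplified: exact-key lookups only, without the
    parent-network and parent-domain fallbacks real Postfix performs.
    """
    addr = ipaddress.ip_address(client_ip)
    # permit_mynetworks: trusted networks relay unconditionally.
    if any(addr in ipaddress.ip_network(net) for net in mynetworks):
        return ("permit", "permit_mynetworks")
    # check_client_access hash:/etc/postfix/client_access
    value = access_table.get(client_ip)
    if value is not None:
        value = str(value)
        if value == "OK" or value.isdigit():
            return ("permit", "check_client_access")
        if value.upper().startswith("REJECT"):
            return ("reject", "check_client_access")
    # check_relay_domains: relay only for domains this server handles mail for.
    domain = recipient.rpartition("@")[2].lower()
    if any(domain == d or domain.endswith("." + d) for d in relay_domains):
        return ("permit", "check_relay_domains")
    return ("reject", "check_relay_domains")


def demo(now=946849300):
    """End to end on the constructed log; `now` is 2000-01-02 21:41:40 UTC."""
    table = update_access_table({}, parse_pop_logins(SAMPLE_POP_LOG), now=now)
    verdicts = {
        ip: relay_decision(ip, "friend@elsewhere.example", table,
                           ["127.0.0.0/8"], ["example.com"])
        for ip in ("4.3.2.1", "6.5.4.3", "127.0.0.1")
    }
    return table, render_access_table(table), verdicts


if __name__ == "__main__":
    table, text, verdicts = demo()
    print(text)
    for ip, verdict in verdicts.items():
        print(ip, *verdict)
```

Calling update_access_table again with a later clock value shows the property this scheme turns on from the defender's side: authorization is granted per source address and lapses with the window, so anyone sharing that address (behind the same NAT or proxy) can relay until it expires, which is why the window should be kept short. Nothing here protects the POP password itself; it still crosses the wire in the clear unless the session is wrapped in SSL as the rest of the thread discusses.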




This archive was generated by hypermail 2b27 : Sun Jan 02 2000 - 21:59:01 CST