Re: Allow all types of Relay for a Hotspot Provider..

From: Blake Hudson (blakeispn.net)
Date: Tue May 13 2008 - 12:14:24 CDT


-------- Original Message --------
Subject: Re: Allow all types of Relay for a Hotspot Provider..
From: Walter Heukels <walterbadexample.net>
To: postfix-userspostfix.org
Date: Tuesday, May 13, 2008 9:15:48 AM
>> I need to relay for customers who also have an existing setting for
>> Outbound Auth SMTP in their client, i.e. Outlook with the tick in the
>> server required authentication.
>>
>
> My company does this for a hotspot provider; the way I solved it is to
> allow relaying for authenticated connections, and make sure the
> authentication always succeeds. I configured saslauthd to use PAM and
> used pam_permit.so for the SMTP service. You'll want to look up SASL and
> PAM documentation for this.
>
> I guarantee you will get people sending viruses and spam from infected
> laptops. I implemented virus scanning and rate limiting to combat this,
> which is working fine so far.
>
> Walter
>
>
>
Initially, accepting all auth requests seemed the best idea to me as
well. The method above is a good method of accomplishing this. However,
then I remembered a time when an SMTP 'firewall' (much like a PIX) was
blocking certain ESMTP commands/responses between a client and our
server. It turns out that even if the client is configured for SMTP
authentication, it will not even attempt to authenticate if the server
does not respond to an ehlo/helo with "250-AUTH".

This was true of Eudora, OE, and Thunderbird as of a few years ago, and
I wouldn't doubt if it still holds true. So, if your server does not
offer up to support authentication, then the majority (statistically
all) will likely work just fine, happily bypassing the authentication
process. Personally, I would prefer not intercepting usernames/passwords
or even having them sent unencrypted on my network if avoidable.

--Blake
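The behaviour Blake describes turns on one thing: whether the server's EHLO reply contains a `250-AUTH` line. The following script is an added example, not code from this thread or from Postfix; it parses an EHLO reply, reports whether a client configured for "server requires authentication" would actually try to authenticate, and whether that attempt would happen on the plaintext connection. The three sample replies are constructed for offline use, and `fetch_ehlo()` (the `probe.example.test` HELO name is a placeholder) is meant for checking a server you administer.

```python
"""Inspect an SMTP EHLO reply: is AUTH advertised (so clients will send
credentials at all), and is it advertised before STARTTLS (so those
credentials may cross the network unencrypted)?"""
import socket

# Constructed sample replies; no real server produced these.
SAMPLE_AUTH_NO_TLS = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 10240000\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250-AUTH=PLAIN LOGIN\r\n"   # legacy spelling some servers add for old clients
    "250 8BITMIME\r\n"
)
SAMPLE_AUTH_WITH_TLS = (
    "250-mail.example.test\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN CRAM-MD5\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_NO_AUTH = (
    "250-mail.example.test\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply):
    """Turn a multi-line 250 EHLO reply into {EXTENSION: [params]}.
    The first line is the server's domain, not an extension, so it is
    skipped; 'AUTH=...' is folded into AUTH without duplicating mechanisms."""
    caps = {}
    lines = [ln for ln in reply.split("\r\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("not a 250 EHLO reply")
    for line in lines[1:]:
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("malformed reply line: %r" % line)
        body = line[4:].strip()
        if not body:
            continue
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        parts = body.split()
        keyword = parts[0].upper()
        params = caps.setdefault(keyword, [])
        for p in parts[1:]:
            p = p.upper()
            if p not in params:
                params.append(p)
    return caps


def client_will_authenticate(caps):
    """A client set to 'server requires authentication' only sends AUTH
    if the EHLO reply offered it; no 250-AUTH line means it relays without
    authenticating at all."""
    return "AUTH" in caps


def auth_exposure(caps):
    """'none' when AUTH is not offered; 'cleartext-only' when it is offered
    with no STARTTLS at all; 'cleartext-possible' when both are offered
    before TLS, so a client that skips STARTTLS still authenticates in the
    clear. Postfix's smtpd_tls_auth_only=yes hides AUTH until TLS is up."""
    if "AUTH" not in caps:
        return "none"
    return "cleartext-possible" if "STARTTLS" in caps else "cleartext-only"


def assess(reply):
    caps = parse_ehlo(reply)
    return {
        "auth_advertised": client_will_authenticate(caps),
        "mechanisms": caps.get("AUTH", []),
        "starttls": "STARTTLS" in caps,
        "exposure": auth_exposure(caps),
    }


def _read_reply(f):
    """Read one SMTP reply; a line with a space after the code ends it."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return "\r\n".join(lines) + "\r\n"


def fetch_ehlo(host, port=25, helo_name="probe.example.test", timeout=10):
    """Fetch the pre-TLS EHLO reply from a server you run; pass it to assess()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        _read_reply(f)                                   # 220 greeting
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        reply = _read_reply(f)
        sock.sendall(b"QUIT\r\n")
        return reply


if __name__ == "__main__":
    for name, sample in (("AUTH, no STARTTLS", SAMPLE_AUTH_NO_TLS),
                         ("AUTH with STARTTLS", SAMPLE_AUTH_WITH_TLS),
                         ("no AUTH", SAMPLE_NO_AUTH)):
        print(name, "->", assess(sample))
```

Run `assess(fetch_ehlo("your.mail.host"))` against your own relay to see which of the two situations in the thread you are in: no `AUTH` line means Walter's pam_permit trick is never exercised because clients skip authentication entirely; an `AUTH` line without `STARTTLS` means every credential the hotspot users' clients hold is sent in the clear, which is the exposure Blake wants to avoid.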