Mailing List CGatePro@mail.stalker.com Message #92253
From: Bret Miller <bret.miller@wcg.org>
Subject: RE: port 587 and authentication
Date: Thu, 16 Aug 2007 08:15:39 -0700
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.2.12/1.2.12(local)
> On Wed, 15 Aug 2007 16:13:18 -0700
>   Thom O'Connor <thom@communigate.com> wrote:
> >From:   Jeremy Webber
>
> > SMTP Authentication is usually always offered. The client MTA or MUA may
> > choose to use it, or not. If the client MTA/MUA does not authenticate,
> > then CommuniGate Pro checks the (1) source IP of the connection and the
> > (2) recipient. If the recipient is a local address, the MTA (such as
> > CommuniGate Pro) by default always accepts the message.
> >
> > This is how Internet-based e-mail functions on all "non-Client-IP" (and
> > non-relay) SMTP traffic.
> >
> > So, in short - you don't need to configure SMTP Auth at all. Just
> > configure these SMTP Listener ports:
> >
> > Port     Init SSL/TLS
> > ----------------------
> > 25       off
> > 465      on
> > 587      off
> >
> > And you're ready to go...
>
> I'm confused....for a domain, the Domain Settings offer an
> option to "Force SMTP AUTH for:" for nobody, non-clients,
> clients, everybody.  Is that not forcing the use of SMTP
> AUTH if non-clients, clients or everybody is selected?

Yes and no. It forces auth for "mail from" addresses in that domain, but
anyone could still connect to port 587 if it's open and send mail from
another domain to your server. I think it's only a matter of time before
spammers figure out how to abuse this if it's common practice to allow
unauthenticated traffic on commonly-known ports other than 25.

IMHO, all mail servers need to start offering a setting to require
authentication on specific ports to prevent that. Obviously, you can't
require auth for everyone on port 25. But you can and should be able to on
other ports.

That said, even the ability to do it on port 25 might be helpful if you want
your traffic routed through a filtering server. Then only authenticated
traffic would be accepted on your mailbox server.

And it might be helpful to be able to require auth only for non-clients so
that you can accept unauthenticated traffic for only that filtering server.

Bret
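
Added example, not part of the original post and not CommuniGate Pro code: a small Python model of the acceptance rules as this thread describes them, showing that the per-domain "Force SMTP AUTH for" choice leaves ports 465 and 587 open to unauthenticated mail with a foreign MAIL FROM, while a per-port requirement closes them. The `auth_only_ports` setting, the sample domain, the address ranges, and the rule that client IPs may relay are assumptions made for illustration.

```python
# Simplified model of the rules discussed in the thread (assumption: this is
# an illustration, not CommuniGate Pro's implementation or config syntax).
from dataclasses import dataclass

LOCAL_DOMAINS = {"example.org"}      # constructed sample local domain
CLIENT_NETS = ("192.0.2.",)          # constructed "Client IP" prefix

@dataclass
class Session:
    port: int
    peer_ip: str
    authenticated: bool
    mail_from: str
    rcpt_to: str

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def is_client(ip):
    return ip.startswith(CLIENT_NETS)

def accepts(s, force_auth="nobody", auth_only_ports=frozenset()):
    """True if the message is accepted.
    force_auth: per-domain choice (nobody/non-clients/clients/everybody).
    auth_only_ports: hypothetical per-port setting proposed in the post."""
    if s.authenticated:
        return True
    if s.port in auth_only_ports:
        return False
    # As described in the post, Force SMTP AUTH only applies to MAIL FROM
    # addresses in the local domain.
    if domain(s.mail_from) in LOCAL_DOMAINS:
        client = is_client(s.peer_ip)
        if (force_auth == "everybody"
                or (force_auth == "clients" and client)
                or (force_auth == "non-clients" and not client)):
            return False
    # Unauthenticated: client IPs may relay; anyone may reach local recipients.
    return is_client(s.peer_ip) or domain(s.rcpt_to) in LOCAL_DOMAINS

def open_ports(sessions, **policy):
    """Ports where an unauthenticated non-client session was accepted."""
    return sorted({s.port for s in sessions
                   if not s.authenticated and not is_client(s.peer_ip)
                   and accepts(s, **policy)})

# Constructed sessions: outside host, foreign MAIL FROM, local recipient.
SAMPLE = [Session(p, "203.0.113.9", False, "x@other.example", "user@example.org")
          for p in (25, 465, 587)]
```

Calling `open_ports(SAMPLE, force_auth="everybody")` still lists all three ports; adding `auth_only_ports=frozenset({465, 587})` leaves only port 25.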


