Mailing List CGatePro@mail.stalker.com Message #92256
From: Technical Support <support@stalker.com>
Subject: Re: port 587 and authentication
Date: Thu, 16 Aug 2007 20:52:35 +0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,

Bret Miller wrote:
On Wed, 15 Aug 2007 16:13:18 -0700
  Thom O'Connor <thom@communigate.com> wrote:
From:   Jeremy Webber
SMTP Authentication is usually always offered. The client MTA or MUA may
choose to use it, or not. If the client MTA/MUA does not authenticate,
then CommuniGate Pro checks the (1) source IP of the connection and the
(2) recipient. If the recipient is a local address, the MTA (such as
CommuniGate Pro) by default always accepts the message.

This is how Internet-based e-mail functions on all "non-Client-IP" (and
non-relay) SMTP traffic.

So, in short - you don't need to configure SMTP Auth at all. Just
configure these SMTP Listener ports:

Port     Init SSL/TLS
----------------------
25       off
465      on
587      off

And you're ready to go...
I'm confused....for a domain, the Domain Settings offer an option to "Force SMTP AUTH for:" for nobody, non-clients, clients, everybody.  Is that not forcing the use of SMTP AUTH if non-clients, clients or everybody is selected?

Yes and no. It forces auth for "mail from" addresses in that domain, but
anyone could still connect to port 587 if it's open and send mail from
another domain to your server. I think it's only a matter of time before
spammers figure out how to abuse this if it's common practice to allow
unauthenticated traffic on commonly-known ports other than 25.

Not quite true for the recent (since 5.0) versions of CGPro: mail submission through port 587 _always_ requires authentication:

mail from:<>
530 <> You must authenticate first

<http://www.stalker.com/CommuniGatePro/SMTP.html#Submit>

IMHO, all mail servers need to start offering a setting to require
authentication on specific ports to prevent that. Obviously, you can't
require auth for everyone on port 25. But you can and should be able to on
other ports.

That said, even the ability to do it on port 25 might be helpful if you want
your traffic routed through a filtering server. Then only authenticated
traffic would be accepted on your mailbox server. And it might be helpful to
be able to require auth only for non-clients so that you can accept
unauthenticated traffic for only that filtering server.

Bret

--
Best regards,
Dmitry Akindinov

=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.
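
An added example, not part of the original messages and not CommuniGate Pro code: a small auditor for SMTP session transcripts that reports whether each `MAIL FROM` on a submission port was refused with 530 (as in the exchange quoted above) or accepted without authentication. The transcripts are constructed, and the `C:`/`S:` log format and the `audit_submission` name are assumptions made for this illustration.

```python
import re

# Constructed sample sessions (not captures from a real server).
# "C:" lines are client commands, "S:" lines are server replies.
ENFORCED = """\
S: 220 mail.example.com ESMTP
C: EHLO client.example.net
S: 250-mail.example.com
S: 250 AUTH PLAIN LOGIN
C: MAIL FROM:<>
S: 530 <> You must authenticate first
""".splitlines()

OPEN = """\
S: 220 mail.example.com ESMTP
C: EHLO client.example.net
S: 250 mail.example.com
C: MAIL FROM:<user@other.example>
S: 250 sender accepted
""".splitlines()

def audit_submission(lines):
    """Return (sender, reply_code, verdict) for every MAIL FROM in a session."""
    authenticated = False
    pending = None  # last client command still waiting for its final reply
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            pending = text.strip()
            continue
        m = re.match(r"(\d{3})([ -]|$)", text.strip())
        if side != "S" or not m or m.group(2) == "-":
            continue  # noise, or a non-final line of a multi-line reply
        code = int(m.group(1))
        if code == 235:  # 235 is the SMTP AUTH success reply
            authenticated = True
        elif pending and pending.upper().startswith("MAIL FROM:"):
            verdict = ("authenticated" if authenticated
                       else "auth enforced" if code == 530
                       else "accepted without AUTH" if 200 <= code < 300
                       else "rejected for another reason")
            findings.append((pending[len("MAIL FROM:"):].strip(), code, verdict))
        pending = None
    return findings

if __name__ == "__main__":
    for name, session in (("enforced", ENFORCED), ("open", OPEN)):
        print(name, audit_submission(session))
```
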