
Secure Authentication or qmail?

lizard

Guest
Can qmail be set up to work with Secure Password Authentication?

When I try to enable this in Outlook Express I get the error:
Code:
Unable to logon to the server using Secure Password Authentication. Account: 
'mail.xxxxxx.com', Server: 'mail.xxxxxx.com', Protocol: POP3, Server Response: '-ERR 
Invalid command.', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error 
Number: 0x800CCC18

When I try to enable it in Thunderbird, I get:
Code:
Mail server does not support secure authentication
 
This is pop3/imap related...

The correct (standard) port number of secured pop3 is 995.

-David
 
SPA is a Microsoft-developed technology, so it's unusual for Linux/Unix (but can be deployed). Use SSL encryption and feel safe! :)
 
I have only one SSL cert installed on my server, but the email programs come back with an error about the SSL not being verifiable, and it's using an SSL cert issued to 'plesk'??? Why doesn't it use the SSL cert I installed (the default cert was deleted)?

Any ideas?

Also, how do you force people to use SSL? I guess you just close ports 25 and 110 in iptables and they have no choice.

Also, I was hoping Plesk had setup some kind of SMTP-after-POP or SMTP AUTH (which I believe is available for qmail). Testing a new FC2/Plesk7.5 installation shows that anyone (without a password) can send mail to my domain as long as they claim to be sending from an email address within my domain. Spammers frequently do this.
 
Hi lizard,

> I have only one SSL cert installed on my server, but the email programs come back with an error about the SSL not being verifiable, and it's using an SSL cert issued to 'plesk'??? Why doesn't it use the SSL cert I installed (the default cert was deleted)?

First, I don't think that courier-imap (the imap-ssl and pop3-ssl server) uses Plesk-generated keys. They are more likely located near /usr/lib/courier-imap/share . Anyway, those keys are not trusted by apps like MS Outlook because they have been created by you, not by a trusted vendor like Geotrust or Verisign.

> Also, how do you force people to use SSL? I guess you just close port 25 and 110 in iptables and they have no choice.

If you close port 25, your server will not be able to receive e-mails from the outside anymore... One way to achieve that would be to block port 110 (pop) and 143 (imap) to force them to use 993 and 995.

> Also, I was hoping Plesk had setup some kind of SMTP-after-POP or SMTP AUTH (which I believe is available for qmail). Testing a new FC2/Plesk7.5 installation shows that anyone (without a password) can send mail to my domain as long as they claim to be sending from an email address within my domain. Spammers frequently do this.

There is an option to require authentication to send e-mail through your relay. In plesk, Server > Mail > Preferences, you could set your relay with SMTP or POP auth.

Regards
-David
 
>There is an option to require authentication to send e-mail through your relay. In plesk, Server > Mail > Preferences, you could set your relay with SMTP or POP auth.

This doesn't seem to work in all cases. If the sender is authorized, you can send mail to anyone. Without being authorized, you can still send all the email you want to users at one of the domains hosted on the server. So, a spammer simply has to look up a domain's host IP and can then use your server to send mail to your domain addresses.
 
How could your users receive mails if everyone from the outside has to be authenticated?

-David
 
> How could your users receive mails if everyone from the outside has to be authenticated?

Yes, the setting implies that authentication is required, but in fact it is not. If you don't authenticate, it accepts the mail as long as the "from" address is one of your domains. Now if the "to" address is not one of your domains it does not deliver the message, but if the "to" address is one of your domains, it delivers it. - No Auth. Unless my server isn't working correctly. I've used Ethereal to capture the communications between the server and client and am sure this is the way mine is working.
 
Originally posted by lizard:

> Yes, the setting implies that authentication is required, but in fact it is not. If you don't authenticate, it accepts the mail as long as the "from" address is one of your domains. Now if the "to" address is not one of your domains it does not deliver the message, but if the "to" address is one of your domains, it delivers it. - No Auth. Unless my server isn't working correctly. I've used Ethereal to capture the communications between the server and client and am sure this is the way mine is working.

You don't understand how the mail system works. The mailserver will only accept mail for destinations other than domains on that server if the user has been authenticated in some way. This may be due to an IP whitelist, SMTP-AUTH or POP-before-SMTP. Regardless, if the sending mail server/user cannot be authenticated by one of the above methods, the mail will be rejected.

It would appear that your method of testing your mail server's security is flawed - using a domain on the server to send mail to as a 'test' will always result in the mail being accepted, as that's what the mail server is configured to do - accept mail for that domain.
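The relay rule the reply above describes, as an added example that is not part of this thread nor of qmail or Plesk: a small Python model of the per-RCPT decision a relay makes. Domain and IP lists are constructed samples; the 553 text mirrors qmail-smtpd's rcpthosts rejection.

```python
# Added example: model of a mail relay's accept/reject decision per RCPT TO.
# Local destination domains are always accepted (that is inbound delivery);
# any other destination is relaying and needs an "authorised" session via
# SMTP AUTH, an IP whitelist, or POP-before-SMTP. MAIL FROM is never consulted,
# so a forged local "from" address proves nothing about the sender.
from dataclasses import dataclass, field
from typing import List, Optional

LOCAL_DOMAINS = {"domain.com", "example.net"}   # constructed: domains hosted here
WHITELISTED_IPS = {"192.0.2.10"}                 # constructed: trusted relay client
POP_RECENT_IPS = {"192.0.2.20"}                  # constructed: POP-before-SMTP cache


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False
    mail_from: Optional[str] = None
    log: List[str] = field(default_factory=list)


def is_authorised(s: Session) -> bool:
    """True if any of the three relay-authorisation methods applies."""
    return (s.authenticated
            or s.client_ip in WHITELISTED_IPS
            or s.client_ip in POP_RECENT_IPS)


def handle(s: Session, line: str) -> str:
    """Return the server reply for one SMTP command line."""
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "AUTH":
        s.authenticated = True          # assume the credentials were verified
        return "235 Authentication successful"
    if verb == "MAIL":
        s.mail_from = arg.split(":", 1)[1].strip("<> ")
        return "250 ok"                 # recorded, but never used for the decision
    if verb == "RCPT":
        rcpt = arg.split(":", 1)[1].strip("<> ")
        domain = rcpt.rpartition("@")[2].lower()
        if domain in LOCAL_DOMAINS:
            return "250 ok"             # inbound delivery: no auth required
        if is_authorised(s):
            return "250 ok"             # outbound relay: session is authorised
        return "553 sorry, that domain isn't in my list of allowed rcpthosts"
    return "502 unimplemented"


def run(client_ip: str, lines: List[str], authenticated: bool = False) -> List[str]:
    """Replay a list of command lines through one session, returning the replies."""
    s = Session(client_ip, authenticated)
    return [handle(s, line) for line in lines]
```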
 
Lizard, are you trying to protect yourself from spammers within your domain (spammers from the inside)?

How are you testing your mail server?
Can you post the command lines?

-David
 
This is a not a corporate system, my customers will be coming in from all over the country (different ISPs) so anyone in the world can claim to be sending email 'from' my domain. Have you ever received spam that claimed to be from yourself? I have experienced this, and this is what concerns me. No spam filter is going to filter out email that appears to have come from your own address or domain.

Essentially, I believe that if my address is [email protected], anyone in the world can simply set up their email client to use the mail server 'mail.domain.com', say their email address is [email protected], send an email to [email protected], and the message will be delivered.

You should be able to try this yourself with Outlook Express. Just set up a new mail account, set up everything except the password. Do NOT check the box "My server requires authentication". Try sending an email to your new address (or any other valid address within the same domain). When you try to send the message, you'll be prompted for a password (but this is coming from the POP side); just cancel the dialog box without providing the password. Your email will be delivered - using only the mail server name and email address, information any spammer could obtain.

If you use Ethereal to capture the communications, you'll see that the SMTP conversation with the server doesn't even ask for a password; it just accepts the message because the "SMTP Command: RCPT TO:" lists a domain name hosted by your server.

Now in reality, just because this is possible doesn't mean that anyone would ever do it. Maybe I'm being overly cautious?
 