1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Secure Authentication or qmail?

Discussion in 'Plesk for Linux - 8.x and Older' started by lizard, Apr 24, 2005.

  1. lizard

    lizard Guest

    0
     
    Can qmail be setup to work with Secure Password Authentication?

    When I try to enable this in Outlook Express I get the error:
    Code:
    Unable to logon to the server using Secure Password Authentication. Account: 
    'mail.xxxxxx.com', Server: 'mail.xxxxxx.com', Protocol: POP3, Server Response: '-ERR 
    Invalid command.', Port: 110, Secure(SSL): No, Server Error: 0x800CCC90, Error 
    Number: 0x800CCC18
    
    When I try to enable it in Thunderbird, I get:
    Code:
    Mail server does not support secure authentication
    
     
  2. divad

    divad Guest

    0
     
    This is pop3/imap related...

    The correct (standard) port number of secured pop3 is 995.

    -David
     
  3. GARMTECH

    GARMTECH Guest

    0
     
    SPA is Microsoft developed technology, so it's unusual for Linux/Unix (but can be deployed). Use SSL encyption and feel safe! :)
     
  4. lizard

    lizard Guest

    0
     
    I have only one SSL cert installed on my server, but the email programs come back with an error about the SSL not being verifyable, and it's using an SSL issued to 'plesk'??? Why doesn't it use the SSL cert I installed (the default cert was deleted).

    Any ideas?

    Also, how do you force people to use SSL? I guess you just close port 25 and 110 in iptables and they have no choice.

    Also, I was hoping Plesk had setup some kind of SMTP-after-POP or SMTP AUTH (which I believe is available for qmail). Testing a new FC2/Plesk7.5 installation shows that anyone (without a password) can send mail to my domain as long as they claim to be sending from an email address within my domain. Spammers frequently do this.
     
  5. divad

    divad Guest

    0
     
    Hi lizard,

    > I have only one SSL cert installed on my server, but the email programs come back with an error about the SSL not being verifyable, and it's using an SSL issued to 'plesk'??? Why doesn't it use the SSL cert I installed (the default cert was deleted).

    First, I don't think that courier-imap (imap-ssl and pop3-ssl server) uses Plesk generated keys. It's more located near /usr/lib/courier-imap/share . Anyway, those keys are not trusted by apps like MSOutlook because it has been created by you, not by a trusted vendor like Geotrust or Verisign.

    > Also, how do you force people to use SSL? I guess you just close port 25 and 110 in iptables and they have no choice.

    If you close port 25, your server will not be able to receive e-mails from the outside anymore... One way to acheive that would be to block port 110 (pop) and 143 (imap) to force them using 993 and 995.

    > Also, I was hoping Plesk had setup some kind of SMTP-after-POP or SMTP AUTH (which I believe is available for qmail). Testing a new FC2/Plesk7.5 installation shows that anyone (without a password) can send mail to my domain as long as they claim to be sending from an email address within my domain. Spammers frequently do this.

    There is an option to require authentication to send e-mail through your relay. In plesk, Server > Mail > Preferences, you could set your relay with SMTP or POP auth.

    Regards
    -David
     
  6. lizard

    lizard Guest

    0
     
    >There is an option to require authentication to send e-mail through your relay. In plesk, Server > Mail > Preferences, you could set your relay with SMTP or POP auth.

    This doesn't seem to work in all cases. If the sender is authorized, you can send mail to anyone. Without being authorized, you can still send all the email you want to users at one of the domains hosted on the server. So, a spammer simply has to look up a domain's host IP and can then use your server to send mail to your domain addresses.
     
  7. divad

    divad Guest

    0
     
    How could your users receive mails if everyone from the outside has to be authenticated ?

    -David
     
  8. lizard

    lizard Guest

    0
     
    >How could your users receive mails if everyone from the outside has to be authenticated ?


    Yes, the setting implies that authentication is required, but in fact it is not. If you don't authenticate, it accepts the mail as long as the "from" address is one of your domains. Now if the "to" address is not one of your domains it does not deliver the message, but if the "to" address is one of your domains, it delivers it. - No Auth. Unless my server isn't working correctly. I've used Ethereal to capture the communications betwen the server and client and am sure this is the way mine is working.
     
  9. hostcorp

    hostcorp Guest

    0
     
    You don't understand how the mail system works. The mailserver will only accept mail for destinations other than domains on that server if the user has been authenticated in some way. This may be due to an IP whitelist, SMTP-AUTH or POP-before-SMTP. Regardless, if the sending mail server/user cannot be authenticated by one of the above methods, the mail will be rejected.

    It would appear that your method of testing your mail server's security is flawed - using a domain on the server to send mail to as a 'test' will always result in the mail being accepted, as that's what the mail server is configured to do - accept mail for that domain.
     
  10. divad

    divad Guest

    0
     
    Lizard, are you trying to protect yourself from spammers within your domain (spammers from the inside) ?

    How are you testing your mail server ?
    Can you post the command lines ?

    -David
     
  11. lizard

    lizard Guest

    0
     
    This is a not a corporate system, my customers will be coming in from all over the country (different ISPs) so anyone in the world can claim to be sending email 'from' my domain. Have you ever received spam that claimed to be from yourself? I have experienced this, and this is what concerns me. No spam filter is going to filter out email that appears to have come from your own address or domain.

    Essentially, I believe that if my address is joe.user@domain.com, anyone in the world can simply setup their email client to use the mail server 'mail.domain.com' and say their email address is joe.user@domain.com and send an email to joe.user@domain.com and the message will be delivered.

    You should be able to try this yourself with outlook express. Just setup a new mail account, setup everything except the password. Do NOT check the box "My server requires authentication". Try sending an email to your new address (or any other valid address within the same domain). When you try to send the message, you'll be prompted for a password (but this is coming from the POP side), just cancel the dialog box without providing the password. Your email will be delivered - using only the mail server name and email address, information any spammer could obtain.

    If you use Ethereal to capture the communications, you'll see that the SMTP communications with the server doesn't even ask for a password, it just accepts the message because the "SMTP Command: RCPT TO:" lists a domain name hosted by your server.

    Now in reality, just because this is possible doesn't mean that anyone would ever do it. Maybe I'm being overly cautious?
     
Loading...