questions on setting up a mail server

Jonathan McKeown jonathan+freebsd-questions at hst.org.za
Wed Sep 5 01:10:16 PDT 2007


On Wednesday 05 September 2007 06:25, Ted Mittelstaedt wrote:
[Jim Stapleton]
> > I figured I'd try cyrus, I remember hearing that one is a good mail
> > server. But I'm new to the mail server thing, and I'm not even sure
> > where to look for some of this stuff if anyone can help. Also, I plan
> > on just doing POP3, and only allowing secure connections - if anyone
> > can recommend a good, simple server for that, that they think is
> > better than Cyrus, I won't object.
> >
> > My main question is on authentication. I was looking at authentication
> > types in kmail to get an idea of what I can use, and I found:
> > Clear text
> > LOGIN
> > PLAIN
> > CRAM-MD5
> > Digest-MD5
> > NTLM
> > GSSAPI
> > APOP
> >
> >
> > I know clear text is not what I want - if I remember, that's
> > unencrypted. Does TLS/SSL make this a non-issue? What about the other
> > methods?
>
> Much of this depends on the mail clients that you're going to be
> hitting the server with.
>
> The first group does encryption of the password only.

Not sure what's meant by ``the first group'' here.

> The TLS/SSL stuff does encryption of everything - password, mail contents,
> etc.
>
> The TLS stuff requires you put a SSL cert into the client.  Most people,
> not wanting to pay Verisign for this, make their own self-signed certs.
> There is a large amount of arcane magic to do this, and to get it accepted
> into Windows, so that an Outlook client will do SSL.

This isn't true, in my experience.

> The first group is a different story.  If you want to get Outlook to
> work with that, you can only use NTLM.

This is also not true, in my experience.

> The honest to god truth of the matter is that encrypting your POP3
> and SMTP auth passwords is difficult to do on a large scale no matter
> what road you pick to do it, so there is really not a lot of point to
> doing it unless you're in a rather limited environment.

I'm not sure I would agree with this statement either.

I've just recently moved a network of 100 users scattered all over South 
Africa, about half of whom are highly mobile and using multiple forms of 
connectivity (6 office LANs, an OpenVPN, ADSL and cellular datacards), to an 
encrypted/authenticated email system. I'm using sendmail and cyrus. I set up 
a certificate authority (not hard - there are plenty of howtos all over the 
'web) and gave the SMTP and IMAP/POP servers their own certificates.

All the authentication options you mention after plain text (which is the 
standard method built in to the protocol) require Cyrus SASL. This isn't as 
scary to set up as the docs make it sound. PLAIN and LOGIN can both use your 
existing user passwords (which is what I do). GSSAPI requires Kerberos, and 
the digest methods (the -MD5 ones) need a separate file of passwords held in 
plain text - the sasldb. Of the passwd-based methods, PLAIN is the preferred 
protocol according to the docs and RFCs - LOGIN is the one Microsoft uses (go 
figure).

I've configured sendmail and cyrus to use SASL, offering LOGIN and PLAIN, and 
to use TLS. sendmail uses STARTTLS on the submission port (587), and cyrus 
imapd/popd uses STARTTLS on imap and pop3 (143 and 110), plus SSL/TLS on 
pop3s (995). They are both configured not to offer LOGIN or PLAIN (or plain 
text login) without a TLS layer in place.

Clients are kmail (me), Outlook 2003 (everyone else), and a webmail system 
using Squirrelmail with up-imapproxy (which is a caching proxy, and also does 
the STARTTLS stuff for Squirrelmail because Squirrelmail can't).

Outlook 2003 uses LOGIN for authentication, and won't do STARTTLS on a pop3 
connection (which is where you connect in clear and negotiate encryption, as 
opposed to connecting to pop3s which is encrypted from the start).

The Outlook clients are configured to require authentication for SMTP using 
the same settings as POP, and to require encryption on both POP and SMTP, 
with ports 587 for SMTP and 995 for POP.

The first time someone collects email with Outlook, they get a warning that 
the certificate isn't trusted, but also the option to install it. Half a 
dozen clicks later the certificate is in place.

Granted, if you have clients using older versions of Outlook or dozens of 
different email clients, you may have issues finding working combinations of 
TLS/STARTTLS/port numbers and authentication methods, but by and large it's 
just putting a few slightly scary-sounding pieces together on the server - 
all of which are either in the base system (sendmail: most of the objections 
to sendmail haven't had any basis in reality for several years. It's now as 
easy to configure as Postfix, IMHO, and hooking Mimedefang in as a milter 
gives you the ability to reject a lot of junk during the connection rather 
than after the fact) or easily added from ports.

Jonathan
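The policy Jonathan describes for sendmail and cyrus (LOGIN/PLAIN, and clear USER/PASS, offered only once a TLS layer is up) can be verified from the outside by comparing what the server advertises before and after STARTTLS/STLS. The checker below is an added example, not code from the post or from sendmail/cyrus; the EHLO and CAPA responses in it are constructed, and the host name mail.example.org is a placeholder.

```python
"""Verify that SMTP/POP3 servers advertise password authentication only after
TLS is negotiated (the setup described in the post).  Added example; the
server responses below are constructed, not captured from a real server."""
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}   # mechanisms that send the password as-is

def smtp_auth_mechs(ehlo_lines):
    """SASL mechanisms advertised in an EHLO reply, e.g. '250-AUTH LOGIN PLAIN'.
    Both the RFC 4954 form 'AUTH ' and the older 'AUTH=' form are accepted."""
    mechs = set()
    for line in ehlo_lines:
        m = re.match(r"250[- ]AUTH[ =](.*)", line)
        if m:
            mechs.update(m.group(1).split())
    return mechs

def pop3_plain_auth(capa_lines):
    """True if a POP3 CAPA reply allows password auth in the clear:
    either the USER capability (plain USER/PASS) or SASL PLAIN/LOGIN."""
    for line in capa_lines:
        words = line.split()
        if not words:
            continue
        if words[0] == "USER":
            return True
        if words[0] == "SASL" and PLAINTEXT_MECHS & set(words[1:]):
            return True
    return False

def check_policy(pre_tls, post_tls, proto):
    """Return findings (empty list = policy holds): plaintext credentials must
    be refused before STARTTLS/STLS and available after it."""
    findings = []
    if proto == "smtp":
        before = smtp_auth_mechs(pre_tls) & PLAINTEXT_MECHS
        after = smtp_auth_mechs(post_tls) & PLAINTEXT_MECHS
        if before:
            findings.append(f"plaintext mechs offered before STARTTLS: {sorted(before)}")
        if not after:
            findings.append("no PLAIN/LOGIN offered even after STARTTLS")
    else:
        if pop3_plain_auth(pre_tls):
            findings.append("USER/PASS or SASL PLAIN/LOGIN offered before STLS")
        if not pop3_plain_auth(post_tls):
            findings.append("no password auth offered after STLS")
    return findings

# Constructed transcripts of a correctly configured server (port 587 / 110).
SMTP_PRE = ["250-mail.example.org Hello", "250-STARTTLS", "250 HELP"]
SMTP_POST = ["250-mail.example.org Hello", "250-AUTH LOGIN PLAIN", "250 HELP"]
POP_PRE = ["+OK Capability list follows", "TOP", "STLS", "."]
POP_POST = ["+OK Capability list follows", "TOP", "USER", "SASL PLAIN LOGIN", "."]
```

Against a live server the same functions can be fed the decoded EHLO reply from smtplib's ehlo() before and after starttls(), or the CAPA reply from poplib's capa() before and after stls().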