Best practice: sendmail and SMTP auth

Ted Mittelstaedt tedm at
Sun Mar 16 08:17:02 UTC 2008

> -----Original Message-----
> From: owner-freebsd-questions at
> [mailto:owner-freebsd-questions at]On Behalf Of Doug Poland
> Sent: Wednesday, March 12, 2008 11:20 AM
> To: questions at
> Subject: Best practice: sendmail and SMTP auth
> Hello,
> Not sure if this is the most appropriate place for this question, but
> since all my servers are FreeBSD 6.x/7.x, I'll give it a go...
> I am considering setting up SMTP auth on a number of sendmail
> instances that I control.  After much googling and reading, it is not
> clear to me that a server with SMTP auth configured/enabled can relay
> mail in both auth and non-auth modes.

Some of the explanations posted have been Rube Goldberg in the
extreme, greatly complicating what should have been a very simple

A standard FreeBSD server determines relaying through use of the
access.db file, as you probably already are aware.

If you add in SMTP-auth then the ONLY change is that any client
that authenticates in, is exempted from checking the access.db
file - by default, they are allowed to relay.

It is not necessary to turn on an encrypted channel for SMTP-auth.
In fact, the most popular mail clients under Windows - Outlook,
only support NTLM encryption on authentication which REQUIRES
that the password be in cleartext on the mailserver.  OR, you 
can use SSL encryption for Outlook - however it will require a
(costly) commerically-rooted certificate on the server to do SSL
or your mail clients won't encrypt without a lot of nasty mucking
around on the user's side to install a self-signed root cert in their

As for 587, by default sendmail will allow auth on either port 25
or 587 and will allow non-encrypted auth on port 587.

The fact of the matter is that the most secure way of running
a production setup is to use a completely separate mailserver
for AUTH-smtp and to use DIFFERENT userID's/passwords on that server
than on the primary mailserver.  That way spammers that discover
the users e-mail address (which for most ISP's is the same as
the userID account) cannot launch dictionary attacks against the
SMTP-auth server.  And, attackers that sniff a cleartext password
on the SMTP-auth channel cannot use that userID 
to spam the mailserver.


More information about the freebsd-questions mailing list