Autor: Alan J. Flavell Data: Para: Exim-Users (E-mail) Asunto: Re: [Exim] SMTP
On Wed, 30 Jun 2004, Ron McKeating wrote:
> I am trying very hard to make the case to our management that we should
> do authenticated smtp through our servers from off campus.
I'm responding with my departmental postmaster hat on here. I don't
speak for the campus as a whole, OK?
I'd say definitely. It's not without a few nooks and crannies, but
it's substantially working for us (I mean, for our users). The
principle is definitely right, though there might be a few details
you'd need to hammer out.
> The response I am getting is "What do others do?" In general is that
> the accepted way of doing things.
Some version of it, yes, definitely.
> We obviously do not wish to be an open relay, and I have already
> issued dire warnings of blacklisting if we do it any other way.
Well we definitely wouldn't /relay/ for an unauthenticated sender; and
even incoming mail for /local/ recipients is distrusted if the sender
presents a local domain in their envelope-sender while launching
unauthenticated mail from "outside" (that being, after all, a popular
spammer's trick).
We implemented TLS+AUTH for submission from outside. (We don't
ask for either from clients which are within).
Several types of client can be configured in such a way that they
adapt calmly to the situation of being sometimes inside and sometimes
outside (viz. laptops) without user intervention.
I'm aware of two separate problem situations in relation to what we're
doing.
1. service providers who capture port 25 and transparently redirect
it to their own servers cause problems with the scheme as implemented.
2. Some clients seem to get confused about what they're supposed to be
doing, and try submitting mail from outside without TLS or AUTH. The
problem only emerges later in the transaction, of course, since at
first they look just like any other peer MTA. (If anyone knows how to
convince the OS X mail software not to do that, I'm interested - I
don't use it myself, but a couple of our users seem to have
encountered the problem. I think they concluded that it was safer to
switch modes manually after moving their laptop, than to hope for
their software to adapt to the request from exim).
Some folks will tell you that mail submission protocol is a preferable
solution to this requirement than authenticated SMTP. Maybe we should
look at that too.
Alternatively, VPN. I wouldn't try to implement that myself - because
of the risks of establishing a pipe into the campus from the most
insecure situation found at the average user's home setup! But campus
services operate a scheme with what I presume to incorporate adequate
defence mechanisms, and users who've established a VPN link can behave
as if they're effectively on the campus, which circumvents the other
issues.