• running smtp and submission port

    From jake@21:1/5 to All on Sun Jan 15 23:22:40 2023
    Hi Folks,

    I just want to verify I have a safe configuration. Everything is working well for me.


    My sendmail.mc file:
    --------------------------------
    include(`/etc/mail/tls/starttls.m4')dnl
    FEATURE(`no_default_msa')dnl
    define(`confAUTH_OPTIONS', `y')dnl
    TRUST_AUTH_MECH(`PLAIN DIGEST-MD5 CRAM-MD5')dnl
    define(`confAUTH_MECHANISMS', `PLAIN DIGEST-MD5 CRAM-MD5')dnl
    define(`confDONT_BLAME_SENDMAIL',`GroupReadableSASLDBFile')dnl
    DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl #watch port 587 for my submissions outgoing from TB
    DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl #watch port 25 for incoming email from internet

    I have STARTTLS and PLAIN password working on 587. I am confident that I am the only one who can send email on port 587.

    However, port 25 I am not so sure. I only want to receive emails for local delivery to my server. (mydomain.com) I have sasl and dovecot setup to service the Thunderbird client. The MX record for my domain naturally sends traffic to port 25. I do not want to relay or send anyone's SPAM from port 25 but I need to read my own incoming email from port 25. Any advice how to harden this or am I safe already?

    thank you so much for the help,
    --jake

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to jake on Thu Jan 19 06:40:29 2023
    jake wrote:

    TRUST_AUTH_MECH(`PLAIN DIGEST-MD5 CRAM-MD5')dnl

    DAEMON_OPTIONS(`Port=smtp, Name=MTA')

    I have STARTTLS and PLAIN password working on 587.
    I am confident that i am the only one
    who can send email on port 587.

    Provided your auth password doesn't get hacked.
    If you only use PLAIN, you should remove the other mechs.

    However, port 25 I am not so sure.

    Turn off AUTH on port 25 as you don't use it. Relaying is denied
    by default but a successful authentication would allow it.


    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Knute Johnson@21:1/5 to All on Thu Jan 19 10:27:16 2023
    On 1/19/23 05:40, Claus Aßmann wrote:

    Turn off AUTH on port 25 as you don't use it. Relaying is denied
    by default but a successful authentication would allow it.


    I know how to require AUTH but not how to deny AUTH on port 25?

    Thanks,

    knute...

  • From Claus Aßmann@21:1/5 to Knute Johnson on Thu Jan 19 13:15:52 2023
    Knute Johnson wrote:

    I know how to require AUTH but not how to deny AUTH on port 25?

    See the fine documentation op.*

    DaemonPortOptions=options

    Modifier can be a sequence (without any
    delimiters) of the following characters:

    a always require AUTH
    ..
    A disable AUTH (overrides 'a' modifier)


  • From Knute Johnson@21:1/5 to All on Thu Jan 19 14:05:19 2023
    On 1/19/23 12:15, Claus Aßmann wrote:
    Knute Johnson wrote:

    I know how to require AUTH but not how to deny AUTH on port 25?

    See the fine documentation op.*

    DaemonPortOptions=options

    Modifier can be a sequence (without any
    delimiters) of the following characters:

    a always require AUTH
    ..
    A disable AUTH (overrides 'a' modifier)



    Yes it is in the doc. I've got your book too and it is right there on
    page 996. I've looked at it a lot and just didn't see it.

    Works like a charm.

    Thanks Claus!

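The change discussed above (modifier `A` on the port 25 daemon), as an added example that is not part of any post in this thread: a small check that reads the `DAEMON_OPTIONS` lines of a `sendmail.mc` and reports daemons whose AUTH setting does not match the intended setup. The policy it enforces (no AUTH on port 25, AUTH required on every other port), the sample strings and the function names are assumptions made for illustration.

```python
import re

# Constructed samples: the two DAEMON_OPTIONS lines from the sendmail.mc in the
# thread, and the same lines with modifier A added on the port 25 daemon.
BEFORE = """\
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl submissions from Thunderbird
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl incoming mail from the internet
"""
AFTER = """\
DAEMON_OPTIONS(`Port=587, Name=MSA, M=Ea')dnl submissions from Thunderbird
DAEMON_OPTIONS(`Port=smtp, Name=MTA, M=A')dnl incoming mail from the internet
"""

def parse_daemons(mc_text):
    """Return one {key: value} dict per active DAEMON_OPTIONS(`...') entry."""
    daemons = []
    for line in mc_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        # m4 discards everything after dnl, so a dnl-prefixed entry is inactive.
        active = re.split(r"\bdnl\b", line, maxsplit=1)[0]
        m = re.search(r"DAEMON_OPTIONS\(`([^']*)'\)", active)
        if m:
            pairs = (p.split("=", 1) for p in m.group(1).split(",") if "=" in p)
            daemons.append({k.strip(): v.strip() for k, v in pairs})
    return daemons

def auth_policy(opts):
    """Map the M= modifiers to AUTH behaviour; 'A' overrides 'a'."""
    mods = opts.get("M", "")
    if "A" in mods:
        return "disabled"
    return "required" if "a" in mods else "offered"

def audit(mc_text):
    """Flag port 25 daemons that offer AUTH and other ports that do not require it."""
    findings = []
    for opts in parse_daemons(mc_text):
        port, name = opts.get("Port", "smtp"), opts.get("Name", "?")
        policy = auth_policy(opts)
        if port in ("smtp", "25") and policy != "disabled":
            findings.append(f"{name} (port {port}): AUTH {policy}; add modifier A")
        elif port not in ("smtp", "25") and policy != "required":
            findings.append(f"{name} (port {port}): AUTH {policy}; add modifier a")
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "ok")
```
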
  • From Claus Aßmann@21:1/5 to Knute Johnson on Thu Jan 19 15:48:03 2023
    Knute Johnson wrote:

    Yes it is in the doc. I've got your book too and it is right there on

    It's not "my" book. Brian wrote it.

    page 996. I've looked at it a lot and just didn't see it.

    That's why a searchable text document is better :-)
    vi op.txt
    /AUTH
    n ... until you find what you wanted.


  • From Marco@21:1/5 to All on Fri Jan 20 08:46:29 2023
    On 19.01.2023 Claus Aßmann wrote:

    Knute Johnson wrote:

    Yes it is in the doc. I've got your book too and it is right there
    on

    It's not "my" book. Brian wrote it.

    But you are also mentioned on the first page. :-)

    page 996. I've looked at it a lot and just didn't see it.

    That's why a searchable text document is better :-)

    The book (sendmail 4th edition) is available as a PDF for buying, but
    some anonymous Russian FTP server has it too - intentionally public or
    not - I don't know.
