[clug] Linux Security

Daniel Pittman daniel at rimspace.net
Thu Oct 9 23:54:03 GMT 2008

steve jenkin <sjenkin at canb.auug.org.au> writes:
> Daniel Pittman wrote on 11/6/08 10:26 PM:
> Picking up an old thread, I was wondering how people provide (local)
> email access for 'global travellers'.
> It's simple to read mail via webmail, POP or IMAP.

*nod*  Webmail has the advantage that sending is on the server side, not
the client side, and so more or less free of the vicissitudes of their
remote connectivity.

> Sending mail means allowing external connections to Port 25 - which
> creates an open mail relay. Hmmmm.

By default all the mail servers I am familiar with, today, are not open
relays by default, and need to be configured that way.  Please don't
spend the time to do that. ;)

NB: Most SMTP servers have external port 25 open, as that is how they
receive email.  User and/or spam relaying is not actually different to
normal delivery at a technical level.

tcp/587 (submission) is a better port choice.  Many places[1] block or
intercept port 25 outbound, while submission -- useful only for
accepting authenticated local users submitting email for
redistribution -- is free to connect.

That port is defined as SMTP plus ...

> Is this solved with just TLS/SSL + user login (and I get busy
> reading),

... SASL authentication, which you almost certainly want to marry with
TLS/SSL[2], and then configure your system to allow authenticated

SASL isn't fun to configure, but you can certainly get good advice
here.  I know Postfix SASL configuration well, for example, and others
doubtless know the other tools.

> or will using SSH's ability to map a remote port locally be easiest?

If it is just for yourself, then yes -- it would be easier to have a
custom VPN dedicated to the one skilled user than 

> User runs Windows and is not terribly IT capable - the config has to
> be simple and 'set and forget'. Plus be able to suffer others
> tinkering with it if he goes somewhere and it stops & locals get
> 'helpful' :-(

For this, I would strongly advise TLS/SSL and SASL on the submission
port.  Outlook, and other clients, support it well, and once you have it
configured it has always (for me) been "set and forget" -- hard to get
going, but never a problem once it is.


Actually, truth be told, these days I use Zimbra for my personal mail
service, which means that someone else did the hard work of configuring
SASL authentication and Postfix for me. :)

[1]  Hotels, and other "roaming" access points, rather than companies.
     Actually, a non-trivial number of ISPs block that as well, now I
     think about it...

[2]  Technically, SASL supports a bunch of "clear-text transmission
     safe" password exchange mechanisms, which require storing the
     clear-text password on your server.  Since the failure mode of that
     is (generally) vastly worse than the failure mode of a plain-text
     password sent over a secure link ...

More information about the linux mailing list