[clug] Linux Security
Daniel Pittman
daniel at rimspace.net
Thu Oct 9 23:54:03 GMT 2008
steve jenkin <sjenkin at canb.auug.org.au> writes:
> Daniel Pittman wrote on 11/6/08 10:26 PM:
>
> Picking up an old thread, I was wondering how people provide (local)
> email access for 'global travellers'.
>
> It's simple to read mail via webmail, POP or IMAP.
*nod* Webmail has the advantage that sending is on the server side, not
the client side, and so more or less free of the vicissitudes of their
remote connectivity.
> Sending mail means allowing external connections to Port 25 - which
> creates an open mail relay. Hmmmm.
By default, all the mail servers I am familiar with today are not open
relays, and need to be configured that way. Please don't spend the time
to do that. ;)
NB: Most SMTP servers have external port 25 open, as that is how they
receive email. User and/or spam relaying is not actually different to
normal delivery at a technical level.
tcp/587 (submission) is a better port choice. Many places[1] block or
intercept port 25 outbound, while submission -- useful only for
accepting authenticated local users submitting email for
redistribution -- is free to connect.
That port is defined as SMTP plus ...
> Is this solved with just TLS/SSL + user login (and I get busy
> reading),
... SASL authentication, which you almost certainly want to marry with
TLS/SSL[2], and then configure your system to allow authenticated
relaying.
SASL isn't fun to configure, but you can certainly get good advice
here. I know Postfix SASL configuration well, for example, and others
doubtless know the other tools.
> or will using SSH's ability to map a remote port locally be easiest?
If it is just for yourself, then yes -- it would be easier to have a
custom VPN dedicated to the one skilled user than
> User runs Windows and is not terribly IT capable - the config has to
> be simple and 'set and forget'. Plus be able to suffer others
> tinkering with it if he goes somewhere and it stops & locals get
> 'helpful' :-(
For this, I would strongly advise TLS/SSL and SASL on the submission
port. Outlook, and other clients, support it well, and once you have it
configured it has always (for me) been "set and forget" -- hard to get
going, but never a problem once it is.
Regards,
Daniel
Actually, truth be told, these days I use Zimbra for my personal mail
service, which means that someone else did the hard work of configuring
SASL authentication and Postfix for me. :)
Footnotes:
[1] Hotels, and other "roaming" access points, rather than companies.
Actually, a non-trivial number of ISPs block that as well, now I
think about it...
[2] Technically, SASL supports a bunch of "clear-text transmission
safe" password exchange mechanisms, which require storing the
clear-text password on your server. Since the failure mode of that
is (generally) vastly worse than the failure mode of a plain-text
password sent over a secure link ...
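As an added example, not taken from Daniel's post or from the Postfix project's own documentation, the following Postfix fragments implement what the reply recommends: TLS plus SASL on tcp/587 (submission) with relaying permitted only to authenticated users, while port 25 keeps receiving inbound mail without relaying, and plain-text SASL mechanisms are refused unless the session is already encrypted (footnote [2]). The hostname, certificate paths and the Dovecot SASL backend are assumptions.

```conf
# ---- /etc/postfix/main.cf (assumed values; adjust to your site) ----
myhostname = mail.example.net

# Port 25 is for receiving mail for our own domains only.
# reject_unauth_destination is what keeps this from being an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# Server-side TLS: opportunistic on port 25, forced on 587 (see master.cf).
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.net.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.net.key
smtpd_tls_security_level = may

# SASL backend (assumed: Dovecot's auth socket under the Postfix queue dir).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# AUTH is not advertised on port 25 at all; it is switched on per service.
smtpd_sasl_auth_enable = no
# Never offer PLAIN/LOGIN on an unencrypted session; after STARTTLS only
# anonymous mechanisms stay forbidden, so plaintext-over-TLS is allowed.
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# ---- /etc/postfix/master.cf (submission service entry) ----
# service   type  private unpriv chroot wakeup maxproc command
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

On Postfix 2.10 and later, `smtpd_relay_restrictions` governs relaying and should carry the same `permit_sasl_authenticated,reject` (or `reject_unauth_destination` on port 25); a separate `syslog_name` makes authenticated submissions easy to pick out of the mail log.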