
SMTP Authentication


SMTP authentication is important because it lets you verify mail clients independently of their IP addresses. Without SMTP authentication, only the IP ranges listed in the mynetworks parameter will be allowed to send mail through the server.

Here is how it works with mynetworks. With a setting in the Postfix main.cf like the one below, the Postfix mail server at localhost can relay mail, and every machine on the listed subnet can send mail through it. But a user who travels and wants to retrieve and send mail through the server from a laptop will be blocked.

mynetworks = 127.0.0.0/8, 192.168.5.0/24

Unless you want to constantly update mynetworks to reflect the traveling user's current IP address, you need to find another way to allow them to use the server.

There are basically four methods of allowing access to mobile users.
1. SMTP-after-POP and SMTP-after-IMAP
2. SMTP authentication
3. Certificate-based relaying
4. VPNs


SMTP-after-POP and SMTP-after-IMAP hand the question of authentication to the POP or IMAP server. Once the mail client has authenticated, the POP or IMAP server records the client's IP address and saves it in a database. The address stays in the database so it can be checked when the email client attempts to relay mail: the SMTP server looks up the address and allows the transfer if it is present. These addresses are only saved for a short time. Unfortunately, the configuration needed to make this work is complex, and IP addresses can easily be spoofed.

Certificate-based relaying relies on a certificate that the client sends to the server to authenticate itself. Once the certificate is verified, the mail client is allowed to relay. The unfortunate issue here is that many email clients do not support TLS authentication.

VPNs work fine; however, they require a lot of setup and employee training just for mail.

The easiest method is to use SMTP authentication. SMTP authentication is accomplished using Cyrus SASL, an implementation of the Simple Authentication and Security Layer. SASL has three layers that must be configured: the authentication interface, the mechanism and the method.
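
The relay decisions described above (mynetworks, SMTP-after-POP and SMTP authentication), modeled in Python as an added example; this is not Postfix code and not code from the original post. The roaming address, the 600-second window and the names RelayPolicy, decide and demo are assumptions made for illustration.

```python
import ipaddress

# mynetworks value taken from the page; everything else is a constructed model.
MYNETWORKS = "127.0.0.0/8, 192.168.5.0/24"
POP_WINDOW_SECONDS = 600  # assumed lifetime of an SMTP-after-POP entry


def parse_networks(value):
    """Split a comma/space separated mynetworks value into network objects."""
    return [ipaddress.ip_network(tok) for tok in value.replace(",", " ").split()]


class RelayPolicy:
    """Simplified relay check: trusted network, recent POP login, or SMTP AUTH."""

    def __init__(self, mynetworks, pop_window=POP_WINDOW_SECONDS):
        self.networks = parse_networks(mynetworks)
        self.pop_window = pop_window
        self.recent_pop = {}  # client IP -> time of last successful POP/IMAP login

    def record_pop_login(self, ip, now):
        self.recent_pop[ip] = now

    def decide(self, ip, now, sasl_user=None):
        """Return (allowed, reason). sasl_user is the identity the SASL layer
        reports after a successful AUTH, or None if the client did not log in."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True, "mynetworks"
        seen = self.recent_pop.get(ip)
        if seen is not None and now - seen <= self.pop_window:
            # Authorizes the address, not the person: any client on it passes.
            return True, "smtp-after-pop"
        if sasl_user:
            return True, "sasl:" + sasl_user
        return False, "relay denied"


def demo():
    policy = RelayPolicy(MYNETWORKS)
    laptop = "203.0.113.25"  # constructed roaming address (documentation range)
    results = [policy.decide("192.168.5.40", now=0), policy.decide(laptop, now=0)]
    policy.record_pop_login(laptop, now=1000)
    results.append(policy.decide(laptop, now=1300))  # inside the window
    results.append(policy.decide(laptop, now=2000))  # entry has expired
    results.append(policy.decide(laptop, now=2000, sasl_user="alice"))
    return results
```

Only the last case ties the relay permission to a user rather than to an address, which is why it keeps working after the laptop changes networks or the POP entry expires.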