Friday, July 26, 2013

Exim: Authenticated SMTP


With authenticated SMTP, you can administer who can send E-Mail through your mail server. With control such as this, you can set up your network so that it also allows users who are not located inside it to send E-Mail. You may end up with your network accepting anything from inside and only authenticated submissions from outside. This means that roaming users are in good hands. It also means you can trace a message back to the user who logged in (if they authenticated). For example, the logs may look like the following (the unauthenticated entry first; the major differences are the P=asmtp protocol and the A=plain:joe field on the second line) :

    2003-08-18 16:04:25 19os6v-000GxP-5X <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=smtp S=3654 id=99327$0bC49Hckb4Uecr@ywndp.your-world-news.com
    2003-08-18 16:04:25 19os6y-000GyU-3B <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=asmtp A=plain:joe S=929 id=3F414EAB.2010107@somehost.net
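To make the tracing described above mechanical, here is an added example (not from the original post) that parses Exim's message-received lines as laid out in the two entries above, splits the A=mechanism:user field out, and lists messages accepted from outside the network without authentication. The regex assumes the field order shown in those two lines, and the internal address prefixes are an assumed input.

```python
import re

# The two reception lines from the post (the first plain SMTP, the second
# authenticated), used here as sample input.
SAMPLE_LOG = """\
2003-08-18 16:04:25 19os6v-000GxP-5X <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=smtp S=3654 id=99327$0bC49Hckb4Uecr@ywndp.your-world-news.com
2003-08-18 16:04:25 19os6y-000GyU-3B <= joe@sharktooth.org H=sharktooth.org [207.173.156.3] P=asmtp A=plain:joe S=929 id=3F414EAB.2010107@somehost.net
"""

# Fields of an Exim "<=" (message received) line that matter for tracing:
# H= host and [ip], P= protocol (smtp vs asmtp) and the optional A=mech:user.
# Assumes the field layout shown in the post's two lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<msgid>\S+) <= (?P<sender>\S+) "
    r"H=(?P<host>.+?) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)"
    r"(?: A=(?P<auth>\S+))? S=(?P<size>\d+)"
)

def parse_reception(line: str):
    """Return the parsed fields, with auth_mech/auth_user split out of A=,
    or None for lines that are not message-received records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    mech, _, user = (d["auth"] or "").partition(":")
    d["auth_mech"] = mech or None
    d["auth_user"] = user or None
    return d

def unauthenticated_from_outside(log: str, internal_prefixes):
    """Message ids accepted from an IP outside the internal prefixes without
    any A= field. Under the policy in the post these should not exist, so a
    non-empty result means the relay is more open than intended."""
    hits = []
    for line in log.splitlines():
        d = parse_reception(line)
        if d is None:
            continue
        internal = d["ip"].startswith(tuple(internal_prefixes))
        if not internal and d["auth_user"] is None:
            hits.append(d["msgid"])
    return hits
```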

You can accomplish this using the following entries in the authenticators section of the Exim configuration (see the Exim Documentation for more information). In short, these two authenticators are required to work with most clients on authenticated SMTP. Note that Outlook Express uses the LOGIN authenticator, while Netscape/Mozilla use the PLAIN authenticator. The following implementations use a database to house the passwords, hashed with the Unix crypt() function. You can store plain-text passwords, but that is dangerous if the password store is ever exposed. Exim can also use stronger cryptographic mechanisms to improve on this. But, for our example :

    # PLAIN sends "\0username\0password" on one line: $2 = username, $3 = password
    plain:
      driver = plaintext
      public_name = PLAIN
      server_condition = "${if and { \
          {!eq{$2}{}} \
          {!eq{$3}{}} \
          {crypteq{$3}{${lookup mysql{SELECT password FROM users WHERE username='${quote_mysql:$2}'}{$value}fail}}} \
        } {yes}{no}}"
      server_set_id = $2
    # LOGIN answers two prompts: $1 = username, $2 = password
    login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
      server_condition = "${if and { \
          {!eq{$1}{}} \
          {!eq{$2}{}} \
          {crypteq{$2}{${lookup mysql{SELECT password FROM users WHERE username='${quote_mysql:$1}'}{$value}fail}}} \
        } {yes}{no}}"
      server_set_id = $1

Notice the two differences between the authenticators :
  1. public_name, which resolves to PLAIN and LOGIN respectively (see the description above for which is used by which software).
  2. LOGIN uses $1 for the username and $2 for the password, while PLAIN uses $2 for the username and $3 for the password. This is because AUTH PLAIN supplies all of its fields on a single line, and the first field ($1) is normally blank, so the username and password land in $2 and $3; AUTH LOGIN supplies the username and password one at a time in reply to the two prompts, so they land in $1 and $2.

Once these authenticators are configured to your needs, just add the following to the main configuration :

    auth_advertise_hosts = *

This will advertise AUTH to all hosts that connect to send E-Mail. Now, you can configure your clients to use authentication for SMTP, and it should work fine!

Client-Side Setup :

How does SMTP work?

Prior to delving into Authenticated SMTP, we should probably give a short description of SMTP. SMTP is one of the famous Internet acronyms. It stands for "Simple Mail Transfer Protocol". SMTP is designed to relay Electronic Mail messages (E-Mail) from one computer to another.

SMTP does not often go directly to the recipient's computer. It usually stops and rests in the user's mail box, where the user will retrieve it. This intermediary is called an "SMTP server". Often, people send the initial message through their own "SMTP server", commonly referred to as an "outgoing mail server".

SMTP is very similar to sending a real-life letter, but without the "Do Not Bend Mail Into the Crusher" machinery. First, there are a few entities in the sending and receiving of mail: the local mail server (for example, the local post office), the recipient's post office (the recipient's mail server), and us and the recipient. When we send a letter, we package it into an envelope to keep people from writing on the letter itself, and walk to the post office. We put the message in the mail box. When the post office sends the letter, it grabs a bit of mail and delivers it to the recipient's post office. The recipient's post office puts it into the recipient's mail box, where it waits to be retrieved by the user.

What IS Authenticated SMTP?

In order to better serve its users, a mail server should not allow just anyone to send mail through it. This preserves the speed of the server, and prevents spammers, or people who are not authorized to use the server, from using it.

Typically, this restriction is put in place by not allowing E-Mail to be sent from outside of the network (as with a roaming dial-up, or when sending through a work connection that uses a different route to the Internet), which can be likened to forcing a local post office not to send mail unless the sender is a resident of the local community.

But what if you are trying to send a post card while on vacation and the community won't send it? Authenticated SMTP is a method for the post office to verify who you are, and that you are okay to send a message.


How to set it up :

To set up Authenticated SMTP, you can use the following instructions :
  • Outlook & Outlook Express
    1. Open up Outlook
    2. Click on "Tools" on the menu bar
    3. Click on "Accounts"
    4. Click on the account you wish to add Authenticated SMTP to
    5. Click the properties button (Windows: on right side, Mac: on the left side)
    6. Click on the "Servers" tab
    7. Check "My Server Requires Authentication" (shown to right)
    8. You can click on the settings button, and enter the username and password
  • Netscape & Mozilla Mail Clients
    1. Open the mail client
    2. Click on "Edit" on the tool bar
    3. Click on "Mail & Newsgroup Account Settings" (If the option is not available, click on "Preferences", then open up the "Mail & Newsgroups" option)
    4. Click on "Outgoing Server(SMTP)" or "Servers".
    5. You should have an option for "Use username and password". Check that, and provide the username and/or password
