Need to add password authentication from desk/laptop to sendmail - Security


Thread: Need to add password authentication from desk/laptop to sendmail

  1. Need to add password authentication from desk/laptop to sendmail

    The scenario is a laptop in a public place (hotel, airport), sending
    outbound e-mail. The client is Thunderbird on Windows, the server is
    RedHat Linux.

    I would like to offer 3 authentication alternatives to my users:

    (1) Authentication by domain. The user needs to log in to the VPN and
    the /etc/mail/access file contains the line "mycompany.com RELAY".

    When the VPN is not available, I resort to the following method:

    (2) Authentication by IP address. Same as (1). It requires adding the
    DNS/IP address into the access file. Requires ssh to modify the access
    file. Inconvenient for highly mobile users.

    The two above methods are easy and already implemented. What I would
    like to do now is add a third alternative, to be used when the
    above described options are not feasible:

    (3) Authentication by username/password.

    This is what I have done so far, but it doesn't work.

    I commented/uncommented the following lines from the sendmail.mc file:

    dnl define(`confAUTH_OPTIONS', `A')dnl <-- was originally uncommented
    dnl #
    dnl # The following allows relaying if the user authenticates, and disallows
    dnl # plaintext authentication (PLAIN/LOGIN) on non-TLS links
    dnl #
    define(`confAUTH_OPTIONS', `A p')dnl <-- was originally commented

    plus I clicked on "Use name and password" in Thunderbird. I am
    prompted for my password, but the relay is denied.

    The STARTTLS stuff (both from client to server, and server to server)
    is working fine.

    Do I have to tell sendmail to use PAM or something?

    TIA,

    -Ramon


  2. Re: Need to add password authentication from desk/laptop to sendmail

    On 11 Jun, 20:57, Ramon F Herrera wrote:
    > I would like to offer 3 authentication alternatives to my users:
    >
    > (1) Authentication by domain.
    > (2) Authentication by IP address.


    Careful!

    > (3) Authentication by username/password.
    >


    While I applaud your efforts to secure your SMTP server, there is
    another way to do it - just run a stunnel server on your SMTP server,
    or another box inside your network, and install stunnel clients with
    client certificates on all the laptops. Allow connections to the SMTP
    server from the stunnel server IP address. Require validation of the
    client certificate (or its CA) on the stunnel server and Bob's your
    uncle.

    You can do this with a SnakeOil CA.

    I did. It worked a treat. I also used the same setup for the POP and
    TELNET access (yes I KNOW about TELNET - it's a long story and I
    really can't be bothered sharing it with you all right now).

    C.
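
Added example, not part of the original posts: a minimal pair of stunnel configuration files for the setup described in the reply above, with client certificates checked against a private CA on the server side. All file paths, host names, the address 192.0.2.10 and port 2525 are constructed placeholders.

```ini
; ===== File 1: stunnel.conf on the stunnel server (inside the network) =====
; Server certificate and private key (placeholder path).
cert = /etc/stunnel/server.pem
; Private CA that signed the laptop certificates (placeholder path).
CAfile = /etc/stunnel/ca.pem
; Level 2: refuse any client that does not present a certificate
; chaining to CAfile. Every certificate this CA issues is accepted,
; so the CA should sign laptop certificates only.
verify = 2

[smtp-in]
; TLS listener reachable from outside.
accept = 2525
; Plain SMTP hop to sendmail. The access file then needs a RELAY entry
; for this stunnel host's address only, e.g. "192.0.2.10 RELAY".
connect = smtp.internal.example:25

; ===== File 2: stunnel.conf on each laptop =====
client = yes
; Laptop certificate and private key issued by the same CA (placeholder path).
cert = C:\stunnel\laptop.pem
; Also verify the server against the CA, so the laptop does not hand
; mail to an impostor on a hotel or airport network.
CAfile = C:\stunnel\ca.pem
verify = 2

[smtp-out]
; Thunderbird's outgoing server is set to 127.0.0.1 port 2525.
accept = 127.0.0.1:2525
connect = stunnel.example.com:2525
```

With this layout sendmail sees every tunnelled connection as coming from the stunnel host, so relay permission depends entirely on the certificate check, and a lost laptop means its certificate has to be revoked or the CA reissued.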

