Subject: Re: SMTP Auth
To: digital-homeopath.ca <digital.homeopath@gmail.com>
From: Christopher Schultz <chris@christopherschultz.net>
List: port-cobalt
Date: 02/16/2006 10:15:41

John,

> I'm hesitant to install cy2-login because of this and would like to
> know if I can still use these same instructions for cy2-plain.  Also,
> what is the functional difference between these two and what is the
> end result in setting up windows/mac email clients?  i.e. mac mail
> has multiple options for SMTP auth, would I use 'Password' with
> cy2-plain?

The platform on which you run your email client is not generally
relevant... only the features supported by that client. For example,
receiving email generally happens over POP or IMAP (or POPS or IMAPS),
which usually is not handled by an MTA daemon (perhaps postfix includes
these; I dunno). You may have to install something separate.

For example, I use qmail as my MTA and courier as my mail pickup daemon
serving IMAPS /only/.

The MTA uses SMTP which originally was a non-secure protocol: no
encryption, no authentication. These days, most MTAs support
authorization in the form of a username/email-address and password,
which at least makes it more difficult for someone to enslave your MTA
to use it as a relay for spam.

Encryption is another matter. I use Mozilla Thunderbird as my email
client and my choices for security are "None", "TLS" and "SSL". "None"
is obvious. "TLS" is a type of encryption which uses the original SMTP
protocol and a non-secure connection to initiate contact with the MTA.
Then, it upgrades the conversation using the STARTTLS command and the
client and server trade authentication information securely (i.e. using
encryption). "SSL" uses standard SMTP (I think) over an SSL connection,
so the entire connection is encrypted, instead of just the authentication.

Encryption ensures that nobody uses a packet sniffer to see your
cleartext password, which is especially important if your MTA is several
hops away from you on your network.

> Also, slightly off topic (sorry)... in a situation where spammers'
> emails are spoofed as coming from 'my' domain, does limiting relays
> to my domain alone still prevent spammers from using my SMTP server?

You can stop spammers from actually using your SMTP server by requiring
authentication in order to relay mail. However, a spammer can always use
someone else's (poorly-configured) MTA to forge emails from your domain.
There's nothing you can do about this.

> I'm not sure about that and this is the main reason I want to set up
> SMTP auth.

SMTP auth will prevent spammers from using your MTA. Encryption will
(help to) prevent anyone from stealing your auth info
(username/password). Together, these should solve (or prevent) these
problems.

-chris
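
An added illustration, not part of the original message: the Python sketch below audits SMTP transcripts for credentials sent before STARTTLS, assuming cy2-plain and cy2-login provide the SASL PLAIN and LOGIN mechanisms. The sessions, host names, user and password are constructed; the point is that both mechanisms only base64-encode the password, so the difference is wire format, and only TLS before AUTH protects it.

```python
import base64

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def sample_session(mech: str, starttls: bool) -> list:
    """Build a constructed transcript ("C:" client, "S:" server); not real traffic."""
    lines = ["S: 220 mail.example.org ESMTP", "C: EHLO client.example.org",
             "S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN"]
    if starttls:
        lines += ["C: STARTTLS", "S: 220 go ahead",
                  "C: EHLO client.example.org", "S: 250 AUTH PLAIN LOGIN"]
    if mech == "PLAIN":
        # PLAIN sends authzid NUL authcid NUL password in one base64 string.
        lines += ["C: AUTH PLAIN " + b64(b"\0alice\0s3cret")]
    else:
        # LOGIN sends user and password as two separate base64 replies.
        lines += ["C: AUTH LOGIN", "S: 334 " + b64(b"Username:"), "C: " + b64(b"alice"),
                  "S: 334 " + b64(b"Password:"), "C: " + b64(b"s3cret")]
    return lines + ["S: 235 ok"]

def audit(lines: list) -> list:
    """Return (mechanism, tls_active, creds_readable_by_a_sniffer) per AUTH seen."""
    tls = pending_tls = False
    login = None          # collects the two AUTH LOGIN replies
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C" and text.upper() == "STARTTLS":
            pending_tls = True
        elif side == "S" and pending_tls:
            tls, pending_tls = text.startswith("220"), False
        elif side == "C" and text.upper().startswith("AUTH PLAIN "):
            _authzid, user, pw = base64.b64decode(text.split()[2]).split(b"\0")
            exposed = None if tls else (user.decode(), pw.decode())
            findings.append(("PLAIN", tls, exposed))
        elif side == "C" and text.upper() == "AUTH LOGIN":
            login = []
        elif side == "C" and login is not None:
            login.append(base64.b64decode(text).decode())
            if len(login) == 2:
                findings.append(("LOGIN", tls, None if tls else tuple(login)))
                login = None
    return findings

if __name__ == "__main__":
    for mech in ("PLAIN", "LOGIN"):
        for starttls in (False, True):
            print(mech, "STARTTLS" if starttls else "no TLS", audit(sample_session(mech, starttls)))
```

The transcript with STARTTLS is the view from a client or server debug log; on the wire, everything after the `220` reply to STARTTLS is ciphertext.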


