
Implement SMTP Auth in a non-disruptive way?


Peter Tselios

Feb 8, 2012, 8:57:59 AM
Hello,

So far I have not implemented SMTP Auth for various reasons (one of them was the fact that I had no Postfix installed). Anyway, I would like to implement it, but since I have a relatively large base (>200K emails), I would like to do it in a non-disruptive way. I was thinking of implementing something like a "bounce" message for each outgoing mail without authentication. That message will not stop the delivery of the email, but it will simply inform unauthenticated users about the fact that in a few days they will be forced to do so.
When D-day comes, I would like to return to unauthenticated users a custom DSN, not the built-in error.

Is there any way to do it? If not, is there any other way to do it?
B/R

P.

Reindl Harald

Feb 8, 2012, 9:07:40 AM
this is not possible

postfix has SASL active or not
postfix rejects a message or not

and no, it makes no sense "a custom DSN, not the built-in error" because you
have to reject a message that you will not accept

how has this worked before?
all users from machines in "mynetworks"
if not you have an open relay if the machine is connected to the internet


Larry Stone

Feb 8, 2012, 9:32:38 AM
On Wed, 8 Feb 2012, Peter Tselios wrote:

> So far I have not implemented SMTP Auth for various reasons (one of them
> was the fact that I had no Postfix installed). Anyway, I would like to
> implement it, but since I have a relatively large base (>200K emails), I
> would like to do it in a non-disruptive way. I was thinking to implement
> something like a "bounce" message for each outgoing mail without
> authentication. That message will not stop the delivery of the email,
> but it will, simply, inform unauthenticated users about the fact that in
> a few days they will be forced to do so.  When D-day comes, I would like
> to return to unauthenticated users a custom DSN, not the built-in error.
>
> Is there any way to do it? If not, is there any other way to do it?

I think this is a good spot for the standard response of "please don't tell us
what your proposed solution is, please tell us what is the problem you are
trying to solve". In other words, why do you suddenly need SMTP AUTH (and
I'm assuming here you want it even for clients in $mynetworks) and what
is the problem you think making it required will solve?

-- Larry Stone
lsto...@stonejongleux.com

Jose Ildefonso Camargo Tolosa

Feb 8, 2012, 10:49:32 PM
Greetings,

Reindi, search through postfix docs for that:

+ permit_sasl_authenticated
+ permit_mynetworks (play with the mynetworks definition, so,
initially you allow all mail from your local network, and when *all*
of your users have moved to the new authenticated schema, you just remove
the local network from here)

That one is not so important, but I have found it really useful in my
environment:

+ reject_authenticated_sender_login_mismatch (this is an interesting
one, that you can later replace with: reject_sender_login_mismatch ...
now, I use LDAP with all of this).

I am a little in a hurry now, but if you read the docs you may get the idea.

I hope this helps,

Ildefonso Camargo.

Reindl Harald

Feb 8, 2012, 10:59:32 PM
first it was not me having a problem with SMTP Auth

second all of this does not help in the strange wishes of the OP
which are making no sense at all, below quoted again

please do not read only the subject!
_______________________________________-

this is what i meant with "making no sense at all"

Peter Tselios

Feb 9, 2012, 2:13:43 AM
Well,

There are a number of reasons. Like for example, stopping emails from non-existent users, or stopping email bombing from "zombie" PCs.

The majority of emails in the queues of my MTA is backscatter and one of the ways to reduce it is SMTP Auth.

More important, though, is the need to enable access to the MTA from other networks too, so, I need the SMTP AUTH.


----- Original message -----
From: Larry Stone <lsto...@stonejongleux.com>
To: Peter Tselios <s91...@yahoo.gr>
Cc: Postfix Users <postfi...@postfix.org>
Sent: 4:32 PM, Wednesday, 8 February 2012
Subject: Re: Implement SMTP Auth in a non-disruptive way?

On Wed, 8 Feb 2012, Peter Tselios wrote:

> So far I have not implemented SMTP Auth for various reasons (one of them was the fact that I had no Postfix installed). Anyway, I would like to implement it, but since I have a relatively large base (>200K emails), I would like to do it in a non-disruptive way. I was thinking to implement something like a "bounce" message for each outgoing mail without authentication. That message will not stop the delivery of the email, but it will, simply, inform unauthenticated users about the fact that in a few days they will be forced to do so.  When D-day comes, I would like to return to unauthenticated users a custom DSN, not the built-in error.

Peter Tselios

Feb 9, 2012, 2:27:40 AM
Well, I believe you mean: reject_unauthenticated_sender_login_mismatch.
I tried that on my test env, but I did not add the permit_sasl_authenticated and I had issues. Now, it's better, thanks!

I still need the "DSN" style message back for those users and I hope to have some ideas.

----- Original message -----
From: Jose Ildefonso Camargo Tolosa <ildefons...@gmail.com>
To: Postfix Users <postfi...@postfix.org>
Cc:
Sent: 5:49 AM, Thursday, 9 February 2012
Subject: Re: Implement SMTP Auth in a non-disruptive way?

Greetings,

Reindi, search through postfix docs for that:

+ permit_sasl_authenticated
+ permit_mynetworks (play with the mynetworks definition, so,
initially you allow all mail from your local network, and when *all*
of your users have moved to the new authenticated schema, you just remove
the local network from here)

That one is not so important, but I have found it really useful in my
environment:

+ reject_authenticated_sender_login_mismatch  (this is an interesting
one, that you can later replace with: reject_sender_login_mismatch ...
now, I use LDAP with all of this).

I am a little in a hurry now, but if you read the docs you may get the idea.

I hope this helps,

Ildefonso Camargo.


Larry Stone

Feb 9, 2012, 6:26:28 AM
Please do not top-post on this list.

I wrote:
> I think this is a good spot for the standard response of "please don't tell us what your proposed solution is, please tell us what is the problem you are trying to solve". In other words, why do you suddenly need SMTP AUTH (and I'm assuming here you want it even for clients in $mynetworks) and what is the problem you think making it required will solve?

Peter Tselios replied:
> Well,
>
> There are a number of reasons. Like for example, stopping emails from non-existent users, or stopping email bombing from "zombie" PCs.
>
> The majority of emails in the queues of my MTA is backscatter and one of the ways to reduce it is SMTP Auth.

Backscatter is a symptom of another problem. Fix that problem rather than trying to block the symptom.

> More important, though, is the need to enable access to the MTA from other networks too, so, I need the SMTP AUTH.

How does that affect hosts in $mynetworks? You can have SMTP AUTH turned on but still allow unauthenticated mail from hosts within $mynetworks.

--
Larry Stone
lsto...@stonejongleux.com
http://www.stonejongleux.com/

Jose Ildefonso Camargo Tolosa

Feb 9, 2012, 12:45:13 PM
Uh.... sorry Rendi!

As I said: I was in a hurry, I didn't mean to direct the answer to
you! It should go to Peter (I took the wrong name).

Anyway, I don't have the original OP message (I don't know why, I just
don't have it), so, I answered with what I have, and based on my
experience: with these directives, you can implement a
"person-by-person" migration, ie: within "internal network", SMTP auth
would be optional, thus allowing you to have a mixed environment (some
people with auth, some people without auth). No, this won't generate
the message he wants, but allows you to slowly adopt the SMTP
authentication, without disrupting current users.

About the "bounce" message (which would not be exactly a bounce), I
would have to think more about it, but I bet there are ways of doing
it.... However, I think it is better that he just send out massive
email to his 200k users telling them that they should update their
configuration to use SMTP authentication, and that starting X date,
unauthenticated mails will be rejected, and repeat the message some
times (once a week for a month, for example). That'd be simple to do,
and should work.

Sincerely,

Ildefonso Camargo

On Wed, Feb 8, 2012 at 11:29 PM, Reindl Harald <h.re...@thelounge.net> wrote:
>
>
> Am 09.02.2012 04:49, schrieb Jose Ildefonso Camargo Tolosa:
>> Greetings,
>>
>> Reindi, search through postfix docs for that:
>>
>> + permit_sasl_authenticated
>> + permit_mynetworks (play with the mynetworks definition, so,
>> initially you allow all mail from your local network, and when *all*
>> of your users have moved to the new authenticated schema, you just remove
>> the local network from here)
>>
>> That one is not so important, but I have found it really useful in my
>> environment:
>>
>> + reject_authenticated_sender_login_mismatch  (this is an interesting
>> one, that you can later replace with: reject_sender_login_mismatch ...
>> now, I use LDAP with all of this).
>>
>> I am a little in a hurry now, but if you read the docs you may get the idea.
>> I hope this helps
>
> first it was not me having a problem with SMTP Auth
>
> second all of this does not help in the strange wishes of the OP
> which are making no sense at all, below quoted again
>
> please do not read only the subject!
> _______________________________________-
>
> this is what i meant with "making no sense at all"
>
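
The thread suggests keeping `permit_mynetworks` next to `permit_sasl_authenticated` until all users have moved to authentication, then removing the local network. The following added example (not code from any poster or from the Postfix project) shows one way to measure that from the mail log. It assumes the usual smtpd `client=...[ip]` log line with optional `sasl_username=`; the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Postfix smtpd logs one "client=" line per queued message; the sasl_* fields
# are present only when the session authenticated.
CLIENT_RE = re.compile(
    r"postfix(?:/[\w-]+)*/smtpd\[\d+\]: [0-9A-Za-z]+: "
    r"client=[^\[\s]+\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=[^,\s]+)?"
    r"(?:, sasl_username=(?P<user>[^,\s]+))?"
)

def migration_status(log_lines, mynetworks):
    """Per-IP message counts inside mynetworks, split by SASL use."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    unauth, auth = Counter(), Counter()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:  # e.g. client=unknown[unknown]
            continue
        if not any(ip in net for net in nets):
            continue  # outside mynetworks: permit_mynetworks does not apply
        (auth if m.group("user") else unauth)[str(ip)] += 1
    return unauth, auth

def never_authenticated(unauth, auth):
    """IPs that only ever sent without SASL: clients still to migrate."""
    return sorted(ip for ip in unauth if ip not in auth)

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = """\
Feb  9 10:01:02 mx postfix/smtpd[2101]: 3F2A81C0D5: client=pc17.example.net[192.0.2.17]
Feb  9 10:01:05 mx postfix/smtpd[2102]: 4A7B92D1E6: client=pc18.example.net[192.0.2.18], sasl_method=PLAIN, sasl_username=alice@example.net
Feb  9 10:02:11 mx postfix/smtpd[2101]: 5B8CA3E2F7: client=pc17.example.net[192.0.2.17]
Feb  9 10:02:30 mx postfix/smtpd[2103]: 7DAEC50419: client=pc19.example.net[192.0.2.19]
Feb  9 10:02:55 mx postfix/smtpd[2104]: 8EBFD6152A: client=pc19.example.net[192.0.2.19], sasl_method=LOGIN, sasl_username=bob@example.net
Feb  9 10:03:40 mx postfix/smtpd[2107]: 6C9DB4F308: client=mail.example.org[198.51.100.9]
Feb  9 10:04:00 mx postfix/smtpd[2107]: connect from unknown[192.0.2.30]
""".splitlines()

if __name__ == "__main__":
    unauth, auth = migration_status(SAMPLE_LOG, ["192.0.2.0/24"])
    print("unauthenticated:", dict(unauth))
    print("never authenticated:", never_authenticated(unauth, auth))
```

An IP address is not a user: several mail clients behind one NAT address or a shared host show up as a single entry, so an address that appears in both counters still has at least one client that has not switched.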