Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] SMTP authentication was re:[SLE] mail sending and Postfix was OT: Posting from another unsubscribed address for a subscriber?
  • From: Sandy Drobic <suse-linux-e@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 27 Apr 2006 22:36:26 +0200
  • Message-id: <44512B4A.20203@xxxxxxxxxxxxxxxxxxxxxxx>
Hylton Conacher (ZR1HPC) wrote:
Carlos E. R. wrote:

The first SMTP server may ask questions, of course. Any SMTP server in the chain, except the one of the destination address may ask for authentication of some sort; ie, your ISP SMTP server may ask for it, because it will _relay_ your mail to somebody else......

OK, understood. What type of authentication could a SMTP server say 3 down the line ask for? Would its request be answered by the second SMTP server or would SMTP-3 try and contact the original dialup server which may not be currently connected?

Authentication, when it is required, will always happen between the server that currently has the mail and the server that is contacted to receive the mail.

Let's just use an example how a mail will progress when you send it off at your company:

Your mailclient is configured to send all mails to the mailserver of the department/company. Your mailclient uses your username/password to authenticate to the company mailserver.

Now the company mailserver does not have the right to send the mail directly to the internet. Only the mailgateway is allowed by the firewall to send directly to the internet. So the company mailserver sends the mail to the mailgateway. In order to prevent other clients in the company from sending directly to the mailgateway, the mailgateway also is configured to require authentication to relay mails. So the company mailserver authenticates itself to the mailgateway using his own user/password or maybe a client certificate. This authentication has nothing to do with how you authenticate to the company mailserver.

The mailgateway could be configured to send the mail either to the ISP mailserver or directly to the next mailserver that is responsible for the recipient's domain. When it uses the ISP mailserver as relay it might have to authenticate again with an independent user/pass to authenticate itself (the mailgateway) to the ISP mailserver.

How many hops the mail has to pass within the recipient's internal network is another question. There could also be several mailservers involved which might ask for authentication.

I admit this is going a bit overboard with the authentication but it could happen nevertheless.



Time to visit an inet cafe and Google SMTP authentication methods.


...........Also, if you tell Mozilla to send the email you write on the gmail account through gmail smtp server (bypassing your ISP smtp server), this will also request some ID.


It would be rare that the second server asked for ID, but it could happen: for instance, in a private network users send to a certain local SMTP server. This one sends to another one on their ISP, who request auth from the private server (but not from the user: that is impossible).
Right, so if I understand correctly, having my own local SMTP server might not alleviate the problems I am experiencing now as again the email FROM header is different to the dialup connection account, and they would have to be the same for the ISP SMTP server to accept it
OR
As the ISP SMTP server is receiving mail from another SMTP server(my local one) will it not authenticate each email sent on the above criteria but do it another way?

I don't know what you are trying to say. (^-^)
The easiest way to test it is to set up several mail accounts in your mailclient and configure each account to send with the same user/pass to your ISP mailserver.

Are they all accepted or is the ISP mailserver refusing some sender addresses?

The method used for authentication varies. An ISP can simply validate by the IP number you use. Or, it can also see that you retrieved email from them, say, three minutes ago from this IP (POP before SMTP). Or it can ask for a login/password pair.

Are these methods also used if the sender is a SMTP server or are different criteria used? ie see above just below OR.

Which restrictions are used mostly depends on what kind of recipient address the email has. I'll give you a Postfix example:

Your server has the following configuration:

mydestination = example.org
mynetworks = 192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    permit

Now, a client in your internal network with the ip 192.168.1.15 connects to your server and wishes to send an email to user@xxxxxxxxxxxxxxxx
Postfix examines the restrictions and evaluates one restriction check after another if a check is returning a value of either "OK, PERMIT" or "REJECT".

The first check in smtpd_recipient_restrictions is "permit_mynetworks". It checks, if the connecting client is in the same network as has been defined in mynetworks. In this case, the client is indeed within the network 192.168.1.0/24, so the check returns "OK" and the mail is accepted. No other checks need to be evaluated.

Next, a client with the ip address 80.242.23.16 connects from the internet to your server and wants to send an email to unknown@xxxxxxxxxxxxxxxxxxx

Postfix first checks again "permit_mynetworks". This time the check comes up empty because the client ip is NOT in mynetworks. So Postfix tries the next check: permit_sasl_authenticated. Well, the client did not authenticate, so this check also returns an empty result. The next check, "reject_unauth_destination" evaluates if the recipient address is in a domain that Postfix is responsible for, otherwise it returns "REJECT" as result.
In this case, the domain somewhere-else.org is not in mydestination, so the check returns "REJECT" and the mail is rejected.

What kind of restriction checks are configured for a mailserver is completely up to you and your requirements.

In other words: SMTP servers that relay email to some other smtp server should normally use some kind of authentication. Those servers of the destination address will not.
OK understood that any of the SMTP servers can request authentication, except the destination SMTP server.

Another clarification: The minimum is two smtp servers in the chain. One gets the email from you, the other one receives it for the addressee. Depending on the setup, there can be intermediaries on both sides. Each one normally adds a "Received" header to the email, and you can read them (try: it is instructive).

mmm, I've seen email headers and understand this. What I didn't know was that there are normally only a maximum of 2 SMTP servers ie sender and receiver.

Normally there is a minimum of two servers. Though here's an example where only one server is involved:

Your mailclient is sending to the ISP mailserver. The recipient's maildomain is also hosted on that server, so the server directly delivers the mail to the mailbox of the recipient, end of story. (^-^)

If the recipient's maildomain is not hosted on the server that you used to send your mail to, then the mail will have to be sent at least to another server.

Sandy

--
List replies only please!
Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
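
Added example, not part of the original message and not Postfix code: a small Python model of the first-match evaluation of smtpd_recipient_restrictions walked through above, using the mydestination and mynetworks values from the message. It goes beyond the two cases in the text by adding an authenticated outside client and an outside client mailing a local recipient. The recipient addresses and the SASL user name are constructed placeholders, and reject_unauth_destination is simplified to consult only mydestination.

```python
import ipaddress

# Values from the main.cf example in the message above.
MYDESTINATION = {"example.org"}
MYNETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
RESTRICTIONS = ["permit_mynetworks", "permit_sasl_authenticated",
                "reject_unauth_destination", "permit"]

def check(name, client_ip, sasl_user, rcpt):
    """Return 'OK', 'REJECT', or None (no decision, try the next check)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if name == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "OK" if any(ip in net for net in MYNETWORKS) else None
    if name == "permit_sasl_authenticated":
        return "OK" if sasl_user else None
    if name == "reject_unauth_destination":
        # Simplified assumption: only mydestination is consulted here.
        return None if domain in MYDESTINATION else "REJECT"
    if name == "permit":
        return "OK"
    raise ValueError(f"unknown restriction: {name}")

def evaluate(client_ip, rcpt, sasl_user=None):
    """Walk the list in order; the first OK or REJECT ends the evaluation."""
    for name in RESTRICTIONS:
        result = check(name, client_ip, sasl_user, rcpt)
        if result is not None:
            return result, name
    return "OK", "(end of list)"

# Constructed sample connections: (client ip, recipient, SASL user or None).
CASES = [
    ("192.168.1.15", "user@somewhere-else.org", None),             # internal client
    ("80.242.23.16", "unknown@somewhere-else.org", None),          # outside, no auth
    ("80.242.23.16", "user@somewhere-else.org", "roaming-user"),   # outside, authenticated
    ("80.242.23.16", "user@example.org", None),                    # outside, local recipient
]

if __name__ == "__main__":
    for ip, rcpt, user in CASES:
        verdict, decided_by = evaluate(ip, rcpt, user)
        print(f"{ip:15} {rcpt:28} auth={user!s:13} -> {verdict} ({decided_by})")
```

The order of the list is what keeps the server from being an open relay: the final "permit" is only reached for recipients that reject_unauth_destination has already let through.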
