From: Waitman Gobble
To: Doug Hardie
Cc: "freebsd-questions@freebsd.org List"
Date: Sun, 24 Mar 2013 09:50:15 -0700
Subject: Re: Client Authentication
In-Reply-To: <21ECABE0-0946-469F-8A6C-08194571A8D9@lafn.org>
On Sun, Mar 24, 2013 at 1:25 AM, Doug Hardie wrote:
>
> On 24 March 2013, at 01:10, Waitman Gobble wrote:
>
>> You might consider disabling external smtp auth service and using ssh
>> tunnel to server to connect to mail. Also provide web based convenience
>> service.
>
> I am not convinced that a ssh tunnel is going to be easy for my users. We
> do provide a web based mail client, but I wouldn't describe it as
> convenient. I find it a pain in the neck, but so many users requested it
> that we provide it. It is password authenticated but so slow it will never
> be attacked with password guessing.

One idea is to run a different server process on 25 which does not do SMTP AUTH, then run SMTP AUTH on 465 or 587. I don't really see a reason to advertise SMTP AUTH on 25; for some reason all mail servers seem to do AUTH on all ports or none. Maybe there is a way to configure SMTP AUTH only on certain ports; one way I can think of is to run two processes with two configs. If some people are specifically attacking your service this may not be optimal, but if it's script kiddies scanning servers on port 25 this might discourage them.

Another thought is to modify the SMTP server to allow one or two failed attempts, then lock the account. IRL people set up their password in their email program and don't type it in all the time, or in the case of web mail they make their browser remember it. There isn't a good reason I can think of to allow 100 failed SMTP AUTH attempts. This concept would have to be tweaked a bit to balance customer service demand. You could also use the age of the account to determine the number of failed attempts; newer accounts might get 10 failed attempts, for example.

Or you could disable SMTP auth altogether and make a little program that sets up a tunnel.

Here's an ssh library that's BSD licensed: http://www.libssh2.org/examples/tcpip-forward.html

I think you can decide how much user intervention is needed for port forwarding. It could be something like the user has to have the service installed on their machine, or it's a 'click for email' type thing. A little program that sets up the tunnel behind the scenes. It takes a day or two of front end programming but might be a good solution that works on unix/mac/linux/ms machines. You can have your SMTP AUTH service listening only on localhost. Handheld devices might become a challenge.

>> It might be interesting to encrypt mail to the user's cloud service that
>> operates in a gpg zone. I think this operation could be mostly transparent
>> to the user, so kids and grandmas can use it without concern.
>
> This one I don't understand. Can you provide pointers to this type of
> service?

Sorry, I don't have any pointers; it was an idea last night. The concept is that users have 'cloud' accounts, and email is encrypted to their account, perhaps (off the top of my head) in a fashion similar to the way friendica works. (It's not working with cloud systems, but it encrypts information to individual users; this could be analyzed for ideas for a cloud based system.) This kind of solution might take a week of programming to set up, so it's more work on the front end. If you have some archival requirement or need to parse/key or otherwise analyze messages, in that scenario you would have to copy the message I think.

-- 
Waitman Gobble
San Jose California USA
510-830-7975
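The lockout idea from the message above (one or two failed SMTP AUTH attempts for established accounts, a more generous limit for accounts that are still new), worked through as an added example. This is editor's code, not anything posted in the thread or shipped by any mail server. The log line format, the 30-day "new account" window, the limits of 10 and 2, and the accounts and log lines themselves are all constructed for the example.

```python
import copy
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Policy knobs (assumed values, not from the thread).
NEW_ACCOUNT_DAYS = 30
NEW_ACCOUNT_LIMIT = 10   # user may still be typing the password by hand
OLD_ACCOUNT_LIMIT = 2    # MUA has the password stored; failures are suspicious

# Constructed log line format, e.g.
#   2013-03-24T09:00:00 AUTH FAIL user=alice ip=203.0.113.5
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) AUTH (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class AccountState:
    created: datetime
    consecutive_failures: int = 0
    locked: bool = False
    locked_at: Optional[datetime] = None


def failure_limit(state: AccountState, now: datetime) -> int:
    """Allowed consecutive failures, by account age at time `now`."""
    if now - state.created < timedelta(days=NEW_ACCOUNT_DAYS):
        return NEW_ACCOUNT_LIMIT
    return OLD_ACCOUNT_LIMIT


def parse_line(line: str):
    """Return (timestamp, success, user, ip) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["result"] == "OK", m["user"], m["ip"]


def process(lines, accounts):
    """Replay AUTH events in order, mutating `accounts`; return one verdict per event.

    Verdicts: 'accept', 'reject', 'locked' (arrived while locked), 'unknown-user'.
    The verdict is for the operator's log only: the SMTP reply sent to the client
    should be identical for 'reject', 'locked' and 'unknown-user', so the attacker
    learns neither which accounts exist nor which ones they have already locked.
    """
    decisions = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ok, user, ip = parsed
        state = accounts.get(user)
        if state is None:
            decisions.append((user, ip, "unknown-user"))
            continue
        if state.locked:
            # A correct password is refused too; the account needs an
            # out-of-band reset, which makes the lockout visible to support.
            decisions.append((user, ip, "locked"))
            continue
        if ok:
            state.consecutive_failures = 0
            decisions.append((user, ip, "accept"))
            continue
        state.consecutive_failures += 1
        if state.consecutive_failures >= failure_limit(state, ts):
            state.locked = True
            state.locked_at = ts
        decisions.append((user, ip, "reject"))
    return decisions


# Constructed accounts: one long-established, one created four days earlier.
ACCOUNTS = {
    "alice": AccountState(created=datetime(2010, 1, 1)),
    "newbie": AccountState(created=datetime(2013, 3, 20)),
}

# Constructed log: a guesser burns alice's two tries from 203.0.113.5, then the
# real alice is locked out from her own address; newbie fumbles twice and gets in.
SAMPLE_LOG = """\
2013-03-24T09:00:00 AUTH FAIL user=alice ip=203.0.113.5
2013-03-24T09:00:01 AUTH FAIL user=alice ip=203.0.113.5
2013-03-24T09:00:02 AUTH OK user=alice ip=198.51.100.7
2013-03-24T09:05:00 AUTH FAIL user=newbie ip=198.51.100.9
2013-03-24T09:05:10 AUTH FAIL user=newbie ip=198.51.100.9
2013-03-24T09:05:20 AUTH OK user=newbie ip=198.51.100.9
2013-03-24T09:10:00 AUTH FAIL user=nobody ip=203.0.113.5
"""


def run_sample():
    """Run the constructed log against a fresh copy of the constructed accounts."""
    accounts = copy.deepcopy(ACCOUNTS)
    return process(SAMPLE_LOG.splitlines(), accounts), accounts


if __name__ == "__main__":
    for user, ip, verdict in run_sample()[0]:
        print(f"{user:8s} {ip:14s} {verdict}")
```

The third sample line shows the cost of a hard limit of two: whoever guesses twice against a known address locks the legitimate user out, so a low limit turns the lockout into a denial-of-service lever. Counting failures per source address as well as per account, or locking temporarily with an increasing delay instead of permanently, keeps most of the benefit while blunting that.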