Secure mail relays [was:RE: DOJ proposes US data-retention law. ]

RL 'Bob' Morgan rlmorgan at washington.edu
Mon Jun 24 00:27:34 PDT 2002


On Sat, 22 Jun 2002, Lucky Green wrote:

> I am limiting relaying on port 25 smtp to authorized users by using
> Cyrus-SASL, which integrates cleanly with postfix + TLS as the MTA.
> Since Outlook only provides the plaintext variant of SASL
> authentication, my MTA is configured to not offer smtp AUTH as an option
> until after the TLS connection has been established to prevent
> eavesdroppers from capturing the relaying authentication password.

We run the main MTA for my university this way (of course it will relay
without authentication if the client source address is within the
university IP ranges), using sendmail and cyrus-sasl.  It's my impression
that many US universities are starting to do this.  We started it as a
one-off MTA handling submission of mail for travelers, then realized that
the regular MTA could just provide this service.  It also does Kerberos
authentication, which I use (though not many MUAs support it).

> Since more and more misguided ISPs are flat out blocking outgoing
> connections to port 25 from inside their network, I have postfix
> listening at a higher port number in addition to port 25, just as many
> hosts today are running sshd on several ports to help compensate for
> similarly misguided corporate firewall policies.

The obvious port is 587, the "submission" port (see RFC 2476), which in
fact is the one that MUAs "should" use, rather than 25 (we support it, I'm
submitting this mail using it, via my home ISP).  Of course if it actually
becomes popular those misguided ISPs will block it too ...

 - RL "Bob"
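What the setup the two messages describe looks like on a current Postfix, as an added example (this is not configuration posted by either writer; it uses the parameter names of Postfix 2.10 and later, and the file paths, the 192.0.2.0/24 "campus" range and the certificate location are placeholders). It shows the weak default beside the corrected setting that keeps AUTH off the plaintext channel, and the port 587 submission service with TLS mandatory:

```conf
# ---- /etc/postfix/main.cf (excerpt) ----
# Certificate used for STARTTLS by every smtpd instance (placeholder paths).
smtpd_tls_cert_file = /etc/postfix/smtpd.pem
smtpd_tls_key_file  = $smtpd_tls_cert_file

# Port 25 talks to the world: offer STARTTLS but do not require it,
# since other MTAs delivering to us may not speak TLS.
smtpd_tls_security_level = may

# Cyrus SASL as the AUTH backend.  Relaying is allowed only for local
# source addresses (placeholder range) or for authenticated clients.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# WEAK (the Postfix default): AUTH is announced on the unencrypted
# connection, so an MUA that only has PLAIN/LOGIN sends the password
# in the clear to anyone sniffing port 25.
#smtpd_tls_auth_only = no
#
# CORRECTED: do not announce AUTH until STARTTLS has completed.
smtpd_tls_auth_only = yes

# Alternative: keep Kerberos (GSSAPI) usable without TLS but hide the
# plaintext mechanisms until the session is encrypted.
#smtpd_sasl_security_options     = noanonymous, noplaintext
#smtpd_sasl_tls_security_options = noanonymous

# ---- /etc/postfix/master.cf (excerpt) ----
# Port 587, the RFC 2476 "submission" port: TLS is mandatory and nothing
# relays without SASL authentication, whatever the source address.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# ---- /etc/postfix/sasl/smtpd.conf ----
# Cyrus SASL: check PLAIN/LOGIN passwords through saslauthd and also
# accept GSSAPI from clients that hold a Kerberos ticket.
pwcheck_method: saslauthd
mech_list: plain login gssapi
```

After `postfix reload`, `openssl s_client -starttls smtp -connect mail.example.edu:587` shows the EHLO reply after the handshake; the AUTH line should appear there and not in a plain `telnet mail.example.edu 25` session. Note that in main.cf a `#` only starts a comment at the beginning of a line, which is why the comments above are never placed after a value.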
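A client-side check for the property the thread is about, "AUTH with plaintext mechanisms is offered only once TLS is up", as an added example (not code from either message). It uses Python's standard `smtplib`, whose `esmtp_features` dict holds the EHLO keywords lowercased, with the AUTH mechanism list as the value of `"auth"`. The `probe()` function talks to a real server; the EHLO captures below are constructed, not taken from any host, and `mail.example.edu` is a placeholder:

```python
"""Check whether an MTA exposes password-based SMTP AUTH before STARTTLS.

Added example, not from the original mailing-list message.  Hostnames are
placeholders; the sample EHLO captures are constructed for illustration.
"""
import smtplib
import ssl
import sys

# Mechanisms that carry the password itself (or a trivially reversible
# encoding of it) over the wire.  GSSAPI / DIGEST-MD5 / CRAM-MD5 do not.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs(features):
    """Return the set of AUTH mechanisms in an smtplib esmtp_features dict.

    smtplib stores EHLO keywords lowercased; for 'auth' the value is the
    mechanism list, e.g. ' PLAIN LOGIN' (leading space included).
    """
    if "auth" not in features:
        return set()
    return {m.upper() for m in features["auth"].split()}


def assess(before_tls, after_tls):
    """Judge two EHLO feature dicts, captured before and after STARTTLS.

    The server passes only if STARTTLS is offered at all and no plaintext
    mechanism is announced on the unencrypted connection.  Announcing only
    GSSAPI before TLS (Kerberos users) is acceptable: no password crosses
    the wire.
    """
    pre = auth_mechs(before_tls)
    post = auth_mechs(after_tls)
    exposed = bool(pre & PLAINTEXT_MECHS)
    starttls_offered = "starttls" in before_tls
    return {
        "auth_before_tls": pre,
        "auth_after_tls": post,
        "plaintext_creds_exposed": exposed,
        "starttls_offered": starttls_offered,
        "ok": starttls_offered and not exposed,
    }


def probe(host, port=587, timeout=10):
    """Connect, record EHLO features, upgrade to TLS, record them again."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        if "starttls" in before:
            s.starttls(context=ssl.create_default_context())
            s.ehlo()  # smtplib clears the features on STARTTLS; ask again
        after = dict(s.esmtp_features)
    return assess(before, after)


# Constructed EHLO captures (not recorded from any real server).
WEAK_BEFORE = {"size": "10240000", "starttls": "", "auth": " PLAIN LOGIN"}
WEAK_AFTER = {"size": "10240000", "auth": " PLAIN LOGIN"}
GOOD_BEFORE = {"size": "10240000", "starttls": ""}
GOOD_AFTER = {"size": "10240000", "auth": " PLAIN LOGIN"}
KERB_BEFORE = {"starttls": "", "auth": " GSSAPI"}
KERB_AFTER = {"auth": " GSSAPI PLAIN LOGIN"}
NO_TLS = {"size": "10240000", "auth": " PLAIN"}

if __name__ == "__main__":
    if len(sys.argv) >= 2:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        print(probe(sys.argv[1], port))
    else:
        for name, (b, a) in {"weak": (WEAK_BEFORE, WEAK_AFTER),
                             "good": (GOOD_BEFORE, GOOD_AFTER),
                             "kerberos": (KERB_BEFORE, KERB_AFTER),
                             "no-tls": (NO_TLS, NO_TLS)}.items():
            print(name, assess(b, a))
```

Run it as `python check_auth_tls.py mail.example.edu 587` (and again with 25) against your own relay; with no arguments it evaluates the constructed captures. A server configured as the thread describes yields `auth_before_tls` empty and `auth_after_tls` containing PLAIN/LOGIN on both ports.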



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com