The qpopper list archive ending on 10 Feb 2003
Topics covered in this issue include:
1. Re: newbie problem
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Thu, 6 Feb 2003 01:34:17 -0500
2. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 08:39:08 -0500 (EST)
3. Re: Relaying Denied
The Little Prince <thelittleprince at asteroid-b612 dot org>
Thu, 6 Feb 2003 05:44:43 -0800 (PST)
4. Re: Relaying Denied
Daniel Senie <dts at senie dot com>
Thu, 06 Feb 2003 09:17:36 -0500
5. RE: Relaying Denied
"Morgan A. Miskell" <mormis at caro dot net>
Thu, 6 Feb 2003 09:30:17 -0500
6. Re: Relaying Denied
Ken Hohhof <ken at mixedsignal dot com>
Thu, 06 Feb 2003 07:51:53 -0600
7. [Fwd: Relaying Denied]
"Judith A. Young" <csjay at eiu dot edu>
Thu, 06 Feb 2003 08:31:56 -0600
8. Re: Relaying Denied
"Ken Hohhof" <ken at mixedsignal dot com>
Thu, 6 Feb 2003 08:49:01 -0600
9. RE: Relaying Denied
Daniel Senie <dts at senie dot com>
Thu, 06 Feb 2003 10:14:06 -0500
10. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 10:41:11 -0500 (EST)
11. Re: Relaying Denied
John Rudd <jrudd at ucsc dot edu>
Thu, 6 Feb 2003 08:00:01 -0800
12. Re: Relaying Denied
"Alan W. Rateliff, II" <lists at rateliff dot net>
Thu, 6 Feb 2003 12:09:25 -0500
13. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 10:56:49 -0500 (EST)
14. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 15:53:57 -0500 (EST)
15. Re: Relaying Denied
"Ken Hohhof" <ken at mixedsignal dot com>
Thu, 6 Feb 2003 15:19:43 -0600
16. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 16:31:49 -0500 (EST)
17. Re: Relaying Denied
"steve" <steve at chesint dot net>
Thu, 6 Feb 2003 19:02:54 -0500
18. Re: Relaying Denied
Daniel Senie <dts at senie dot com>
Thu, 06 Feb 2003 16:36:32 -0500
19. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 19:06:56 -0500 (EST)
20. Re: Relaying Denied
Ted Cabeen <ted at impulse dot net>
Thu, 06 Feb 2003 16:10:35 -0800
21. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Thu, 6 Feb 2003 19:13:49 -0500 (EST)
22. Newbie need help!!!
"yong" <yong80 at oikose dot com>
Fri, 7 Feb 2003 10:43:46 +0800
23. Qpopper 4.0.5b2 available
Randall Gellens <randy at qualcomm dot com>
Thu, 6 Feb 2003 18:23:48 -0800
24. Re: Relaying Denied
Daniel Senie <dts at senie dot com>
Thu, 06 Feb 2003 16:39:30 -0500
25. Re: Relaying Denied
Randall Gellens <randy at qualcomm dot com>
Thu, 6 Feb 2003 21:49:55 -0800
26. Re: Relaying Denied
Randall Gellens <randy at qualcomm dot com>
Thu, 6 Feb 2003 21:56:31 -0800
27. Re: Relaying Denied
Len Conrad <LConrad at Go2France dot com>
Thu, 06 Feb 2003 20:29:42 -0600
28. Re: Relaying Denied
Len Conrad <LConrad at Go2France dot com>
Thu, 06 Feb 2003 20:27:22 -0600
29. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Fri, 7 Feb 2003 04:49:39 -0500 (EST)
30. Re: Relaying Denied
Robert Brandtjen <rob at prometheusmedia dot com>
Fri, 7 Feb 2003 08:10:02 -0600
31. Re: Relaying Denied
"Alan W. Rateliff, II" <lists at rateliff dot net>
Fri, 7 Feb 2003 01:04:48 -0500
32. Re: Relaying Denied
The Little Prince <thelittleprince at asteroid-b612 dot org>
Thu, 6 Feb 2003 18:59:37 -0800 (PST)
33. Re: Relaying Denied
Robert Brandtjen <rob at prometheusmedia dot com>
Thu, 6 Feb 2003 23:48:37 -0600
34. Re: Newbie need help!!!
Randall Gellens <randy at qualcomm dot com>
Fri, 7 Feb 2003 11:36:07 -0800
35. Re: Relaying Denied
Mark <admin at asarian-host dot net>
Sat, 8 Feb 2003 01:20:04 +0100
36. Re: Relaying Denied
Ken Hohhof <ken at mixedsignal dot com>
Fri, 07 Feb 2003 22:55:35 -0600
37. Re: confirmation
Cliff Sarginson <cls at raggedclown dot net>
Sun, 9 Feb 2003 11:29:44 +0100
38. Re: Relaying Denied
Robert Brandtjen <rob at prometheusmedia dot com>
Fri, 7 Feb 2003 13:28:12 -0600
39. Re: Relaying Denied
Cliff Sarginson <cls at raggedclown dot net>
Sun, 9 Feb 2003 12:28:04 +0100
40. Re: Qpopper 4.0.5b2 available
Randall Gellens <randy at qualcomm dot com>
Fri, 7 Feb 2003 21:12:23 -0800
41. Re: Relaying Denied
Alan Brown <alanb at digistar dot com>
Sun, 9 Feb 2003 11:43:01 -0500 (EST)
42. Re: Relaying Denied
Mark <admin at asarian-host dot net>
Sun, 9 Feb 2003 14:57:21 +0100
43. Re: Relaying Denied
Ken Hohhof <ken at mixedsignal dot com>
Sun, 09 Feb 2003 10:37:56 -0600
44. Re: Relaying Denied
Chip Old <fold at bcpl dot net>
Sun, 9 Feb 2003 18:41:23 -0500 (EST)
45. Re: confirmation
Cliff Sarginson <cls at raggedclown dot net>
Mon, 10 Feb 2003 01:05:22 +0100
46. Re: Relaying Denied
John Rudd <jrudd at ucsc dot edu>
Sun, 9 Feb 2003 15:48:40 -0800
47. Re: Relaying Denied
Mark <admin at asarian-host dot net>
Sat, 8 Feb 2003 01:30:16 +0100
48. A long message on spam and viruses [ was Re: Relaying Denied ]
Cliff Sarginson <cls at raggedclown dot net>
Mon, 10 Feb 2003 06:18:11 +0100
49. expecting SMTP AUTH (Re: Relaying Denied)
Chuck Yerkes <chuck+qpopper at yerkes dot com>
Mon, 10 Feb 2003 02:37:05 -0500
50. Re: confirmation
Randall Gellens <randy at qualcomm dot com>
Sun, 9 Feb 2003 15:13:32 -0800
Date: Thu, 6 Feb 2003 01:34:17 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: Re: newbie problem
And can you stop sending HTML messages to the list.
There are those of us who don't read mail with
browsers....
I'll presume that if you don't need an SMTP server,
you're using UUCP?
Quoting Sujith Mathew (sujithjm at hotpop dot com):
Date: Thu, 6 Feb 2003 08:39:08 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Wed, 5 Feb 2003, Donald Clouse wrote:
> Thank you. Do you know where I could get info on how to configure the
> POP-before-SMTP solution? I am running sendmail.
Don't. Pop-before-smtp is an ugly hack which was only really implemented
as a quick workaround kludge until smtp auth was developed, standardised
and widely available.
Almost every mail client out there now supports SMTP AUTH (+SSL). Use it.
Date: Thu, 6 Feb 2003 05:44:43 -0800 (PST)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: Relaying Denied
On Wed, 5 Feb 2003, Daniel Senie wrote:
> posting, your users are using Outlook or Outlook Express. Both support SMTP
> AUTH just fine, so use it! You turn it on by clicking a check box on the
> Servers config tab that says "my server requires authentication." The
> default settings work.
>
I agree with the SMTP AUTH statements. Be aware, if you're on a system
that uses Norton AV, this has a habit of not letting AUTH work with the
defaults. Default being for it to use the pop3 username/password. You have
to actually "specify" your username/password. It won't assume it from your
incoming authentication. But just with Norton AV, as I've seen and heard
about so far.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
> >Thanks Again.
> >Don
> >----- Original Message -----
> >From: "Aleksandr Melentiev" <alex at myzona dot net>
> >To: "Donald Clouse" <tfug at hotmail dot com>; "Subscribers of Qpopper"
> ><qpopper at lists.pensive dot org>
> >Sent: Wednesday, February 05, 2003 6:37 PM
> >Subject: Re: Relaying Denied
> >
> >
> > > Hello,
> > >
> > > This is not qpopper's fault. The user is trying to send email using your
> > > SMTP server on that box (such as sendmail or postfix) and it prohibits users
> > > from sending mail remotely for security reasons. If this is an issue and you
> > > would like to let users send email via your server, consider setting up
> > > some kind of authentication... most popular choices would be POP-before-SMTP
> > > system and SMTP AUTH.
> > >
> > > Hope this helps.
> > > Alex.
> > >
> > > ----- Original Message -----
> > > From: Donald Clouse
> > > To: Subscribers of Qpopper
> > > Sent: Wednesday, February 05, 2003 4:48 PM
> > > Subject: Relaying Denied
> > >
> > >
> > > Hello All,
> > > I have qpopper running on a RH 8.0 linux box.
> > > When one of the pop3 users comes into the box to check their email they get
> > > the message:
> > >
> > > Server: IP Address Port 25 SMTP Server error 550 5.7.1
> > > Relaying Denied Secure SSL Server error 550
> > > Err 0x800cc79
> > >
> > > Any Ideas on why a user on the box would be denied the sending of any
> > > outgoing email?
> > >
> > > Thank You.
> > >
> > > Don
> > >
>
>
Date: Thu, 06 Feb 2003 09:17:36 -0500
From: Daniel Senie <dts at senie dot com>
Subject: Re: Relaying Denied
At 08:44 AM 2/6/2003, The Little Prince wrote:
>On Wed, 5 Feb 2003, Daniel Senie wrote:
>
> > posting, your users are using Outlook or Outlook Express. Both support SMTP
> > AUTH just fine, so use it! You turn it on by clicking a check box on the
> > Servers config tab that says "my server requires authentication." The
> > default settings work.
> >
>
>i agree with the SMTP AUTH statements. be aware, if you're on a system
>that uses Norton AV, this has a habit of not letting AUTH work with the
>defaults. Default being for it to use the pop3 username/password. You have
>to actually "specify" your username/password. It won't assume it from your
>incoming authentication. But just with Norton AV, as i've seen and heard
>about so far.
Very good point.
Norton AV, and other email filtering and handling products which interpose
themselves in as proxy servers in this way are really useless products.
They fail to implement lots of features of POP (e.g. TLS) and create
serious support headaches. Products which wish to filter spam or viruses
REALLY should be built to "plug in" to mail clients via APIs. Other vendors
get this right.
While I use Norton for virus scanning myself, I keep the email scanning
disabled (I provide Antivirus in my mail server anyway, and have other
protections on my client, so I'm covered). This poorly designed component
really hurts an otherwise decent product offering.
From: "Morgan A. Miskell" <mormis at caro dot net>
Subject: RE: Relaying Denied
Date: Thu, 6 Feb 2003 09:30:17 -0500
Clarification on that, the default settings will work with Qpopper if you
are just sending userid. If you have Qpopper ignoring the domains (like I
do) and the users are sending login at domain dot com, then smtp auth will fail
(unless you add a hack), the users will need to send only login and password
(no domain)
-----Original Message-----
From: Daniel Senie [mailto:dts at senie dot com]
Sent: Wednesday, February 05, 2003 11:13 PM
To: Donald Clouse; Subscribers of Qpopper
Subject: Re: Relaying Denied
At 09:06 PM 2/5/2003, Donald Clouse wrote:
>Alex,
>Thank you. Do you know where I could get info on how to configure the
>POP-before-SMTP solution? I am running sendmail.
>
>I can both POP and SMTP on the LAN but someone coming in outside the lan
>fails......is this sheds any further light on my problem.
I'd urge you to first try to implement SMTP AUTH. While the smtp-after-pop
approach does function, users do not "get it" very well, and you'll get
lots of support calls. Based on your error message in your original
posting, your users are using Outlook or Outlook Express. Both support SMTP
AUTH just fine, so use it! You turn it on by clicking a check box on the
Servers config tab that says "my server requires authentication." The
default settings work.
>Thanks Again.
>Don
>----- Original Message -----
>From: "Aleksandr Melentiev" <alex at myzona dot net>
>To: "Donald Clouse" <tfug at hotmail dot com>; "Subscribers of Qpopper"
><qpopper at lists.pensive dot org>
>Sent: Wednesday, February 05, 2003 6:37 PM
>Subject: Re: Relaying Denied
>
>
> > Hello,
> >
> > This is not qpopper's fault. The user is trying to send email using your
> > SMTP server on that box (such as sendmail or postfix) and it prohibits users
> > from sending mail remotely for security reasons. If this is an issue and you
> > would like to let users send email via your server, consider setting up
> > some kind of authentication... most popular choices would be POP-before-SMTP
> > system and SMTP AUTH.
> >
> > Hope this helps.
> > Alex.
> >
> > ----- Original Message -----
> > From: Donald Clouse
> > To: Subscribers of Qpopper
> > Sent: Wednesday, February 05, 2003 4:48 PM
> > Subject: Relaying Denied
> >
> >
> > Hello All,
> > I have qpopper running on a RH 8.0 linux box.
> > When one of the pop3 users comes into the box to check their email they get
> > the message:
> >
> > Server: IP Address Port 25 SMTP Server error 550 5.7.1
> > Relaying Denied Secure SSL Server error 550
> > Err 0x800cc79
> >
> > Any Ideas on why a user on the box would be denied the sending of any
> > outgoing email?
> >
> > Thank You.
> >
> > Don
> >
Your ISP has scanned this email for Viruses and Spam Control.
Date: Thu, 06 Feb 2003 07:51:53 -0600
From: Ken Hohhof <ken at mixedsignal dot com>
Subject: Re: Relaying Denied
>Alex,
>Thank you. Do you know where I could get info on how to configure the
>POP-before-SMTP solution? I am running sendmail.
>
>I can both POP and SMTP on the LAN but someone coming in outside the lan
>fails......is this sheds any further light on my problem.
Try http://sourceforge.net/projects/poprelay
Date: Thu, 06 Feb 2003 08:31:56 -0600
From: "Judith A. Young" <csjay at eiu dot edu>
Subject: [Fwd: Relaying Denied]
Hello,
I recently installed DRAC on my sendmail host (solaris 2.8). Seems to
work fine. You can learn more about this at
http://mail.cc.umanitoba.ca/drac/
Judy Young
EIU Unix Services
From: "Donald Clouse" <tfug at hotmail dot com>
To: "Aleksandr Melentiev" <alex at myzona dot net>,
"Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Subject: Re: Relaying Denied
Date: Wed, 5 Feb 2003 19:06:07 -0700
Alex,
Thank you. Do you know where I could get info on how to configure the
POP-before-SMTP solution? I am running sendmail.
I can both POP and SMTP on the LAN but someone coming in outside the lan
fails......is this sheds any further light on my problem.
Thanks Again.
Don
----- Original Message -----
From: "Aleksandr Melentiev" <alex at myzona dot net>
To: "Donald Clouse" <tfug at hotmail dot com>; "Subscribers of Qpopper"
<qpopper at lists.pensive dot org>
Sent: Wednesday, February 05, 2003 6:37 PM
Subject: Re: Relaying Denied
> Hello,
>
> This is not qpopper's fault. The user is trying to send email using your
> SMTP server on that box (such as sendmail or postfix) and it prohibits users
> from sending mail remotely for security reasons. If this is an issue and you
> would like to let users send email via your server, consider setting up
> some kind of authentication... most popular choices would be POP-before-SMTP
> system and SMTP AUTH.
>
> Hope this helps.
> Alex.
>
> ----- Original Message -----
> From: Donald Clouse
> To: Subscribers of Qpopper
> Sent: Wednesday, February 05, 2003 4:48 PM
> Subject: Relaying Denied
>
>
> Hello All,
> I have qpopper running on a RH 8.0 linux box.
> When one of the pop3 users comes into the box to check their email they get
> the message:
>
> Server: IP Address Port 25 SMTP Server error 550 5.7.1
> Relaying Denied Secure SSL Server error 550
> Err 0x800cc79
>
> Any Ideas on why a user on the box would be denied the sending of any
> outgoing email?
>
> Thank You.
>
> Don
>
From: "Ken Hohhof" <ken at mixedsignal dot com>
Subject: Re: Relaying Denied
Date: Thu, 6 Feb 2003 08:49:01 -0600
> Don't. Pop-before-smtp is an ugly hack which was only really implemented
> as a quick workaround kludge until smtp auth was developed, standardised
> and widely available.
I think you guys are too hard on pop-before-smtp. Granted it is a kludge
and should be avoided if you can. But we have used it for several years
with no problems except that a couple times the daemon stopped for no
apparent reason and had to be manually restarted.
If you primarily provide Internet connectivity as we do, the best policy is
to only relay for clients on your network. If a few customers connect
through another ISP, tell them to use their ISP's outgoing mailserver, this
is the standard solution. If they have a T1 or a premium DSL with static
IP, then we will enter their IP in our relaying database. If they're too
cheap to spring for a static IP on their DSL, or they are using another
ISP's dialup and are too inept to enter that ISP's outgoing mailserver,
tough luck. Or they can use our WebMail server, that's another solution.
If you primarily provide webhosting and email accounts but not connectivity,
then SMTP AUTH is the standard solution.
If you are a private company, and you have remote/mobile/SOHO clients,
things are less clear. My preference would still be to use the ISP's
outgoing mailserver. But you may have a policy that all sent mail goes
through your server, maybe so you can log it or screen it for viruses and/or
content. Also you probably have more control over the email clients that
your employees use and you probably set it up for them. In this case you
may want to use SMTP AUTH or even non-standard mail like Exchange mail.
We don't like SMTP AUTH because it is not practical to make all our
customers use it just to accommodate the few who need it. And if we enable
it on our server, we have problems with our many Mac users with Netscape 4.x
clients which seem to choke if the server offers AUTH but the client is not
set up for it.
Again, WebMail is an alternative. We use EmuMail which is basically a
web-based POP3 client, we actually run it on the same server as qpopper but
it can just as easily (and probably better) be on a separate server.
Date: Thu, 06 Feb 2003 10:14:06 -0500
From: Daniel Senie <dts at senie dot com>
Subject: RE: Relaying Denied
At 09:30 AM 2/6/2003, Morgan A. Miskell wrote:
>Clarification on that, the default settings will work with Qpopper if you
>are just sending userid. If you have Qpopper ignoring the domains (like I
>do) and the users are sending login at domain dot com, then smtp auth will fail
>(unless you add a hack), the users will need to send only login and password
>(no domain)
This results because while you have qpopper configured to ignore domain
names, you've not similarly configured sendmail (no, I don't know the magic
to do that, but I expect it could be coerced to do it).
Relating to another thread, I find I purposely do not want to have qpopper
strip domains, as I try to keep my customers in the mindset that their
username/password for email access is NOT necessarily the same as the
left-hand-side of their email address. Since I host large numbers of
domains, there are many cases where the username is not the same as the
left-hand-side of their email.
>-----Original Message-----
>From: Daniel Senie [mailto:dts at senie dot com]
>Sent: Wednesday, February 05, 2003 11:13 PM
>To: Donald Clouse; Subscribers of Qpopper
>Subject: Re: Relaying Denied
>
>
>At 09:06 PM 2/5/2003, Donald Clouse wrote:
> >Alex,
> >Thank you. Do you know where I could get info on how to configure the
> >POP-before-SMTP solution? I am running sendmail.
> >
> >I can both POP and SMTP on the LAN but someone coming in outside the lan
> >fails......is this sheds any further light on my problem.
>
>I'd urge you to first try to implement SMTP AUTH. While the smtp-after-pop
>approach does function, users do not "get it" very well, and you'll get
>lots of support calls. Based on your error message in your original
>posting, your users are using Outlook or Outlook Express. Both support SMTP
>AUTH just fine, so use it! You turn it on by clicking a check box on the
>Servers config tab that says "my server requires authentication." The
>default settings work.
>
> >Thanks Again.
> >Don
> >----- Original Message -----
> >From: "Aleksandr Melentiev" <alex at myzona dot net>
> >To: "Donald Clouse" <tfug at hotmail dot com>; "Subscribers of Qpopper"
> ><qpopper at lists.pensive dot org>
> >Sent: Wednesday, February 05, 2003 6:37 PM
> >Subject: Re: Relaying Denied
> >
> >
> > > Hello,
> > >
> > > This is not qpopper's fault. The user is trying to send email using your
> > > SMTP server on that box (such as sendmail or postfix) and it prohibits users
> > > from sending mail remotely for security reasons. If this is an issue and you
> > > would like to let users send email via your server, consider setting up
> > > some kind of authentication... most popular choices would be POP-before-SMTP
> > > system and SMTP AUTH.
> > >
> > > Hope this helps.
> > > Alex.
> > >
> > > ----- Original Message -----
> > > From: Donald Clouse
> > > To: Subscribers of Qpopper
> > > Sent: Wednesday, February 05, 2003 4:48 PM
> > > Subject: Relaying Denied
> > >
> > >
> > > Hello All,
> > > I have qpopper running on a RH 8.0 linux box.
> > > When one of the pop3 users comes into the box to check their email they get
> > > the message:
> > >
> > > Server: IP Address Port 25 SMTP Server error 550 5.7.1
> > > Relaying Denied Secure SSL Server error 550
> > > Err 0x800cc79
> > >
> > > Any Ideas on why a user on the box would be denied the sending of any
> > > outgoing email?
> > >
> > > Thank You.
> > >
> > > Don
> > >
>
Date: Thu, 6 Feb 2003 10:41:11 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, Chuck Yerkes wrote:
> POP-b4-SMTP is risky at best and fails at worst.
> Clients have planned to use it and have found great pain after
> deploying dozens of laptops. There are those who chose
> it even after SMTP AUTH was available and clearly the "Right Answer"
> to replace the hack that is POP-b4-SMTP.
As an additional note for this - and ESPECIALLY applicable to laptops.
Lots of ISPs block port 25 transactions outside their local networks to
prevent direct-to-MX spammers operating out of their dialups.
As a result, roaming users need to use the MSA port instead of SMTP and
there are security issues involved with using plaintext SMTP AUTH - as
in anyone can read the passwords if they happen to be sniffing the
traffic(*), so you'd better use SSL too.
(*) Anyone doing traffic accounting for starters.
> The POP request comes in, your script enables anyone coming
> from that AOL host to relay freely for 20 minutes <shudder>
> but your SMTP connection comes in via a different relay. You
> are denied. Ooops.
and some software (outlook express) does smtp before pop3, so even if
pop-before-smtp is enabled, users will still ring you up complaining
that things don't work.
> SMTP-AUTH is almost always the right answer at this point.
> Even for internal LAN mail (keeps some guy who got on your
> 802.11a line from spamming).
Or the spammer coming in via a customer's promiscuous TCP port 25 proxy
from abusing your smarthost..
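An added illustration (not written by any poster in this thread, and not code from qpopper, sendmail or any pop-before-smtp package): a small Python model of the two relay policies being compared, replayed over constructed events that reproduce the failure cases described above. The addresses, the account, the class names and the rule that AUTH is refused on a session without TLS are assumptions of the example.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# All addresses, accounts and events below are constructed for illustration.
LOCAL_NETS = [ip_network("192.0.2.0/24")]   # the operator's own network
WINDOW = 20 * 60                            # the 20-minute window quoted above


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


@dataclass
class PopBeforeSmtp:
    """Relay permission keyed on source IP, granted by any successful POP3 login."""
    window: int = WINDOW
    last_pop: dict = field(default_factory=dict)   # ip -> time of last POP login

    def pop_login(self, ip, t):
        self.last_pop[ip] = t

    def may_relay(self, ip, t, creds=None, tls=False):
        if is_local(ip):
            return True
        seen = self.last_pop.get(ip)
        # Credentials in the SMTP session are never looked at: only the IP counts.
        return seen is not None and 0 <= t - seen <= self.window


@dataclass
class SmtpAuth:
    """Relay permission bound to credentials presented in the SMTP session itself."""
    accounts: dict                                  # user -> password (toy store)

    def pop_login(self, ip, t):
        pass                                        # POP3 activity is irrelevant here

    def may_relay(self, ip, t, creds=None, tls=False):
        if is_local(ip):
            return True                             # local clients relay without AUTH
        if creds is None or not tls:
            return False                            # assumed policy: no AUTH in cleartext
        user, password = creds
        expected = self.accounts.get(user)
        return expected is not None and hmac.compare_digest(expected, password)


ALICE = ("alice", "correct horse")
# (time in seconds, kind, source IP, credentials, TLS in use, label)
EVENTS = [
    (0,    "pop",  "198.51.100.10", None,  False, ""),
    (30,   "smtp", "198.51.100.11", ALICE, True,  "owner, SMTP leaves via a different relay IP"),
    (600,  "smtp", "198.51.100.10", None,  False, "stranger sharing the POP source IP"),
    (5000, "smtp", "203.0.113.7",   ALICE, True,  "client sends before it polls POP3"),
    (5005, "pop",  "203.0.113.7",   None,  False, ""),
    (5100, "smtp", "203.0.113.7",   ALICE, False, "credentials offered without TLS"),
    (5200, "smtp", "192.0.2.25",    None,  False, "client on the local network"),
]


def replay(events, policy):
    """Return {label: relay decision} for every SMTP event, in order."""
    out = {}
    for t, kind, ip, creds, tls, label in events:
        if kind == "pop":
            policy.pop_login(ip, t)
        else:
            out[label] = policy.may_relay(ip, t, creds, tls)
    return out


def compare(events=EVENTS):
    """List of (label, pop-before-smtp decision, SMTP AUTH decision)."""
    pbs = replay(events, PopBeforeSmtp())
    auth = replay(events, SmtpAuth({"alice": "correct horse"}))
    return [(label, pbs[label], auth[label]) for label in pbs]


if __name__ == "__main__":
    for label, pbs, auth in compare():
        print(f"{label:45} pop-before-smtp={pbs!s:5} smtp-auth={auth}")
```

The rows where the two columns differ are the ones the thread argues about: the IP-keyed table rejects the account owner and relays for whoever shares the address, while the credential check does the reverse.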
Date: Thu, 6 Feb 2003 08:00:01 -0800
From: John Rudd <jrudd at ucsc dot edu>
Subject: Re: Relaying Denied
> From: Daniel Senie <dts at senie dot com>
>
> Products which wish to filter spam or viruses
> REALLY should be built to "plug in" to mail clients via APIs.
I disagree. The proper place to do spam and virus scanning is on the
server. Sure, if you want users to feel some form of warm fuzzy, they
should have the option to run it on the client (and once there, your
method might be right). But the best place to put it is on the server.
For one, it means that the client hasn't wasted bandwidth downloading
what may be huge amounts of bad data.
And there are great products for doing it on the server. We use the
open source Mailscanner as the main scanning engine, which allows you
to use a wide range of virus scanning engines (we use sophos savi, but
they have support for McAfee and others), doing RBL checks, filename
attachment checks, and spam assassin. We use spam assassin and filename
checks, but not RBL checks (too much latency to slow down mail delivery).
Mailscanner will also let you choose what to do with messages after the
various scanning engines have made decisions. For example, with viruses
you have the option to a) remove the infected attachment and replace it
with a warning, and you can choose to quarantine the attachment in case
it might still be useful to the recipient, b) for each virus type, you
can silently delete it (good for viruses like the klez family, which
forge their sender), c) attempt to remove just the infection from the
attachment and deliver the non-infected portion of the attachment as
normal. For spam, you have options of "deliver" (with headers indicating
why it was marked as spam), "delete", "bounce" (attempt to send it back
to the claimed sender), "forward", "store" (quarantine), "striphtml" (can
be used in conjunction with the other choices). In both cases, you get
headers that help you build mail sorting filters so that you can divert
these messages to different folders than your inbox, and you also have
the option to have the subject modified (such as adding "{Virus?}" or
"{Spam?}" to the start of the subject).
I was so happy with it at work that I also use it at home on my home
mail server.
Though, Mailscanner isn't perfect. It uses two mail queues (you have one
sendmail process (sendmail -bd -OQueueonly -OQueueDir=/var/spool/mqueue.in)
deposit messages into /var/spool/mqueue.in, and then mailscanner processes
the messages and puts them into /var/spool/mqueue, where a "sendmail -qXXm"
process picks them up for delivery; this means you need to keep an eye on
the size of mqueue.in if you've got a huge volume of mail traffic, in case
it gets clogged ... we get ~120k messages per day, and our SMTP servers are
2 sunblade 150's ... we can basically handle 1.5 to twice our current overall
load before things get out of control).
Other sites that I know of use the sendmail milters "MIMEDefang" or "Amavisd"
to do virus scanning + spam assassin. They don't require a second mail queue,
but they do slow down the initial smtp process (a long pause after the client
sends the message and before the server acknowledges/accepts it). But it
does offer the advantage that instead of hoping to bounce a message to the
address that claimed to send it, when you reject the message you simply put
the burden upon the sending client. If they're the original sender, then
the spam just backlogs on their machine.
Hm. That was much more than I started out to say. Anyways ... IMO, there's
no real need for mail client API's for virus/spam plug ins. Do it on the
server (and, if you're a user, insist that whoever maintains your server
do it on their server).
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: Re: Relaying Denied
Date: Thu, 6 Feb 2003 12:09:25 -0500
----- Original Message -----
From: "Ken Hohhof" <ken at mixedsignal dot com>
To: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Thursday, February 06, 2003 9:49 AM
Subject: Re: Relaying Denied
> I think you guys are too hard on pop-before-smtp. Granted it is a kludge
> and should be avoided if you can. But we have used it for several years
> with no problems except that a couple times the daemon stopped for no
> apparent reason and had to be manually restarted.
Ignoring the fact that SMTP AUTH is a fairly all-in-one solution that
doesn't require interaction between two completely unrelated daemons. As
was said earlier, the POP-before-SMTP approach is largely confusing to many
customers. SMTP AUTH is, with more recent MUAs, extremely easy to configure
and use. (Even my Amiga's mail client does SMTP AUTH ;)
> If you primarily provide Internet connectivity as we do, the best policy is
> to only relay for clients on your network. If a few customers connect
> through another ISP, tell them to use their ISP's outgoing mailserver, this
> is the standard solution. If they have a T1 or a premium DSL with static
> IP, then we will enter their IP in our relaying database. If they're too
> cheap to spring for a static IP on their DSL, or they are using another
> ISP's dialup and are too inept to enter that ISP's outgoing mailserver,
> tough luck. Or they can use our WebMail server, that's another solution.
I can see how this would normally play out, but the problem exists that many
clients who are savvy enough to get some kind of Static DSL or T1 service
haven't a clue of how to do anything else. It saves administrative time and
customer confusion to tell them to use your SMTP AUTH servers, especially if
you're hosting the client's domains.
One solution we tried was to alias smtp.clientdomain.com to the client's
SMTP servers. But that just increased the frustration level when the
customer ISP's mailserver was down or unreachable, and we suddenly became at
fault. What it boiled down to for us was "if you want it done right, you
have to do it yourself."
> If you are a private company, and you have remote/mobile/SOHO clients,
> things are less clear. My preference would still be to use the ISP's
> outgoing mailserver. But you may have a policy that all sent mail goes
> through your server, maybe so you can log it or screen it for viruses and/or
> content. Also you probably have more control over the email clients that
> your employees use and you probably set it up for them. In this case you
> may want to use SMTP AUTH or even non-standard mail like Exchange mail.
Not always a matter of policy. With the dwindling number of national ISPs
available these days that support all of the features a business needs (last
year we had issues with AOL disconnecting dialup users immediately after
initiating a VPN session,) it's difficult to be able to move from one area
to the next without having to update settings. With SMTP AUTH, anyone
travelling for a corporation can use any ISP's connection, including those
at hotels, to send their email.
> We don't like SMTP AUTH because it is not practical to make all our
> customers use it just to accommodate the few who need it. And if we enable
> it on our server, we have problems with our many Mac users with Netscape 4.x
> clients which seem to choke if the server offers AUTH but the client is not
> set up for it.
Then don't make them all use it; it's not an all-or-nothing option. We have
SMTP AUTH enabled on our servers, and it happily relays mail for anyone on
our network without authentication, and requires anyone outside to use
authentication. I was pleasantly surprised at how 100% of the people who
are using SMTP AUTH only needed a brief explanation of how to configure it,
which we provided on a website.
Now, the bit about Mac Netscape 4.x clients... does this happen in an
environment which requires SMTP AUTH all around, or only offers it but still
provides local relay? I know from experience that the 4.6 and 4.7 clients
were awfully flakey about SMTP AUTH, but v4.8 seems to have fixed this
issue, and most people have migrated to 6.x or 7.x. I did some checking,
and it seems that the minimum indicated requirements for Netscape 6 is OSX,
but Netscape 7 will go back to PowerPC-based units running OS8 or better.
> Again, WebMail is an alternative. We use EmuMail which is basically a
> web-based POP3 client, we actually run it on the same server as qpopper but
> it can just as easily (and probably better) be on a separate server.
Web-based email is always a great alternative if you have a good package to
run. I've spent the last year or so trying out various PHP-based POP3 and
IMAP clients. Initially I opted for clients that didn't require the IMAP
library and MySQL or LDAP for user prefs, but finally have settled on using
the Horde framework with IMP.
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Thu, 6 Feb 2003 10:56:49 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, The Little Prince wrote:
> i agree with the SMTP AUTH statements. be aware, if you're on a system
> that uses Norton AV, this has a habit of not letting AUTH work with the
> defaults.
That's because Norton interferes with the normal data path by setting
itself up as a pop3/smtp server and redirecting all local client traffic
to itself, while talking to the remote servers.
Quite frankly, Norton AV is crap. It inconveniences users, so they
bypass it. You're better off using F-Prot or similar (which is also
significantly cheaper).
Not to mention that Norton are spammers and so are McAfee.
Date: Thu, 6 Feb 2003 15:53:57 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, Ken Hohhof wrote:
> If you primarily provide Internet connectivity as we do, the best policy is
> to only relay for clients on your network.
In these days of spammers hijacking winduhs proxies and spamming malware
(viruses), with more and worse to come, there's a lot to be said in
favour of requiring SMTP AUTH for everyone.
> We don't like SMTP AUTH because it is not practical to make all our
> customers use it just to accommodate the few who need it.
I guess that depends on your customers. If they can set a pop3 password,
they can set up SMTP AUTH.
> And if we enable
> it on our server, we have problems with our many Mac users with Netscape 4.x
> clients which seem to choke if the server offers AUTH but the client is not
> set up for it.
Why would netscape 4 for Mac choke and not other versions? I think you
may be chasing a strawman there.
AB
From: "Ken Hohhof" <ken at mixedsignal dot com>
Subject: Re: Relaying Denied
Date: Thu, 6 Feb 2003 15:19:43 -0600
> Why would netscape 4 for Mac choke and not other versions? I think you
> may be chasing a strawman there.
AFAIK all versions of Netscape 4 have the problem that if AUTH is offered,
the client must be configured to authenticate. The only reason I mentioned
Macs is that Netscape 4 is the most common mail client on Mac OS/8 and
OS/9. Many Mac users hate Microsoft so much they won't use OE. Now
with OS/X, Apple has its own mail client which was pretty spartan in version
1.1 but is more full-featured in version 1.2.
Regarding dictating to a customer base that they must use SMTP AUTH,
you must have a captive customer base. If we turned that on one day we
would get thousands of angry tech support calls and a sizable percentage
would switch to another ISP if only out of spite. When you're in a commodity
service business, and all your customers think they know what they're doing
even if they don't, and they think it's always your fault even though it
usually isn't, then we can't take the attitude "what, are you too stupid to
check a box and fill in your username and password?"
Date: Thu, 6 Feb 2003 16:31:49 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, John Rudd wrote:
> I disagree. The proper place to do spam and virus scanning is on the
> server.
Unfortunately lots of ISPs aren't willing to put in the extra hardware
required to have the horsepower to do it.
And even fewer are willing to filter outbound mail, resulting in outfits
like BTopenworld making lots of TV adverts about their spam/virus
filtering, while one of their users has been sending me between 40 and
100 pieces of virus infected cruft for the last week.
And no, their abuse desk isn't working either.
AB
From: "steve" <steve at chesint dot net>
Subject: Re: Relaying Denied
Date: Thu, 6 Feb 2003 19:02:54 -0500
I am planning on forcing customers to SMTP auth (in fact we are doing that
by default on all tech calls now in advance), but am not going to just turn
off the switch in one day. I have mine set to use smtp auth and mynetworks.
I am going to send out an email instructing users how to reconfigure their
clients and how to call for help (or look on my site for detailed
instructions)...then at some point down the road when most of the tech calls
are behind us, I am going to gradually start pulling netmasks out of my
mynetworks file until customers are migrated over.
Not sure if that helps any, but that is my plan so I figured I'd share it.
And yes Older Versions of Netscape don't seem to work, but 6+ has worked OK
I believe so far (not sure on Mac, but I think newer Netscape versions work
ok on our system).
Steve
CCI
----- Original Message -----
From: "Ken Hohhof" <ken at mixedsignal dot com>
To: "Alan Brown" <alanb at digistar dot com>
Cc: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
Sent: Thursday, February 06, 2003 4:19 PM
Subject: Re: Relaying Denied
> > Why would netscape 4 for Mac choke and not other versions? I think you
> > may be chasing a strawman there.
>
> AFAIK all versions of Netscape 4 have the problem that if AUTH is offered,
> the client must be configured to authenticate. The only reason I mentioned
> Macs is that Netscape 4 is the most common mail client on Mac OS/8 and
> OS/9. Many Mac users hate Microsoft so much they won't use OE. Now
> with OS/X, Apple has its own mail client which was pretty spartan in version
> 1.1 but is more full-featured in version 1.2.
>
> Regarding dictating to a customer base that they must use SMTP AUTH,
> you must have a captive customer base. If we turned that on one day we
> would get thousands of angry tech support calls and a sizable percentage
> would switch to another ISP if only out of spite. When you're in a commodity
> service business, and all your customers think they know what they're doing
> even if they don't, and they think it's always your fault even though it
> usually isn't, then we can't take the attitude "what, are you too stupid to
> check a box and fill in your username and password?"
>
>
Date: Thu, 06 Feb 2003 16:36:32 -0500
From: Daniel Senie <dts at senie dot com>
Subject: Re: Relaying Denied
At 10:56 AM 2/6/2003, Alan Brown wrote:
>On Thu, 6 Feb 2003, The Little Prince wrote:
>
> > i agree with the SMTP AUTH statements. be aware, if you're on a system
> > that uses Norton AV, this has a habit of not letting AUTH work with the
> > defaults.
>
>That's because Norton interferes with the normal data path by setting
>itself up as a pop3/smtp server and redirecting all local client traffic
>to itself, while talking to the remote servers.
Norton AV works quite well in conjunction with Eudora. Eudora stores
attachments as separate files. When it goes to write out an attachment
that's infected, Norton intercepts and alerts. This is with the "email
protection" capability turned OFF, so that it's not intercepting.
>Quite frankly, Norton AV is crap.
We've found it to generally be updated with new virus definitions much
sooner than F-Secure's product.
> It inconveniences users, so they
>bypass it. You're better off using F-Prot or similar (which is also
>significantly cheaper).
YMMV
>Not to mention that Norton are spammers and so are McAfee.
Actually, Symantec is NOT spamming. There are plenty of Warez copies being
peddled on the 'net. Symantec themselves used to be bad about unsolicited
email, but appear to have mended their ways. They do have a serious
problem with piracy (and those pirates spam the world).
We're now quite far off topic.
Date: Thu, 6 Feb 2003 19:06:56 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, Ken Hohhof wrote:
> Regarding dictating to a customer base that they must use SMTP AUTH,
> you must have a captive customer base.
Or a customer base who have some clues. We don't pitch to inexperienced
users and there's surprising sales value in "if you need tech support,
you don't belong here".
From: Ted Cabeen <ted at impulse dot net>
Subject: Re: Relaying Denied
Date: Thu, 06 Feb 2003 16:10:35 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-Type: text/plain; charset=us-ascii
In message <464134870290312386900 at lists.pensive dot org>, "Ken Hohhof" writes:
>> Why would netscape 4 for Mac choke and not other versions? I think you
>> may be chasing a strawman there.
>
>AFAIK all versions of Netscape 4 have the problem that if AUTH is offered,
>the client must be configured to authenticate. The only reason I mentioned
>Macs is that Netscape 4 is the most common mail client on Mac OS/8 and
>OS/9. Many Mac users hate Microsoft so much they won't use OE. Now
>with OS/X, Apple has its own mail client which was pretty spartan in version
>1.1 but is more full-featured in version 1.2.
Right. The usual solution to this is to change the SMTP server so that it
only offers AUTH to the client if they don't already qualify to relay due to
the IP address they're coming from or the POP-B4-SMTP database.
- --
Ted Cabeen http://www.pobox.com/~secabeen ted at impulse dot net
Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen at pobox dot com
"I have taken all knowledge to be my province." -F. Bacon secabeen at cabeen dot org
"Human kind cannot bear very much reality."-T.S.Eliot cabeen at netcom dot com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)
Comment: Exmh version 2.5 07/13/2001
iD8DBQE+Qvl7oayJfLoDSdIRAgGkAKDDPET3ZY7ID33r1Pk+wSaDitjD6ACfSgR2
NJM4cM4osIaF2S/hKoIiCvU
=dCY0
-----END PGP SIGNATURE-----
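The policy described in the message above (offer AUTH only to clients that do not already qualify to relay by IP address or POP-before-SMTP), combined with the gradual removal of trusted netmasks planned earlier in the thread, sketched as an added example. It is not code from any poster or from a real MTA; the class, its method names, the networks, the domain and the 30-minute POP-before-SMTP lifetime are all assumptions.

```python
import ipaddress
import time


class RelayPolicy:
    """Decides who may relay and whether the EHLO reply should list AUTH."""

    def __init__(self, trusted_networks, local_domains, pop_ttl=1800):
        self.trusted_networks = [ipaddress.ip_network(n) for n in trusted_networks]
        self.local_domains = {d.lower() for d in local_domains}
        self.pop_ttl = pop_ttl    # seconds a POP3 login keeps an IP authorised (assumed)
        self.pop_logins = {}      # client IP -> time of last successful POP3 login

    def record_pop_login(self, ip, now=None):
        """Called by the POP3 side after a successful login (POP-before-SMTP)."""
        self.pop_logins[ip] = time.time() if now is None else now

    def relay_reason(self, ip, now=None):
        """Return why this IP may relay without AUTH, or None if it may not."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.trusted_networks):
            return "mynetworks"
        last = self.pop_logins.get(ip)
        if last is not None and 0 <= now - last <= self.pop_ttl:
            return "pop-before-smtp"
        return None

    def ehlo_keywords(self, ip, now=None):
        """Extensions to advertise; AUTH is hidden from clients that already qualify,
        so a client that mishandles an offered AUTH never sees it."""
        keywords = ["PIPELINING", "8BITMIME"]
        if self.relay_reason(ip, now) is None:
            keywords.append("AUTH CRAM-MD5")
        return keywords

    def accept_rcpt(self, ip, rcpt, authenticated=False, now=None):
        """Mail for local domains is always accepted (inbound delivery from other
        servers); relaying elsewhere needs AUTH or one of the exemptions."""
        domain = rcpt.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return True
        return authenticated or self.relay_reason(ip, now) is not None

    def drop_network(self, network):
        """One migration step: stop trusting a netmask so its users must AUTH."""
        net = ipaddress.ip_network(network)
        self.trusted_networks = [n for n in self.trusted_networks if n != net]


def demo():
    """Constructed clients: (ip, exemption, AUTH offered?) for each case."""
    policy = RelayPolicy(["192.0.2.0/24", "198.51.100.0/24"], ["example.net"])
    t0 = 1_000_000
    policy.record_pop_login("203.0.113.7", now=t0)
    cases = [
        ("192.0.2.10", t0),          # on our own network
        ("203.0.113.7", t0 + 60),    # roaming, checked POP a minute ago
        ("203.0.113.7", t0 + 3600),  # roaming, POP login has expired
        ("203.0.113.99", t0),        # unknown outside client
    ]
    rows = []
    for ip, when in cases:
        offered = any(k.startswith("AUTH") for k in policy.ehlo_keywords(ip, when))
        rows.append((ip, policy.relay_reason(ip, when), offered))
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Accepting local recipients unconditionally matters: requiring AUTH for every connection would also turn away other servers delivering inbound mail.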
Date: Thu, 6 Feb 2003 19:13:49 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, Ted Cabeen wrote:
> Right. The usual solution to this is to change the SMTP server so that it
> only offers AUTH to the client if they don't already qualify to relay due to
> the IP address they're coming from or the POP-B4-SMTP database.
Or to show the customer the security advisories for netscape 4.* and
recommend that they update to 4.8 or later...
From: "yong" <yong80 at oikose dot com>
Subject: Newbie need help!!!
Date: Fri, 7 Feb 2003 10:43:46 +0800
hi, i am quite new using qpopper and i have some problem setting up a local
email server which i need some guidance on.
I am now using Linux Redhat 7.3 and i have setup a local DNS server
successfully. Using Kmail as my email client, I try to receive mail using
qpopper as my pop3 agent. But i have problem receiving my emails as this
error appears every time i tried to receive email:
-- Could not log in to xyz. The password may be wrong.
The server said: "[AUTH] Password supplied for "king" is incorrect.
Pls help as i am running out of ideas....
TKS
yong_san
Date: Thu, 6 Feb 2003 18:23:48 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Qpopper 4.0.5b2 available
Qpopper 4.0.5b1 is available at
<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/>.
The full list of changes from one release to the next is on the FTP
site, at
<ftp://ftp.qualcomm.com/eudora/servers/unix/popper/beta/Changes>.
Changes from 4.0.4b1 to 4.0.5b2:
------------------------------
4. STLS errors (except for timeout) no longer fatal.
5. Added sample xinetd configuration file.
6. Additional checks for networking libraries.
7. Pick up LDFLAGS from environment, if set.
8. Added '--enable-32-bit' and '--enable-64-bit'
9. Applied patch from Jeremy Chadwick to fix pathname trimming in
standalone mode.
Date: Thu, 06 Feb 2003 16:39:30 -0500
From: Daniel Senie <dts at senie dot com>
Subject: Re: Relaying Denied
At 11:00 AM 2/6/2003, John Rudd wrote:
> > From: Daniel Senie <dts at senie dot com>
> >
> > Products which wish to filter spam or viruses
> > REALLY should be built to "plug in" to mail clients via APIs.
>
>I disagree. The proper place to do spam and virus scanning is on the
>server. Sure, if you want users to feel some form of warm fuzzy, they
>should have the option to run it on the client (and once there, your
>method might be right). But the best place to put it is on the server.
>For one, it means that the client hasn't wasted bandwidth downloading
>what may be huge amounts of bad data.
Certainly scanning for viruses on the server is a good idea. We do it
ourselves. However, it is unacceptable for an ISP to tell customers not to
run AV products because the server they use for their email runs a scan.
The issues are:
1. Liability: We tell our clients that while we scan for and delete virus
laden email, we do not guarantee that it will be 100% effective. We
recommend they run their own antivirus as well.
2. Diversity: We've often seen the server-based product we use lag the
desktop products (different brands) in having updated virus definitions.
In a university or corporate setting, #1 may not be an issue of course.
Date: Thu, 6 Feb 2003 21:49:55 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Relaying Denied
At 9:17 AM -0500 2/6/03, Daniel Senie wrote:
> Norton AV, and other email filtering and handling products which
> interpose themselves in as proxy servers in this way are really
> useless products. They fail to implement lots of features of POP
> (e.g. TLS) and create serious support headaches. Products which
> wish to filter spam or viruses REALLY should be built to "plug in"
> to mail clients via APIs. Other vendors get this right.
In addition to APIs, some clients are careful to write each message
as a temp file before deleting it from the server. This has the
added benefit of allowing local anti-virus software on the client to
scan the file.
> While I use Norton for virus scanning myself, I keep the email
> scanning disabled (I provide Antivirus in my mail server anyway,
> and have other protections on my client, so I'm covered). This
> poorly designed component really hurts an otherwise decent product
> offering.
These sorts of products also cause problems with clients that use CAPA.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
Between two evils, I always pick the one I never tried before.
--Mae West.
Date: Thu, 6 Feb 2003 21:56:31 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Relaying Denied
At 10:41 AM -0500 2/6/03, Alan Brown wrote:
> As a result, roaming users need to use the MSA port instead of SMTP and
> there are security issues involved with using plaintext SMTP AUTH - as
> in anyone can read the passwords if they happen to be sniffing the
> traffic(*), so you'd better use SSL too.
Or at least CRAM-MD5, SASL-DIGEST, or another SMTP AUTH mechanism
that doesn't send clear text passwords.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
What use is magic if it can't save a unicorn?
--Peter S. Beagle
Date: Thu, 06 Feb 2003 20:29:42 -0600
From: Len Conrad <LConrad at Go2France dot com>
Subject: Re: Relaying Denied
>Norton AV, and other email filtering and handling products which interpose
>themselves in as proxy servers in this way are really useless products.
Equally useless, at the server/gateway level, is PIX SMTP fixup.
postfix even has SMTP client hacks to workaround pix:
# postconf | grep pix
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
And the PIX SMTP fixup only knows HELO (because it can't know about
users+passwds), so SMTP AUTH/EHLO is not available through SMTP fixup.
>They fail to implement lots of features of POP (e.g. TLS) and create
>serious support headaches. Products which wish to filter spam or viruses
>REALLY should be built to "plug in" to mail clients via APIs.
Most companies don't want their employees learning how (what a laugh that
is) to filter at the desktop, and then wasting $time trying to filter spam,
so have implemented filtering at the MX level to keep nearly all of the
crap out of the company and above off the desktop.
Len
Date: Thu, 06 Feb 2003 20:27:22 -0600
From: Len Conrad <LConrad at Go2France dot com>
Subject: Re: Relaying Denied
>Unfortunately lots of ISPs aren't willing to put in the extra hardware
>required to have the horsepower to do it.
If one avoids the resource-intensive "content-scanning" approach and goes
with "rejecting", the MX machine doesn't need to be more than a P500 for
90% of orgs.
Len
Date: Fri, 7 Feb 2003 04:49:39 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, Randall Gellens wrote:
> Or at least CRAM-MD5, SASL-DIGEST, or another SMTP AUTH mechanism
> that doesn't send clear text passwords.
...leaving company-sensitive data passing in cleartext...
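The difference between a plaintext SMTP AUTH mechanism and CRAM-MD5, as raised in the two messages above, shown as an added example that is not code from either poster. The function names are assumptions, and the user, shared secret and challenge are the sample values from RFC 2195; it covers only the password exchange, not the message content that follows.

```python
import base64
import hashlib
import hmac


def make_challenge(text):
    """Server side: base64-encode a one-time challenge string."""
    return base64.b64encode(text.encode()).decode()


def on_the_wire(b64):
    """What an observer of the session sees after undoing base64."""
    return base64.b64decode(b64).decode()


def plain_payload(user, password):
    """AUTH PLAIN initial response: authzid NUL user NUL password, base64-encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_plain(payload):
    """base64 is an encoding, not encryption: the password comes straight back."""
    _authzid, user, password = on_the_wire(payload).split("\0")
    return user, password


def cram_md5_response(user, password, challenge_b64):
    """Client side: HMAC-MD5 of the challenge keyed with the password (RFC 2195).
    Only the user name and the digest are sent, never the password itself."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(response_b64, challenge_b64, password_for):
    """Server side: recompute the digest for the challenge this session issued.
    Returns the authenticated user name, or None. `password_for` is a lookup
    callable; the server needs the shared secret itself to do this check."""
    try:
        user, digest = on_the_wire(response_b64).rsplit(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = password_for(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    # Constant-time comparison of the two hex digests.
    if hmac.compare_digest(expected.encode(), digest.encode()):
        return user
    return None


# Sample values from RFC 2195, used here as test data.
USERS = {"tim": "tanstaaftanstaaf"}
CHALLENGE = make_challenge("<1896.697170952@postoffice.reston.mci.net>")


def demo():
    plain = plain_payload("tim", USERS["tim"])
    cram = cram_md5_response("tim", USERS["tim"], CHALLENGE)
    next_challenge = make_challenge("<1897.697170999@postoffice.reston.mci.net>")
    return {
        "plain_recovered": decode_plain(plain),
        "cram_seen": on_the_wire(cram),
        "cram_accepted": verify_cram_md5(cram, CHALLENGE, USERS.get),
        # A captured response is useless against the next session's challenge.
        "replay_accepted": verify_cram_md5(cram, next_challenge, USERS.get),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```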
From: Robert Brandtjen <rob at prometheusmedia dot com>
Subject: Re: Relaying Denied
Date: Fri, 7 Feb 2003 08:10:02 -0600
On Friday 07 February 2003 12:04 am, Alan W. Rateliff, II wrote:
> I don't know if your RH installation includes the SASL libraries. Even so,
> you might need to recompile your sendmail installation, to incorporate
> their use. Sendmail's site has a brief tutorial as well[2].
Thanks Alan,
It included the SASL libs - but the originals did not have LOGIN enabled, so
when compiling the latest version of them, sendmail would not start, I
figured I needed to recompile sendmail then as well.
--
Robert Brandtjen
------------------------------------
Web Site Creation and Hosting Services
Hostmaster at prometheusmedia dot com
www.prometheusmedia.com
From: "Alan W. Rateliff, II" <lists at rateliff dot net>
Subject: Re: Relaying Denied
Date: Fri, 7 Feb 2003 01:04:48 -0500
----- Original Message -----
From: "Robert Brandtjen" <rob at prometheusmedia dot com>
To: "Alan W. Rateliff, II" <lists at rateliff dot net>; "Subscribers of Qpopper"
<qpopper at lists.pensive dot org>
Sent: Friday, February 07, 2003 12:48 AM
Subject: Re: Relaying Denied
> Ok, I'm game for the SMTP AUTH solution, considering I have RH 7.3 and RH 8.0
> boxen, where would I go for a decent tutorial? the ones I have found via
> google stink. I should add that RH comes with everything pre installed - but I
> still can't seem to get it working -
I ran into the same problem while trying to implement SMTP AUTH on my
Solaris boxes, but eventually figured it out. What you need is the Cyrus
SASL library v1.something and the latest source for Sendmail. I have a
somewhat basic information page about the process[1]. Keep in mind that
it's tailored for Solaris, so the PAM configuration in Sendmail.conf might
differ for RH.
I don't know if your RH installation includes the SASL libraries. Even so,
you might need to recompile your sendmail installation, to incorporate their
use. Sendmail's site has a brief tutorial as well[2].
[1] http://alan2.rateliff.us/SMTP_AUTH-HOWTO.html
[2] http://www.sendmail.org/~ca/email/auth.html
--
Alan W. Rateliff, II : RATELIFF.NET
Independent Technology Consultant : alan2 at rateliff dot net
(Office) 850/350-0260 : (Mobile) 850/559-0100
-------------------------------------------------------------
[System Administration][IT Consulting][Computer Sales/Repair]
Date: Thu, 6 Feb 2003 18:59:37 -0800 (PST)
From: The Little Prince <thelittleprince at asteroid-b612 dot org>
Subject: Re: Relaying Denied
On Thu, 6 Feb 2003, steve wrote:
> I am planning on forcing customers to SMTP auth (in fact we are doing that
> by default on all tech calls now in advance), but am not going to just turn
> off the switch in one day. I have mine set to use smtp auth and mynetworks.
> I am going to send out an email instructing users how to reconfigure their
> clients and how to call for help (or look on my site for detailed
> instructions)...then at some point down the road when most of the tech calls
> are behind us, I am going to gradually start pulling netmasks out of my
> mynetworks file until customers are migrated over.
>
if you want instructions, i wrote step by step ones (along with some from
the net) a little while back, for the major clients. outlooks, netscapes,
eudora.
let me know, i'll send them to you.
--Tony
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
>
> Steve
> CCI
> ----- Original Message -----
> From: "Ken Hohhof" <ken at mixedsignal dot com>
> To: "Alan Brown" <alanb at digistar dot com>
> Cc: "Subscribers of Qpopper" <qpopper at lists.pensive dot org>
> Sent: Thursday, February 06, 2003 4:19 PM
> Subject: Re: Relaying Denied
>
>
> > > Why would netscape 4 for Mac choke and not other versions? I think you
> > > may be chasing a strawman there.
> >
> > AFAIK all versions of Netscape 4 have the problem that if AUTH is offered,
> > the client must be configured to authenticate. The only reason I mentioned
> > Macs is that Netscape 4 is the most common mail client on Mac OS/8 and
> > OS/9. Many Mac users hate Microsoft so much they won't use OE. Now
> > with OS/X, Apple has its own mail client which was pretty spartan in version
> > 1.1 but is more full-featured in version 1.2.
> >
> > Regarding dictating to a customer base that they must use SMTP AUTH,
> > you must have a captive customer base. If we turned that on one day we
> > would get thousands of angry tech support calls and a sizable percentage
> > would switch to another ISP if only out of spite. When you're in a commodity
> > service business, and all your customers think they know what they're doing
> > even if they don't, and they think it's always your fault even though it
> > usually isn't, then we can't take the attitude "what, are you too stupid to
> > check a box and fill in your username and password?"
> >
> >
>
>
--
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
Anthony J. Biacco Network Administrator/Engineer
thelittleprince at asteroid-b612.org http://www.asteroid-b612 dot org
"This will prove a brave kingdom to me,
where I shall have my music for nothing"
.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
From: Robert Brandtjen <rob at prometheusmedia dot com>
Subject: Re: Relaying Denied
Date: Thu, 6 Feb 2003 23:48:37 -0600
On Thursday 06 February 2003 11:09 am, Alan W. Rateliff, II wrote:
> Ignoring the fact that SMTP AUTH is a fairly all-in-one solution that
> doesn't require interaction between two completely unrelated daemons. As
> was said earlier, the POP-before-SMTP approach is largely confusing to many
> customers. SMTP AUTH is, with more recent MUAs, extremely easy to
> configure and use. (Even my Amiga's mail client does SMTP AUTH ;)
Ok, I'm game for the SMTP AUTH solution, considering I have RH 7.3 and RH 8.0
boxen, where would I go for a decent tutorial? the ones I have found via
google stink. I should add that RH comes with everything pre installed - but I
still can't seem to get it working -
--
Robert Brandtjen
------------------------------------
Web Site Creation and Hosting Services
Hostmaster at prometheusmedia dot com
www.prometheusmedia.com
Date: Fri, 7 Feb 2003 11:36:07 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Newbie need help!!!
At 10:43 AM +0800 2/7/03, yong wrote:
> hi, i am quite new using qpopper and i have some problem setting up a local
> email server which i need some guidance on.
>
> I am now using Linux Redhat 7.3 and i have setup a local DNS server
> successfully. Using Kmail as my email client, I try to receive mail using
> qpopper as my pop3 agent. But i have problem receiving my emails as this
> error appears every time i tried to receive email:
> -- Could not log in to xyz. The password may be wrong.
> The server said: "[AUTH] Password supplied for "king" is incorrect.
>
> Pls help as i am running out of ideas....
> TKS
> yong_san
You may need to use PAM, for example, I believe that if you're using
a non-default password hashing mechanism this is required.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
Accident: A condition in which presence of mind is good, but absence of
body is better.
From: Mark <admin at asarian-host dot net>
Date: Sat, 8 Feb 2003 01:20:04 +0100
Subject: Re: Relaying Denied
At 11:00 AM 2/6/2003, John Rudd wrote:
> > From: Daniel Senie <dts at senie dot com>
> >
> > Products which wish to filter spam or viruses
> > REALLY should be built to "plug in" to mail clients via APIs.
>
>I disagree. The proper place to do spam and virus scanning is on the
>server. Sure, if you want users to feel some form of warm fuzzy, they
>should have the option to run it on the client (and once there, your
>method might be right). But the best place to put it is on the server.
>For one, it means that the client hasn't wasted bandwidth downloading
>what may be huge amounts of bad data
Scanning viruses on the server is a good idea, and I do it myself. And I do
not even bother storing flagged viruses, let alone try and repair them. If
a mail contains a virus, I blackhole the entire email. Maybe a bit rigorous,
but if a mail contains a virus, it had no legitimate business being on my
server to begin with.
I also scan for spam, and rigorously too, as the nature of my server
requires it. But that is more tricky. Many users frown at the idea that
their server will make the determination for them as to what is spam. And
the issue of false positives is always present too. Still, I believe that
checking spam at the gate -- the server-gate, that is -- is the best option.
After all, I, as mail server, want to have a say in who I do "business"
with; and I do not want to leave that determination solely in the hands of
my users.
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
Date: Fri, 07 Feb 2003 22:55:35 -0600
From: Ken Hohhof <ken at mixedsignal dot com>
Subject: Re: Relaying Denied
>> Ok, I'm game for the SMTP AUTH solution, considering I have RH 7.3 and RH 8.0
>> boxen, where would I go for a decent tutorial?
If you are using sendmail without a copy of the "bat" book (author
Costales, publisher O'Reilly, 3rd edition, picture of bat on cover) your
first step should be to spend your $59.95 and get one.
Then assuming you have sendmail v8.10 or later, there are very complete
instructions starting with section 10.9 on page 406.
Date: Sun, 9 Feb 2003 11:29:44 +0100
From: Cliff Sarginson <cls at raggedclown dot net>
Subject: Re: confirmation
On Tue, Feb 04, 2003 at 10:23:59AM -0800, Randall Gellens wrote:
> At 2:00 PM +0300 2/4/03, Vitaly wrote:
>
> > i need to send confirmation to the sender that his (or her) mail
> >has been loaded by the user during pop3 or imap session.
> > Does qpopper provide that? Can i implement my own mail filter
> >(program) that scans every receiving mail? is there another
> >program for this purpose?
>
> Standard Internet email provides for delivery status notifications
> (DSNs) and message disposition notifications (MDNs).
>
> DSNs are requested at the SMTP (transport) level, and can result in
> positive acknowledgment of a message's arrival at the last server
> (the user's spool). It must be supported by the originating
> submission program, and all servers in between. It does not indicate
> if the message was ever downloaded by the user, but it can give a
> reasonable indication that the message wasn't lost en route.
>
Mmm. As you are implying this does expect co-operation all the way down
the line, plus the co-operation of the end-receiver. I personally never
allow DSN messages .. since I politically disapprove of them (but that
is another story :) .. They can generate a fair amount of more or less
white-noise email, and are unreliable at best. I don't think they can be
relied upon as proof of anything very much anyway.
--
Regards
Cliff Sarginson
The Netherlands
[ This mail has been checked as virus-free ]
From: Robert Brandtjen <rob at prometheusmedia dot com>
Subject: Re: Relaying Denied
Date: Fri, 7 Feb 2003 13:28:12 -0600
On Friday 07 February 2003 12:04 am, Alan W. Rateliff, II wrote:
> I don't know if your RH installation includes the SASL libraries. Even so,
> you might need to recompile your sendmail installation, to incorporate
> their use. Sendmail's site has a brief tutorial as well[2].
Ok, I have it going, but no inbound mails from other servers (people sending
me email) are getting through - they are bouncing out with "improper
authentication" messages - so I can receive no email on this set-up. Any idea
why?
I found a nice "how to" at this addy:
http://www.joreybump.com/code/howto/smtpauth.html
--
Robert Brandtjen
------------------------------------
Web Site Creation and Hosting Services
Hostmaster at prometheusmedia dot com
www.prometheusmedia.com
Date: Sun, 9 Feb 2003 12:28:04 +0100
From: Cliff Sarginson <cls at raggedclown dot net>
Subject: Re: Relaying Denied
On Thu, Feb 06, 2003 at 04:39:30PM -0500, Daniel Senie wrote:
> At 11:00 AM 2/6/2003, John Rudd wrote:
> >> From: Daniel Senie <dts at senie dot com>
> >>
> >> Products which wish to filter spam or viruses
> >> REALLY should be built to "plug in" to mail clients via APIs.
> >
> >I disagree. The proper place to do spam and virus scanning is on the
> >server. Sure, if you want users to feel some form of warm fuzzy, they
> >should have the option to run it on the client (and once there, your
> >method might be right). But the best place to put it is on the server.
> >For one, it means that the client hasn't wasted bandwidth downloading
> >what may be huge amounts of bad data.
>
> Certainly scanning for viruses on the server is a good idea. We do it
> ourselves. However, it is unacceptable for an ISP to tell customers not to
> run AV products because the server they use for their email runs a scan.
> The issues are:
>
> 1. Liability: We tell our clients that while we scan for and delete virus
> laden email, we do not guarantee that it will be 100% effective. We
> recommend they run their own antivirus as well.
>
> 2. Diversity: We've often seen the server-based product we use lag the
> desktop products (different brands) in having updated virus definitions.
>
There are 3 issues here:
1- Unwanted access to your SMTP Mail server
2- Virus Checking
3- Spam checking
I "solve" 1 by restricting access to port25 to trusted IP addresses
using my firewall, and a further check in my MTA (Postfix).
I "solve" 2 by running antivir on the mail server. This quarantines mail
containing viruses, sends a message to the intended recipient to say it
has done so and a message to the sender,
The solution of 3 is much more difficult for a Mail Server. Spam
checkers do create false-positives, and one man's Spam may not be
another's. Before the mail is qpopped it is run through spamassassin
with a certain set of rules, flagging what it believes is Spam. It is
then up to the recipient to filter or not on that flagging and decide
what to do .. isolating it in a special potential Spam folder for later
checking,..is recommended. A whitelist is also maintained by the
spamassassin rules (people sending legit mail to mailing lists often get
flagged too high on Spam checks because they often "shout" a lot and have
suspicious mail From addresses etc. RBL checks are also in place.)
This all works reasonably well, although how scalable it is I have no
idea, since I am not running a corporate network ! The slowest point in
the chain is the Spam checking.
As for the poster's point 2. "Diversity". I use amavis/antivir and have
noticed they email information about new viruses and cures
*consistently* faster than they get picked up by live-updates of
Penicillin and Symantec Windows virus checkers. My mail server contacts
them automatically once a day anyway to download any new
definitions/engine changes.
Interestingly I had to whitelist my ISP ! Not because they spam me but
because their "announcement" messages, due to the way they are
structured, triggered many of the Spam check rules to score them high!
--
Regards
Cliff Sarginson
The Netherlands
[ This mail has been checked as virus-free ]
Date: Fri, 7 Feb 2003 21:12:23 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: Qpopper 4.0.5b2 available
At 6:23 PM -0800 2/6/03, Randall Gellens wrote:
> 9. Applied patch from Jeremy Chadwick to fix pathname trimming in
> standalone mode.
Sorry, that's not in 4.0.5b2, it's in 4.0.5b3.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
Artificial intelligence is no match for natural stupidity.
Date: Sun, 9 Feb 2003 11:43:01 -0500 (EST)
From: Alan Brown <alanb at digistar dot com>
Subject: Re: Relaying Denied
On Sun, 9 Feb 2003, Cliff Sarginson wrote:
> I "solve" 2 by running antivir on the mail server. This quarantines mail
> containing viruses, sends a message to the intended recipient to say it
> has done so and a message to the sender,
^^^^^^^^^^^^^^^^^^^^^^^^^^^
So you're one of the bastards with malconfigured scanners mailbombing me
with virus warnings thanks to most worms using forged addresses.
Gee, thanks. What makes you think it's much different to any other form
of spam?
From: Mark <admin at asarian-host dot net>
Date: Sun, 9 Feb 2003 14:57:21 +0100
Subject: Re: Relaying Denied
On Thursday 06 February 2003 11:09 am, Alan W. Rateliff, II wrote:
> Ignoring the fact that SMTP AUTH is a fairly all-in-one solution that
> doesn't require interaction between two completely unrelated daemons. As
> was said earlier, the POP-before-SMTP approach is largely confusing to
> many customers. SMTP AUTH is, with more recent MUAs, extremely easy
> to configure and use. (Even my Amiga's mail client does SMTP AUTH ;)
Why not do both? :) I run the "DRAC" daemon for the whole PopAuth thingy,
and I allow my users to use SMTP AUTH as well. Sendmail (8.12.6) processes
its rulesets in such a way (Basic_check_rcpt), that SMTP AUTH comes first,
and drac later (drac checks are really no more than a check against the
dbase defined in "Kdrac btree -o /usr/local/etc/dracd", or wherever you put
the database).
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
Date: Sun, 09 Feb 2003 10:37:56 -0600
From: Ken Hohhof <ken at mixedsignal dot com>
Subject: Re: Relaying Denied
>Ok, I have it going, but no inbound mails from other servers (people sending
>me email) are getting through - they are bouncing out with "improper
>authentication" messages - so I can receive no email on this set-up. Any idea
>why?
Maybe you have the "a" key-letter specified in the DaemonPortOptions option
in your sendmail.cf file.
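Added example (not part of the thread): a small Python check for the condition suggested above, a `DaemonPortOptions` line that puts the `a` (require authentication) key-letter on the port 25 listener that other servers deliver to, rather than only on a submission port. The sample `sendmail.cf` excerpts are constructed, and matching option keys by their first letter is an assumption of this sketch.

```python
import re

# Constructed sendmail.cf excerpts for illustration (not from the thread).
CF_AUTH_REQUIRED_ON_MTA = """\
# listener that other mail servers deliver to
O DaemonPortOptions=Port=smtp, Name=MTA, M=a
O DaemonPortOptions=Port=587, Name=MSA, M=Ea
"""
CF_AUTH_REQUIRED_ON_MSA_ONLY = """\
O DaemonPortOptions=Port=smtp, Name=MTA
O DaemonPortOptions=Port=587, Name=MSA, M=Ea
"""

OPTION_RE = re.compile(r"^O\s+DaemonPortOptions\s*=\s*(.*)$")


def parse_daemon_port_options(cf_text):
    """Return one dict per DaemonPortOptions line: line, port, name, modifiers."""
    listeners = []
    for lineno, line in enumerate(cf_text.splitlines(), 1):
        match = OPTION_RE.match(line.strip())
        if not match:
            continue  # comments and unrelated options
        fields = {}
        for pair in match.group(1).split(","):
            key, sep, value = pair.partition("=")
            if sep and key.strip():
                # Assumption: keys are told apart by their first letter
                # (Port/P, Name/N, Modifiers/M).
                fields[key.strip()[0].upper()] = value.strip()
        listeners.append({
            "line": lineno,
            "port": fields.get("P", "smtp"),
            "name": fields.get("N", ""),
            "modifiers": fields.get("M", ""),
        })
    return listeners


def mta_listeners_requiring_auth(cf_text):
    """Listeners on the SMTP port (25) that carry the lowercase 'a' key-letter."""
    return [entry for entry in parse_daemon_port_options(cf_text)
            if entry["port"].lower() in ("smtp", "25")
            and "a" in entry["modifiers"]]


if __name__ == "__main__":
    for label, cf in (("auth on MTA", CF_AUTH_REQUIRED_ON_MTA),
                      ("auth on MSA only", CF_AUTH_REQUIRED_ON_MSA_ONLY)):
        hits = mta_listeners_requiring_auth(cf)
        for hit in hits:
            print(f"{label}: line {hit['line']} ({hit['name']}, port "
                  f"{hit['port']}) requires AUTH from every sender")
        if not hits:
            print(f"{label}: port 25 accepts unauthenticated inbound mail")
```
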
Date: Sun, 9 Feb 2003 18:41:23 -0500 (EST)
From: Chip Old <fold at bcpl dot net>
Subject: Re: Relaying Denied
On Sun, 9 Feb 2003 11:43 -0500, Alan Brown wrote:
> On Sun, 9 Feb 2003, Cliff Sarginson wrote:
>
> > I "solve" 2 by running antivir on the mail server. This quarantines
> > mail containing viruses, sends a message to the intended recipient to
> > say it has done so and a message to the sender,
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> So you're one of the bastards with malconfigured scanners mailbombing me
> with virus warnings thanks to most worms using forged addresses. Gee,
> thanks. What makes you think it's much different to any other form of
> spam?
Unfortunately an increasing number of people are doing that, both for worm
e-mail and spam e-mail. Even worse the practice has actually been
recommended in various PopTech media. It's incredibly stupid because the
sender address on virtually all spam and most current worms is forged.
At the least, replying generates large numbers of bounced messages. At
worst, it floods innocents' mailboxes with messages having nothing to do
with them. In either case it creates a lot of unnecessary traffic. It's
a really stupid thing to do!
--
Chip Old (Francis E. Old) E-Mail: fold at bcpl dot net
Manager, BCPL Network Services Phone: 410-887-6180
Manager, BCPL.NET Internet Services FAX: 410-887-2091
320 York Road
Towson, MD 21204 USA
Date: Mon, 10 Feb 2003 01:05:22 +0100
From: Cliff Sarginson <cls at raggedclown dot net>
Subject: Re: confirmation
On Sun, Feb 09, 2003 at 03:13:32PM -0800, Randall Gellens wrote:
> At 11:29 AM +0100 2/9/03, Cliff Sarginson wrote:
>
> > > DSNs are requested at the SMTP (transport) level, and can result in
> >> positive acknowledgment of a message's arrival at the last server
> >> (the user's spool). It must be supported by the originating
> >> submission program, and all servers in between. It does not indicate
> >> if the message was ever downloaded by the user, but it can give a
> >> reasonable indication that the message wasn't lost en route.
> >>
> > Mmm. As you are implying this does expect co-operation all the way down
> > the line, plus the co-operation of the end-receiver.
>
> DSNs rely on cooperation from every server en route, including the
> final one. To be more accurate, requesting non-default DSN behavior
> requires this. By default, most servers generate failure DSNs which
> include the full original message. The DSN extension mechanisms
> allow the originator to request various non-default behavior, such
> as success, relay, or delay DSNs, and can request that only the
> headers of the original message be included. In addition, the
> extension mechanism allows the originator to supply a unique
> identifier which will be included in the DSN. These mechanisms are
> great for mailing lists, for example, but could also be handy for
> user agents to, for example, indicate to the author the current known
> status of the delivery of a message to each recipient (success,
> failure, delay, relay). Relay status indicates that the message was
> passed to a server which does not support the DSN extensions.
>
> > I personally never
> > allow DSN messages .. since I politically disapprove of them (but that
> > is another story :) ..
>
> What about them do you disapprove of?
>
Traffic.
> > They can generate a fair amount of more or less
> > white-noise email,
>
> have you seen this?
>
Well, yes, at one place I worked it was de-facto.
> > and are unreliable at best. I don't think they can be
> > relied upon as proof of anything very much anyway.
>
> I'm not sure DSNs are ever appropriate as "proof" of anything. Their
> reliability is directly related to the proportion of servers that
> support them. They can be useful. Certainly a failure DSN is very
> useful.
Oh I don't disagree with failure indications. But you get those anyway.
But I think mail-systems of any use are built on the "Wells Fargo"
principle .. "the mail must get through". An indication that it has not
is good to know (maybe the mailman got shot by a bandit). An indication
that it has is a bit overkill...just my view.
But it is kind of a lot of baggage isn't it ?
Maybe one day when email achieves a greater legal status than it has
now, then non-repudiation of receipt will start to matter.
--
Regards
Cliff Sarginson
The Netherlands
[ This mail has been checked as virus-free ]
Date: Sun, 9 Feb 2003 15:48:40 -0800
Subject: Re: Relaying Denied
From: John Rudd <jrudd at ucsc dot edu>
On Sunday, Feb 9, 2003, at 03:28 US/Pacific, Cliff Sarginson wrote:
> 1- Unwanted access to your SMTP Mail server
> 2- Virus Checking
> 3- Spam checking
>
> I "solve" 2 by running antivir on the mail server. This quarantines
> mail
> containing viruses, sends a message to the intended recipient to say it
> has done so and a message to the sender,
Sending messages back to the sender isn't necessarily a good idea.
Mailscanner, which can handle both #2 and #3 via various virus scanning
engines, RBL checks, and/or Spam Assassin, has a list of viruses which
it silently deletes (no message to the intended recipient nor the
claimed sender) because there's just no point. Many of the Klez
family, and a few others, forge the sender address and contain no
useful content (as opposed to viruses which attach themselves to some
useful data). So, several of the Klez variants are in Mailscanner's
list to "silently delete".
If you're not doing anything sophisticated on the virus checking side,
then I wouldn't bounce any messages back to the sender. Just filter
out the bad attachment and inform the recipient. Then they can make an
informed decision about whether or not to inform the claimed sender.
Otherwise, I'd use an engine which knows (or can be told) which viruses
it should just delete without further processing.
From: Mark <admin at asarian-host dot net>
Date: Sat, 8 Feb 2003 01:30:16 +0100
Subject: Re: Relaying Denied
At 10:41 AM -0500 2/6/03, Alan Brown wrote:
> As a result, roaming users need to use the MSA port instead of SMTP and
> there are security issues involved with using plaintext SMTP AUTH - as
> in anyone can read the passwords if they happen to be sniffing the
> traffic(*), so you'd better use SSL too.
A chain is as strong as its weakest link. Meaning, that POP AUTH uses
plaintext too, of course; so, unless they use SSL on their POP connections
as well, users should not bank real money on their passwords being
unsniffable.
- Mark
System Administrator Asarian-host.org
---
"If you were supposed to understand it,
we wouldn't call it code." - FedEx
Date: Mon, 10 Feb 2003 06:18:11 +0100
From: Cliff Sarginson <cls at raggedclown dot net>
Subject: A long message on spam and viruses [ was Re: Relaying Denied ]
On Sun, Feb 09, 2003 at 06:41:23PM -0500, Chip Old wrote:
> On Sun, 9 Feb 2003 11:43 -0500, Alan Brown wrote:
>
<abusive message snipped>
> Unfortunately an increasing number of people are doing that, both for worm
> e-mail and spam e-mail. Even worse the practice has actually been
> recommended in various PopTech media. It's incredibly stupid because the
> sender address on virtually all spam and most current worms is forged.
This discussion is confusing spam and viruses which are two separate
issues.
Spam: The laws on spamming, or the selling of huge "authenticated"
mailing lists, are nowhere stringent enough. It should be made a serious
criminal offence since it amounts to theft. I also have the same view on
cold-calling from companies who find my name in a phone book and try to
sell me something I do not want, that is theft of my time. The forging
of email addresses should be treated as fraud as well. On this subject
however Spam is a great annoyance but will not usually damage anything
except your temper. There are many good spam-trap programs available.
If a spammer uses an open-relay that he has discovered then not only is
he negligent but so is the person running it. If that person knows
enough to set his system up for mail relaying then he has no excuse for
not knowing how to prevent open relaying.
Viruses etc: These are completely different. These are at the least
meant to cause inconvenience and at worst serious, possibly even very
dangerous damage. 99% of the blame for these diseases comes from one
single company, Microsoft. How they have gotten away with selling
software that is so easy to misuse, so easy to break and so easy to
allow the spreading of virii is amazing to me. Since they have made so
little effort to seriously review their programs on this level, and with
the effective monopoly and criminal malpractices they have been involved
in, they should at least be forced to provide gratis a virus checker
that will be auto-updated without any charge.
On the question of what to do with viruses you are making the false
assumption that every virus you may receive has originated directly from
its author or his cohorts. After that viruses are spread by people who
have no evil intentions, but may be termed illiterate on the subject.
They send some cool attachment or program they got to their friends, who
spread it to their friends etc etc. This negligence, of not even running
basic virus checking also beggars belief considering the publicity it is
given. This is how viruses spread as well. Not just from the criminal
mind that wrote it, but a lot of innocents on the way.
So what do you do ? If you discard the message silently without
reaction, that is fine if it is from a genuine miscreant. What if it is
from an innocent, who may go on spreading it without knowing he is doing
so. Would it not be a good idea to let him know ?
I don't know the solution to this except I believe the place to halt
viruses is at the ISP level. I can see no other place that could be more
effective...what action they then take is ... well.. you tell me.
The second thing is to encourage the use of verifiable digital
signatures perhaps.
Whatever. To characterise an information email to someone about a virus
in an email that appeared to be from them, but was not, is quite
possibly a price, among the many others, that has to be paid for being
on the Internet...until it is stamped on and governments take it
seriously. To threaten someone that they will be accused of
mail-bombing, threatening them with legal action for which there is no
applicable law (sending of informational messages about viruses) is
merely pathetic.
Until this problem is solved by any or all of the various measures
mentioned then people will just have to accept that they may get false
reports of them apparently sending viruses. With some effort put into
header and body checking of the mail you receive you should be able to
get a pretty good idea of what these reports look like, and discard them
automatically...I mean it is no different from the checks that Spam
blockers use, just different, highly structured messages.
I think this is a subject to which there is no answer that will make
everyone happy. But if there is going to be a debate about it, although
I am not so sure this is the right place to have it, both sides of it
need to be seen.
As a last thought the abolishing of webmail might be a good start ... :)
> At the least, replying generates large numbers of bounced messages. At
> worst, it floods innocents' mailboxes with messages having nothing to do
> with them. In either case it creates a lot of unnecessary traffic. It's
> a really stupid thing to do!
>
It may be stupid, but as I have pointed out some people may think it is
sensible.
While I think about it I have disabled my virus checker from sending
messages to the sender or "apparent" sender of virus laden mail.
I would point out that I once detected a virus that one member of a
huge private mailing list ( that I am on ) had accidentally sent out,
my warning to them all at least got it disinfected before they passed it
on even further to their friends and their friends' friends...
--
Regards
Cliff Sarginson
The Netherlands
[ This mail has been checked as virus-free ]
Date: Mon, 10 Feb 2003 02:37:05 -0500
From: Chuck Yerkes <chuck+qpopper at yerkes dot com>
Subject: expecting SMTP AUTH (Re: Relaying Denied)
Quoting Ken Hohhof (ken at mixedsignal dot com):
> > Why would netscape 4 for Mac choke and not other versions? I think you
> > may be chasing a strawman there.
>
> AFAIK all versions of Netscape 4 have the problem that if AUTH is offered,
> the client must be configured to authenticate. The only reason I mentioned
> Macs is that Netscape 4 is the most common mail client on Mac OS/8 and
> OS/9. Many Mac users hate Microsoft so much they won't use OE. Now
> with OS/X, Apple has its own mail client which was pretty spartan in version
> 1.1 but is more full-featured in version 1.2.
>
> Regarding dictating to a customer base that they must use SMTP AUTH,
> you must have a captive customer base. If we turned that on one day we
> would get thousands of angry tech support calls and a sizable percentage
but you CAN demand it for remote customers. Eg. if you're coming
from one of my IP addresses, I can allow you through. If you're coming
from "the net", you don't relay without it.
> would switch to another ISP if only out of spite. When you're in a
> commodity
> service business, and all your customers think they know what
> they're doing even if they don't, and they think it's always your
> fault even though it usually isn't, then we can't take the attitude
> "what, are you too stupid to check a box and fill in your username
> and password?"
Switching ISP's is less an option as the festival of small ISPs is
pretty much gone.
And you can approach it as a security thing. As long as you have
an infrastructure to manage it (https web page to allow password
changes and passwords that aren't the "main" one).
You can take the attitude that: "once you configure your system,
it's automatic" and you can watch logs for a couple months to see
who is *not* using it and offer them help.
Date: Sun, 9 Feb 2003 15:13:32 -0800
From: Randall Gellens <randy at qualcomm dot com>
Subject: Re: confirmation
At 11:29 AM +0100 2/9/03, Cliff Sarginson wrote:
> > DSNs are requested at the SMTP (transport) level, and can result in
>> positive acknowledgment of a message's arrival at the last server
>> (the user's spool). It must be supported by the originating
>> submission program, and all servers in between. It does not indicate
>> if the message was ever downloaded by the user, but it can give a
>> reasonable indication that the message wasn't lost en route.
>>
> Mmm. As you are implying this does expect co-operation all the way down
> the line, plus the co-operation of the end-receiver.
DSNs rely on cooperation from every server en route, including the
final one. To be more accurate, requesting non-default DSN behavior
requires this. By default, most servers generate failure DSNs which
include the full original message. The DSN extension mechanisms
allow the originator to request various non-default behavior, such
as success, relay, or delay DSNs, and can request that only the
headers of the original message be included. In addition, the
extension mechanism allows the originator to supply a unique
identifier which will be included in the DSN. These mechanisms are
great for mailing lists, for example, but could also be handy for
user agents to, for example, indicate to the author the current known
status of the delivery of a message to each recipient (success,
failure, delay, relay). Relay status indicates that the message was
passed to a server which does not support the DSN extensions.
> I personally never
> allow DSN messages .. since I politically disapprove of them (but that
> is another story :) ..
What about them do you disapprove of?
> They can generate a fair amount of more or less
> white-noise email,
have you seen this?
> and are unreliable at best. I don't think they can be
> relied upon as proof of anything very much anyway.
I'm not sure DSNs are ever appropriate as "proof" of anything. Their
reliability is directly related to the proportion of servers that
support them. They can be useful. Certainly a failure DSN is very
useful. A success DSN at least tells you the message made it that
far. A relay DSN doesn't tell you much. No DSN tells you anything
about the disposition of the message, by design.
--
Randall Gellens
Opinions are personal; facts are suspect; I speak for myself only
-------------- Randomly-selected tag: ---------------
You can create your own opportunities this week. Blackmail a
senior executive.
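Added example (not part of the thread): a Python sketch of how a list manager or user agent could read a returned DSN and recover the per-recipient status (success, failure, delay, relay) and the originator-supplied envelope identifier described above. The sample report, its addresses and the identifier are constructed; parsing relies on the standard `email` package, which exposes each header block of a `message/delivery-status` part as its own message object.

```python
import email

# Constructed sample DSN (multipart/report); all names and ids are made up.
SAMPLE_DSN = """\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
To: list-owner@example.org
Subject: Delivery status notification
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="dsn-boundary"

--dsn-boundary
Content-Type: text/plain

Delivery report for your message.

--dsn-boundary
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Original-Envelope-Id: LIST-20030209-0001

Final-Recipient: rfc822;alice@example.com
Action: delivered
Status: 2.0.0

Final-Recipient: rfc822;bob@example.edu
Action: relayed
Status: 2.0.0

Final-Recipient: rfc822;carol@example.com
Action: failed
Status: 5.1.1

--dsn-boundary--
"""


def summarize_dsn(raw):
    """Return envelope id and {recipient: action}, or None if not a DSN."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or (msg.get_param("report-type") or "").lower() != "delivery-status"):
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            blocks = part.get_payload()
            break
    else:
        return None
    if not isinstance(blocks, list) or not blocks:
        return None  # malformed status part
    per_message, per_recipient = blocks[0], blocks[1:]
    recipients = {}
    for block in per_recipient:
        final = block.get("Final-Recipient", "")
        address = final.split(";", 1)[-1].strip()  # drop the "rfc822;" type
        recipients[address] = (block.get("Action") or "").strip().lower()
    return {
        "envelope_id": per_message.get("Original-Envelope-Id"),
        "reporting_mta": per_message.get("Reporting-MTA"),
        "recipients": recipients,
    }


def needs_follow_up(summary):
    """Recipients whose arrival at the final server is not confirmed."""
    return sorted(addr for addr, action in summary["recipients"].items()
                  if action != "delivered")


if __name__ == "__main__":
    report = summarize_dsn(SAMPLE_DSN)
    print(report["envelope_id"], report["recipients"])
    print("follow up:", needs_follow_up(report))
```
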
Last updated on 10 Feb 2003 by Pensive Mailing List Admin