Networking

  • Working system, but how do I do this?

    Hey everyone,
    We are currently upgrading our mail system to a new server and
    thought it was a good idea to integrate qmail with our LDAP system so
    users will not need local accounts on our mail server (don't ask why it
    was done that way!). We have successfully set up a basic qmail-ldap
    system and have done some preliminary testing; everything works fine,
    but we are a little confused about something.
    Since we only have one mail server, this is what we are trying to
    accomplish:
    Be able to receive e-mail to our domain plus act as a secondary for a
    few others (easily done - no problems here)
    Require all users to access mail via imap-ssl (done - using courier IMAP
    and authldap)
    Require all users to send mail via smtpd-ssl or using TLS or something!
    It needs to be secure, and users need to authenticate!
    The last point is where we are having difficulties. We need the smtp
    server to accept mail for our domain on port 25, but we also need all
    users to use SSL and authenticate themselves before sending.
    Do we need to have a completely separate install under say /var/qmail1
    or is there an easier way to do this? We have searched quite a few docs
    and can't seem to get anything concrete.
    Any help is appreciated!
    Mike
  • No.1

    Quoting Mike Lowrie <mlowrie (AT) vendetta (DOT) ca>:

    The last point is where we are having difficulties. We need the smtp
    server to accept mail for our domain on port 25, but we also need all
    users to use SSL and authenticate themselves before sending.

    Just set the variable 'SMTPAUTH="TLSREQUIRED"' (this example requires
    a TLS connection IN ADDITION to authentication!).

    I do this in the tcp.smtp file:

    s n i p
    root@aurora# grep SMTPAUTH /etc/tcp.smtp
    :allow,QMAILQUEUE="/var/qmail/bin/simscan",LDAPSOFTOK="Yes",SMTP550DISCONNECT="Yes",SANITYCHECK="Yes",RBL="1",RETURNMXCHECK="Yes",SMTPAUTH="TLSREQUIRED",LOGLEVEL="3"
    s n i p

    Then in the init script for qmail, I do this:

    s n i p
    export SMTPAUTH="TLSREQUIRED"
    # How many concurrent connections to allow
    concurrency_smtp="-c 500"
    # multilog - keep 2000 files with 1MB each
    keep_size=1000000
    keep_count=2000
    []
    logger_smtp="| multilog t s$keep_size n$keep_count /var/log/qmail/smtp"
    []
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    []
    /usr/bin/tcpserver -- $concurrency_smtp \
    -v -u qmaild -g 65534 -x /etc/tcp.smtp.cdb 0 smtp \
    /usr/bin/pbscheck /var/qmail/bin/qmail-smtpd \
    2>&1 $logger_smtp &"
    s n i p

    The SMTPAUTH variable here is just to be VERY
    safe that it's set correctly. I honestly
    can't remember which file to put it in now.
    It was done a few years ago :)
  • No.2

    Turbo Fredriksson wrote:
    Quoting Mike Lowrie <mlowrie (AT) vendetta (DOT) ca>:
    >The last point is where we are having difficulties. We need the smtp
    >server to accept mail for our domain on port 25, but we also need all
    >users to use SSL and authenticate themselves before sending.

    Just set the variable 'SMTPAUTH="TLSREQUIRED"' (this example requires
    a TLS connection IN ADDITION to authentication!).

    I do this in the tcp.smtp file:

    s n i p
    root@aurora# grep SMTPAUTH /etc/tcp.smtp
    :allow,QMAILQUEUE="/var/qmail/bin/simscan",LDAPSOFTOK="Yes",SMTP550DISCONNECT="Yes",SANITYCHECK="Yes",RBL="1",RETURNMXCHECK="Yes",SMTPAUTH="TLSREQUIRED",LOGLEVEL="3"
    s n i p

    I have a qmail-smtpd.rules (which is called by the smtpd run file) in my
    /control directory containing this:

    s n i p
    127.:allow,RELAYCLIENT=""
    :allow,SMTPAUTH="TLSREQUIRED",NOPBS=""
    s n i p

    Then in the init script for qmail, I do this:

    s n i p
    export SMTPAUTH="TLSREQUIRED"
    # How many concurrent connections to allow
    concurrency_smtp="-c 500"
    # multilog - keep 2000 files with 1MB each
    keep_size=1000000
    keep_count=2000
    []
    logger_smtp="| multilog t s$keep_size n$keep_count /var/log/qmail/smtp"
    []
    tcprules /etc/tcp.smtp.cdb /etc/tcp.smtp.tmp < /etc/tcp.smtp
    []
    /usr/bin/tcpserver -- $concurrency_smtp \
    -v -u qmaild -g 65534 -x /etc/tcp.smtp.cdb 0 smtp \
    /usr/bin/pbscheck /var/qmail/bin/qmail-smtpd \
    2>&1 $logger_smtp &"
    s n i p

    The SMTPAUTH variable here is just to be VERY
    safe that it's set correctly. I honestly
    can't remember which file to put it in now.
    It was done a few years ago :)

    Mine is similar (I did a slightly different install):

    s n i p
    tcpserver -v -URl $ME -x$QMAIL/control/qmail-smtpd.cdb \
    ${CONCURRENCY:+"-c$CONCURRENCY"} ${BACKLOG:+"-b$BACKLOG"} 0 smtp \
    $QMAIL/bin/qmail-smtpd $QMAIL/bin/auth_smtp /bin/true
    s n i p

    I have the SMTPAUTH environment variable set in
    /service/smtpd/env/SMTPAUTH, which is read earlier on in the run script.

    I have done some testing which suggests that the above setup works as
    planned, but out of curiosity, if mail is being delivered from another
    mail server to one of my local users, how is it able to accept without
    requiring TLS and SMTPAUTH? Does this setup always allow mail to be
    delivered for local domains and require authentication for sending to
    non-local domains?

    Thanks for your help,
    Mike
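
Both answers above drive everything through tcpserver's -x rules file: the source address of the connection selects a rule, and that rule's variables (RELAYCLIENT, SMTPAUTH, NOPBS, ...) become the environment qmail-smtpd runs with. The script below is an added example, not code from the posts or from qmail-ldap or ucspi-tcp. It parses the address:allow|deny,VAR="value" lines shown in the thread, resolves which rule a client IP hits using tcpserver's lookup order (exact address, then 1.2.3., 1.2., 1., then the default rule with an empty address; a connection no rule matches is accepted with no extra environment), and lints the result for the classic mistake of handing RELAYCLIENT to the default rule. The rules files it reads are constructed here from the two answers; host-name, ident and address-range rules are not handled. What qmail-smtpd then does with the environment (which is Mike's open question) is outside what the script can show.

```python
"""Evaluate tcprules-style access rules the way tcpserver -x applies them.

Added example for this thread; not code from the posts, qmail-ldap or ucspi-tcp.
Supported syntax (an assumption; the subset used in the thread):
    [address]:allow|deny[,VAR="value"]...
where address is empty (default rule), a dotted prefix like 127., or a full IP.
"""
import re
from dataclasses import dataclass, field

# Constructed rules file merging the two answers above (not a real file).
SAMPLE_RULES = """\
# loopback may relay without AUTH; everyone else must STARTTLS, then AUTH
127.:allow,RELAYCLIENT="",NOPBS=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan",SMTPAUTH="TLSREQUIRED",LOGLEVEL="3"
"""

# Constructed mistaken variant: the default rule hands RELAYCLIENT to everyone.
OPEN_RELAY_RULES = """\
:allow,RELAYCLIENT="",SMTPAUTH="TLSREQUIRED"
"""

_LINE_RE = re.compile(r'^([0-9.]*):(allow|deny)((?:,[A-Za-z_][A-Za-z0-9_]*="[^"]*")*)$')
_VAR_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


@dataclass
class Rule:
    address: object          # "" = default rule, "127." = prefix, "1.2.3.4" = exact, None = no match
    action: str              # "allow" or "deny"
    env: dict = field(default_factory=dict)


def parse_rules(text):
    """Return {address: Rule}; raise ValueError on a line this parser does not accept."""
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unsupported or malformed rule: {line!r}")
        address, action, env_part = m.groups()
        # variables only matter on allow rules; a denied connection never reaches qmail-smtpd
        env = dict(_VAR_RE.findall(env_part)) if action == "allow" else {}
        if address in rules:
            raise ValueError(f"line {lineno}: duplicate rule for address {address!r}")
        rules[address] = Rule(address, action, env)
    return rules


def lookup(rules, ip):
    """Rule tcpserver applies to ip: exact address, then 1.2.3., 1.2., 1., then default."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 address: {ip!r}")
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for key in candidates:
        if key in rules:
            return rules[key]
    # tcpserver accepts a connection that matches no rule, setting no extra variables
    return Rule(None, "allow")


def environment_for(rules, ip):
    """Environment qmail-smtpd sees for a client at ip, or None if tcpserver drops it."""
    rule = lookup(rules, ip)
    return None if rule.action == "deny" else dict(rule.env)


def lint(rules):
    """Flag rules that grant relaying, or withhold AUTH, more broadly than intended."""
    warnings = []
    for addr, rule in rules.items():
        if rule.action != "allow" or "RELAYCLIENT" not in rule.env:
            continue
        if addr == "":
            warnings.append("default rule sets RELAYCLIENT: open relay for every client")
        elif addr.count(".") == 1 and addr != "127.":   # single-octet prefix other than loopback
            warnings.append(f"rule {addr!r} sets RELAYCLIENT for an entire /8")
    default = rules.get("")
    if default is not None and default.action == "allow" and "SMTPAUTH" not in default.env:
        warnings.append("default allow rule does not set SMTPAUTH: AUTH is not enabled for remote clients")
    return warnings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for client in ("127.0.0.1", "203.0.113.5"):
        print(client, "->", environment_for(rules, client))
    print("lint:", lint(rules) or "clean")
    print("lint (open relay):", lint(parse_rules(OPEN_RELAY_RULES)))
```

Running it shows the split the thread is after: 127.0.0.1 gets RELAYCLIENT and no AUTH requirement, while any other address gets only SMTPAUTH="TLSREQUIRED" and simscan; the lint on the second, constructed file reports the open relay. Feeding it the real /etc/tcp.smtp before running tcprules is a cheap pre-commit check.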
