Specific username and password for SMTP authentication
I just moved from ArgoSoft mailserver to hMailserver due to instability on Argo.
I would like the following features in hMailServer.
Make it possible to set a specific username and password for SMTP authentication in hMailServer. So the users will not be able to send emails using pop3 username and password.
Last edited by ^DooM^ on 2008-04-14 13:26, edited 2 times in total.
Reason: Added Poll
PS: I need this because I run a free email service, where the users can sign up directly from web. So I want to disallow them to send out mails via my server using bulk emails and outlook.... this way only allowing them to use the webmail, where I can better control how many messages they are sending to how many recipients!!
> Dan wrote: Yes some users will be able to send out over the server, but only the ones I chose to give the SMTP auth username and password to....
Considering to move from MailEnable Standard to hMailserver, for IMAP primarily, I'd like this feature to be added too. ME allows you to set global SMTP authentication, and same as Dan only a number of the 120+ accounts on my present setup need to be able to send through my server.
I still have to shrink, to grow up.
Urgofrodel Heul
Re: Specific username and password for SMTP authentication
Joining the request. Moved from Mailenable recently and consider that feature to be useful.
Re: Specific username and password for SMTP authentication
Am I missing something here?
Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.
Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.
I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.
Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Specific username and password for SMTP authentication
> mattg wrote: Am I missing something here?
> Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.
> Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.
> I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.
> Matt
Hi Matt,
Interesting thought, I must say. I'll have to consider it. Thanks.
I still have to shrink, to grow up.
Urgofrodel Heul
Re: Specific username and password for SMTP authentication
> mattg wrote: Am I missing something here?
> Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.
> Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.
> I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.
> Matt
it sounds plausible, but how do you create a rule to not allow deliveries to an account ? And wouldn't it defeat the purpose of having an account on the server ? And with forwarding, it puts an increased load on the server. Imagine forwarding hundreds of emails and then deleting them, quite a load on CPU, don't you think ? And as for authentication, it wouldn't decrease security at all ? How would it ? One still need to authenticate to relay !
Re: Specific username and password for SMTP authentication
> sheck wrote:
> > mattg wrote: Am I missing something here?
> > Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.
> > Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.
> > I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.
> > Matt
> it sounds plausible, but how do you create a rule to not allow deliveries to an account ? And wouldn't it defeat the purpose of having an account on the server ?
Purpose of having single username for authentication is not about delivery of email to that account. It is about controlling people who can relay through email server.
So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.
Re: Specific username and password for SMTP authentication
> dzekas wrote: Purpose of having single username for authentication is not about delivery of email to that account. It is about controlling people who can relay through email server.
> So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.
That's right, it is so users can relay email without having to have an account on the server.
If there is a feature to block all incoming emails on an account and still have it active, then it's useful for the same purpose (at least for the time being).
As for scripts - it may be possible, but what we are asking is a built-in feature, so people don't have to write scripts to do it.
Re: Specific username and password for SMTP authentication
> sheck wrote: it sounds plausible, but how do you create a rule to not allow deliveries to an account ?
Umm using rules...
If to equals 'master@domain.com' then delete message
or for forwarding,
Account >> forwarding >> forward message to xxx@domain.com and uncheck the 'keep original message'
> sheck wrote: And wouldn't it defeat the purpose of having an account on the server ? And with forwarding, it puts an increased load on the server. Imagine forwarding hundreds of emails and then deleting them, quite a load on CPU, don't you think ?
No actually. hmailserver handles a very large amount of email. There is very little impact if the mail is forwarded to a local account. I have a number of accounts setup that aren't used in the traditional sense, some for testing, one just so that one user a local address - all his mail is forwarded to an account that he actually checks (and not kept - ie deleted)
> sheck wrote: And as for authentication, it wouldn't decrease security at all ? How would it ? One still need to authenticate to relay !
I reckon that if there is a 'known' master key, users won't be afraid to share it, whereas if users have to use their own username, they are more likely to be a little more circumspect as to who else knows it. For instance I may share a 'common password' to a mate or two, who then may share them with some more mates etc. My private password won't even be given to my best mate. In fact because I'm an Aussie and my best mate's an Aussie, I would be more likely to give you who I don't know, my personal password - not at all. My best mate would cause trouble with it, just because he is my best mate.
I believe that you as the operator of the server are going to lose some control over who uses your server as a relay. Someday someone who you didn't give your masterkey to will use it, and you won't know who gave it out.
Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Specific username and password for SMTP authentication
I'd suggest a feature request adding an option to the account record to allow SMTP authentication (or not). Accounts with this option de-selected should not be able to authenticate with SMTP service. It's far better to know who's trying to hack the system than to have a common password in the wild.
Even better, additionally define two passwords that cannot be identical. One for POP3/IMAP and one for SMTP. In case someone gets hold of a user's POP/IMAP password they'd still be unable to send mail.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Specific username and password for SMTP authentication
> dzekas wrote: So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.
http://www.hmailserver.com/documentatio ... com_client
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Specific username and password for SMTP authentication
I think an option to allow / disallow sending for each account is by far the neatest solution.
It would be nice to be able to specify a different password for SMTP for each account, but this should be optional on a per-account basis.
A single password to authenticate for all accounts sounds like a bad idea.
Re: Specific username and password for SMTP authentication
I think that individual SMTP authentication is a must. My web/mail provider must have email/password coincidence in order to use his SMTP and I cannot send directly because I have a dynamic IP. As I see the comments here there is no trick to send mail via the provider ???
Regards,
Ole
Re: Specific username and password for SMTP authentication
olni, think you've misunderstood the request in this thread. Have you configured hMailServer to use your ISP's server as relay server? If so, can't you just specify the username/password in the SMTP relay settings?
Re: Specific username and password for SMTP authentication
I will never say that I haven't misunderstood something, but:
In the hmailserver I can specify one common user/password (for all the accounts) for using my ISP as relay. However, my ISP (or rather the hosting service for my domain) needs a separate username and password for each account. I would like the hmailserver to receive the emails from the clients (Thunderbird) and pass them on to the ISP, now I have to connect the clients directly to the ISP.
Regards,
Ole
Re: Specific username and password for SMTP authentication
> In the hmailserver I can specify one common user/password (for all the accounts) for using my ISP as relay. However, my ISP (or rather the hosting service for my domain) needs a separate username and password for each account.
That's not possible at the moment. But this is not what the feature request in this topic is about. Are you sure that your ISP rejects email if you're using a fixed username/password when sending email?
Re: Specific username and password for SMTP authentication
Totally sure. He checks the from-address and if it is not the right one, I get an error and the mail is not sent. A "bad" solution could be to create one from-address for all the clients and only keep the individual reply-to address.
I don't know if anything can be done using scripting???
Regards,
Ole
Re: Specific username and password for SMTP authentication
> I don't know if anything can be done using scripting???
I doubt it. You could probably change the from address, but that would cause bounce-messages to be sent to an incorrect location.
I don't think there's a simple solution to your problem..
Re: Specific username and password for SMTP authentication
SorenR
This sounds like a good idea yes....
My point in this is that I want to force all but a few select users to use the webmail....
And I don't want the ordinary user to be able to send out emails from Outlook, as using the pop3 username and password would allow anyone to send out over my server as long as they have an account.... running a free email service that means that anyone on the internet can create an account and use the pop3 username and password to spam....
It just happened to me a few weeks ago, I sent 200K spam mails from my server from one account and I was listed in several DNSBLs (still listed in one in Poland, can't figure out to get delisted).
BUT YES..... an option per user level would be better than the global option I suggested.
Re: Specific username and password for SMTP authentication
I totally support this feature. I'm running hMailServer on Windows Server 2003 and use the integrated SMTP Server on a different port for my emails to relay.
Again I offer free email on my website but do not allow any relay unless it comes from localhost (like the webmail software). It would be nice if hMailServer allowed to create a super username and password to allow to relay no matter what. It would obviously be up to the server admin to protect that password and change it as needed, just like a stupid admin could possibly open up their server to spam relay.
Re: Specific username and password for SMTP authentication
* bump * I'd love to see this option too!
Re: Specific username and password for SMTP authentication
> Again I offer free email on my website but do not allow any relay unless it comes from localhost (like the webmail software). It would be nice if hMailServer allowed to create a super username and password to allow to relay no matter what. It would obviously be up to the server admin to protect that password and change it as needed, just like a stupid admin could possibly open up their server to spam relay.
That sounds like a hack. In one piece of the configuration you tell hMailServer that isn't possible and in another piece you say "nevermind". Also, if I implement that I can guarantee that some user will request a feature where you can specify multiple "super" usernames.
This sounds like a specific scenario where using a script would be better than to implement the functionality in hMailServer.
Re: Specific username and password for SMTP authentication
Well, but how to do it by script?
#1- I can't use "mail from", because it will make it impossible to send with different identities.
#2- I can't use the client IP-Address because most ("Super")Users do not have a static IP-Address.
#3- ("Super")Users are my family and some special friends only. So I trust them to keep the password secret.
At the moment my workaround is to run hMailServer SMTP service on an uncommon port and to disallow relay unless the connection is established by the host where my webmail resides. For regular relay I use ArGoSoft Pro running SMTP service on Port 25 protected by the global password. It works fine, but I was hoping to get rid of the second SMTP relay when hMailServer 5 is out.
I think it is a common problem for all who are running a Webmail Service which allows self-registration. Users sign up by Webmail and they begin to spam using a bulk email client.
Maybe for others who run hMailServer in a "closed shop" environment it is not even a nice to have, but for me it is essential.
Re: Specific username and password for SMTP authentication
> Well, but how to do it by script?
How about checking whether the client's IP address is either 127.0.0.1, or that the authenticated user name is superuser@example.com?
Re: Specific username and password for SMTP authentication
Thanks! Yes, that should work. Think easy! I missed that Client.Username should hold the username transmitted by authentication data, f.e. ...
Code:
YmVudXR6ZXJuYW1l <----- SUPERUSER
334 UGFzc3dvcmQ6
cGFzc3dvcnQ=
235 Authentication successful
... and not what is sent by "mail from" ...
Code:
mail from: someidentity@somewhere.com
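The check suggested above (accept when the client is 127.0.0.1 or the authenticated user name is superuser@example.com), written out as an hMailServer event-handler script. This is an added example, not code posted in the thread or taken from the hMailServer project; it relies on hMailServer's scripting names OnAcceptMessage, oClient.IPAddress, oClient.Username and Result. The webmail address, the allow list and the rejection text are assumptions, and it deliberately lets unauthenticated sessions through so that inbound mail from other servers is still accepted.

```vbscript
' Added example for hMailServer's EventHandlers.vbs (scripting must be enabled).
' Assumed values: adjust to your own installation.
Const WEBMAIL_IP = "127.0.0.1"              ' host the webmail front end connects from
Const SUPERUSERS = "superuser@example.com"  ' semicolon-separated accounts allowed to use SMTP AUTH

' True when the authenticated name is on the allow list (case-insensitive).
Function IsSuperUser(sUsername)
    Dim sName
    IsSuperUser = False
    For Each sName In Split(SUPERUSERS, ";")
        If LCase(Trim(sName)) = LCase(Trim(sUsername)) Then
            IsSuperUser = True
            Exit Function
        End If
    Next
End Function

' Decide on the session, not on the envelope sender: "mail from" is
' client-supplied, while Username is what was proven by SMTP AUTH.
Function MaySubmit(sIPAddress, sUsername)
    If sIPAddress = WEBMAIL_IP Then
        ' The webmail host is the sanctioned path, where sending limits are enforced.
        MaySubmit = True
    ElseIf sUsername = "" Then
        ' No SMTP AUTH: another mail server delivering inbound mail.
        ' External relaying for these sessions stays governed by the
        ' server's own relay settings, so do not block them here.
        MaySubmit = True
    Else
        ' Authenticated with an ordinary account from outside webmail.
        MaySubmit = IsSuperUser(sUsername)
    End If
End Function

Sub OnAcceptMessage(oClient, oMessage)
    If Not MaySubmit(oClient.IPAddress, oClient.Username) Then
        Result.Value = 2   ' reject the message and return Result.Message to the client
        Result.Message = "SMTP submission is not enabled for this account; please use webmail."
    End If
End Sub
```

Keeping the allow list to named individual accounts, rather than one shared login, preserves the ability to see which account was used when a rejected or abusive session shows up in the logs.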
Re: Specific username and password for SMTP authentication
I was looking for a setting where to set the SMTP password and couldn't find it, but this Feature Request answered my question.
So everyone with a POP account on the server can send mail through SMTP. This is certainly what you'd want in most cases, although most mail providers have separate SMTP and POP3 passwords.