Specific username and password for SMTP authentication

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
Post Reply

Do you need this feature?

Yes
16
62%
No
10
38%
 
Total votes: 26

Dan
Normal user
Normal user
Posts: 75
Joined: 2008-02-02 19:40

Specific username and password for SMTP authentication

Post by Dan » 2008-03-17 11:45

I just moved from ArgoSoft mailserver to hMailserver due to instability on Argo.

I would like the following features in hMailServer.

Make it possible to set a specific username and password for SMTP authotentication in hMailSerer. So the users will not be able to lsend emails using pop3 username and password.
Last edited by ^DooM^ on 2008-04-14 13:26, edited 2 times in total.
Reason: Added Poll

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Post by martin » 2008-03-17 13:17

Why do you need number 1?
Last edited by martin on 2008-03-17 20:36, edited 1 time in total.

Dan
Normal user
Normal user
Posts: 75
Joined: 2008-02-02 19:40

Post by Dan » 2008-03-17 14:38

martin wrote:http://www.hmailserver.com/forum/viewtopic.php?t=2241

Why do you need number 1?
PS: I need this because I run a free email service, where the users can sign up directly from web. So I want to disallow them to send out mails via my server using bulk emails and outlook.... this way only allowing them to use the wéwmail, where I can better control how many messages they are sending to how many reciepients!!

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Post by martin » 2008-03-17 20:37

So no-one should be able to send outgoing email from other computers through the server? Or should some be allowed to do it?

westdam
Senior user
Senior user
Posts: 731
Joined: 2006-08-01 21:24
Location: Padova, Italy
Contact:

Post by westdam » 2008-03-17 22:16

mmm if I dont remembe wrong in argosoft mailserver PLUS and PRO version you can choose to set up SMTP auth on pop3 username and password or a unique username/psw for the whole server.

when i was on argo i never found usefull... you're the first argo user that need that function...

Dan
Normal user
Normal user
Posts: 75
Joined: 2008-02-02 19:40

Post by Dan » 2008-03-18 09:24

Yes some users will be able to send out over the server, but only the ones I chose to give the SMTP auth username and password to....

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2008-03-18 10:27

Just setup global rules to delete email not originating from specific accounts.

User avatar
dzekas
Senior user
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Post by dzekas » 2008-03-18 14:10

Dan wrote:Yes some users will be able to send out over the server, but only the ones I chose to give the SMTP auth username and password to....
Do you know IP addresses of users that should be allowed to relay emails?

User avatar
urgje
New user
New user
Posts: 26
Joined: 2008-03-18 13:52
Location: The Netherlands

Post by urgje » 2008-03-20 17:13

Dan wrote:Yes some users will be able to send out over the server, but only the ones I chose to give the SMTP auth username and password to....
Considering to move from MailEnable Standard to hMailserver, for IMAP primarily, I'd like this feature to be added too. ME allows you to set global SMTP authentication, and same as Dan only a number of the 120+ accounts on my present setup need to be able to send through my server.
I still have to shrink, to grow up.
Urgofrodel Heul

sheck
New user
New user
Posts: 5
Joined: 2008-04-14 02:14

Re: Specific username and password for SMTP authentication

Post by sheck » 2008-04-14 04:18

Joining the request. Moved from Mailenable recently and consider that feature to be useful.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Specific username and password for SMTP authentication

Post by mattg » 2008-04-14 04:51

Am I missing something here?

Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.

Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.

I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.

Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
urgje
New user
New user
Posts: 26
Joined: 2008-03-18 13:52
Location: The Netherlands

Re: Specific username and password for SMTP authentication

Post by urgje » 2008-04-14 08:32

mattg wrote:Am I missing something here?

Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.

Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.

I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.

Matt
Hi Matt,

Interesting thought, I must say. I'll have to consider it. Thanks.
I still have to shrink, to grow up.
Urgofrodel Heul

sheck
New user
New user
Posts: 5
Joined: 2008-04-14 02:14

Re: Specific username and password for SMTP authentication

Post by sheck » 2008-04-14 10:14

mattg wrote:Am I missing something here?

Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.

Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.

I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.

Matt
it sounds plausible, but how do you create a rule to not allow deliveries to an account ? And wouldn't it defeat the purpose of having an account on the server ? And with forwarding, it puts an increased load on the server. Imagine forwarding hundreds of emails and then deleting them, quite a load on CPU, don't you think ? And as for authentication, it wouldn't decrease security at all ? How would it ? One still need to authenticate to relay !

User avatar
dzekas
Senior user
Senior user
Posts: 2486
Joined: 2005-10-13 21:28
Location: Lithuania

Re: Specific username and password for SMTP authentication

Post by dzekas » 2008-04-14 10:20

sheck wrote:
mattg wrote:Am I missing something here?

Can't you just create a user called 'master@domain.com' and supply the 'master-password' to all users. Users wanting to send could authenticate as 'master', and then send mail as 'user@domain.com'.

Use a rule to not allow deliveries to 'master@domain.com' or simply forward all messages to 'master@domain.com' to 'admin_user@domain.com' and then delete original message.

I've really got to say that I personally reckon that this 'single SMTP authentication' would decrease security though.

Matt
it sounds plausible, but how do you create a rule to not allow deliveries to an account ? And wouldn't it defeat the purpose of having an account on the server ?
Purpose of having single username for authentication is not about delivery of email to that account. It is about controling people who can relay through email server.

So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.

sheck
New user
New user
Posts: 5
Joined: 2008-04-14 02:14

Re: Specific username and password for SMTP authentication

Post by sheck » 2008-04-14 10:28

dzekas wrote: Purpose of having single username for authentication is not about delivery of email to that account. It is about controling people who can relay through email server.

So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.
That's right, it is so users can relay email without having to have an account on the server.

If there is a feature to block all incoming emails on an account and still have it active, then it's useful for the same purpose (at least for the time being).

As for scripts - it's may be possible, but what we are asking is a built-in feature, so people don't have to write scripts to do it.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Specific username and password for SMTP authentication

Post by mattg » 2008-04-14 15:18

sheck wrote:it sounds plausible, but how do you create a rule to not allow deliveries to an account ?
Umm using rules...
If to equals 'master@domain.com' then delete message
or for forwarding,
Account >> forwarding >>forward message to xxx@domain.com and uncheck the 'keep original message'
sheck wrote:And wouldn't it defeat the purpose of having an account on the server ? And with forwarding, it puts an increased load on the server. Imagine forwarding hundreds of emails and then deleting them, quite a load on CPU, don't you think ?
No actually. hmailserver handles a very large amount of email. There is very little impact if the mail is forwarded to a local account. I have a number of accounts setup that aren't used in the traditional sense, some for testing, one just so that one user a local address - all his mail is forwarded to an account that he actually checks (and not kept - ie deleted)
sheck wrote:And as for authentication, it wouldn't decrease security at all ? How would it ? One still need to authenticate to relay !
I reckon that if there is a 'known' master key, users won't be afraid to share it, where as if users have to use their own username, they are more likely to be a little more circumspect as to who else knows it. For instance I may share a 'common password' to a mate or two, who then may share them with some more mates etc. My private password won't even be given to my best mate. In fact because I'm an Aussie and my best mate's an Aussie, I would be more likely to give you who I don't know, my personal password - not at all. My best mate would cause trouble with it, just because he is my best mate.

I believe that you as the operator of the sever are going to lose some control over who uses your server as a relay. Someday someone who you didn't give your masterkey to will use it, and you won't know who gave it out.

Matt
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
SorenR
Senior user
Senior user
Posts: 6308
Joined: 2006-08-21 15:38
Location: Denmark

Re: Specific username and password for SMTP authentication

Post by SorenR » 2008-04-14 16:13

I'd suggest a feature request adding an option to the account record to allow SMTP authentication (or not). Accounts with this option de-selected should not be able to authenticate with SMTP service. It's far better to know who's trying to hack the system than to have a common password in the wild.

Even better, additionally define two passwords that cannot be identical. One for POP3/IMAP and one for SMTP. In case someone get hold of a user's POP/IMAP password they'd still be unable to send mail.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
mattg
Moderator
Moderator
Posts: 22435
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Specific username and password for SMTP authentication

Post by mattg » 2008-04-16 03:14

dzekas wrote:So the real question is - is it possible to check authenticated user name in hmailserver scripts and to reject users that don't match predefined username.
http://www.hmailserver.com/documentatio ... com_client
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

runningdeere
Normal user
Normal user
Posts: 41
Joined: 2008-04-20 16:15
Location: UK

Re: Specific username and password for SMTP authentication

Post by runningdeere » 2008-04-20 16:25

I think an option to allow / disallow sending for each account is by far the neatest solution.
It would be nice to be able to specify a different password for SMTP for each account, but this should be optional on a per-account basis.
A single password to authenticate for all accounts sounds like a bad idea.

olni
New user
New user
Posts: 3
Joined: 2008-05-30 18:46
Location: Móstoles, Spain

Re: Specific username and password for SMTP authentication

Post by olni » 2008-05-31 13:02

I think that individual SMTP authentication is a must. My web/mail provider must have email/password coincidende in order to to use his SMTP and I cannot send directly because I have a dynamic IP. As I see the comments here there is no trick to send mail via the provider ???

Regards,

Ole

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: Specific username and password for SMTP authentication

Post by martin » 2008-05-31 20:42

olni, think you've misunderstood the request in this thread. Have you configured hMailServer to use your ISP's server as relay server? If so, can't you just specify the username/password in the SMTP relay settings?

olni
New user
New user
Posts: 3
Joined: 2008-05-30 18:46
Location: Móstoles, Spain

Re: Specific username and password for SMTP authentication

Post by olni » 2008-05-31 20:50

I will never say that I haven't misunderstood something :D , but:

In the hmailserver I can specify one common user/password (for all the accounts) for using my ISP as relay. However, my ISP (or rather the hosting service for my domain) needs a separate username and password for each account. I would like the hmailserver to receive the emails from the clients (Thunderbird) and pass them on to the ISP, now I have to connect the clients directly to the ISP.

Regards,

Ole

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: Specific username and password for SMTP authentication

Post by martin » 2008-05-31 20:58

> In the hmailserver I can specify one common user/password (for all the accounts) for using my ISP as relay. However, my ISP (or rather the hosting service for my domain) needs a separate username and password for each account.

That's not possible at the moment. But this is not what the feature request in this topic is about. Are you sure that your ISP rejects email if you're using a fixed username/password when sending email?

olni
New user
New user
Posts: 3
Joined: 2008-05-30 18:46
Location: Móstoles, Spain

Re: Specific username and password for SMTP authentication

Post by olni » 2008-05-31 21:06

Totally sure. He checks the from-address and if it is not the right one, i get an error and the mail is not sent. A "bad" solution could be to create one from-address for all the clients and only keep the individual reply-to address.
I don't know if anything can be done using scripting???

Regards,

Ole

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: Specific username and password for SMTP authentication

Post by martin » 2008-05-31 21:10

I don't know if anything can be done using scripting???
I doubt it. You could probably change the from address, but that would cause bounce-messages to be sent to an incorrect location.

I don't think there's a simple solution to your problem..

Dan
Normal user
Normal user
Posts: 75
Joined: 2008-02-02 19:40

Re: Specific username and password for SMTP authentication

Post by Dan » 2008-06-06 19:09

SorenR

This sounds like a good Idear yes....

My point in this is that I want to force all but a few select users to use the webmail....
And I dont want the ordinary user to be able to send out emails from Outlook, as using the pop3 username and password would allow any one to send out over my server as long as they have an account.... running a free email servicve that means that any one on the internet can create an account and use the pop3 username and password to spam....

It just happend to me a few weeks ago, I sent 200K spam mails from my server from one account :-( and I was listed in several DNSBLs (still listed in one in polæand cant figure out to get delisted).

BUT YES..... an option PR user level would be better than the global option I suggested.

LJKelley
New user
New user
Posts: 2
Joined: 2008-10-30 11:44

Re: Specific username and password for SMTP authentication

Post by LJKelley » 2008-10-30 11:52

I totally support this feature. I'm running hMailServer on Windows Server 2003 and use the integrated SMTP Server on a different port for my emails to relay.

Again I offer free email on my website but do not allow any relay unless it comes from localhost (like the webmail software). It would be nice if hMailServer allowed to create a super username and password to allow to relay no matter what. It would obviously be up to the server admin to protect that password and change it as needed, just like a stupid admin could possible open up their server to spam relay.

rosali
Normal user
Normal user
Posts: 101
Joined: 2008-01-13 18:32

Re: Specific username and password for SMTP authentication

Post by rosali » 2009-01-26 14:57

* bump * I'd love to see this option too!

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: Specific username and password for SMTP authentication

Post by martin » 2009-01-26 15:32

Again I offer free email on my website but do not allow any relay unless it comes from localhost (like the webmail software). It would be nice if hMailServer allowed to create a super username and password to allow to relay no matter what. It would obviously be up to the server admin to protect that password and change it as needed, just like a stupid admin could possible open up their server to spam relay.
That sounds like a hack. In one piece of the configuration you tell hMailServer that isn't possible and in another piece you say "nevermind". :) Also, if I implement that I can guarantee that some user will request a feature where you can specify multiple "super" usernames.

This sounds like a specific scenario where using a script would be better than to implement the functionality in hMailServer.

rosali
Normal user
Normal user
Posts: 101
Joined: 2008-01-13 18:32

Re: Specific username and password for SMTP authentication

Post by rosali » 2009-01-26 16:06

Well, but how to do it by script?

#1- I can't use "mail from", because it will make it unpossible to send with different identies.
#2- I can't use the client IP-Address because most ("Super")Users do not have a static IP-Address.
#3- ("Super")Users are my familiy and some special friends only. So I trust them to keep the password secret.

At the moment my workaround is to run hMailServer SMTP service on an uncommon port and to disallow relay unless the connection is established by the host where my webmail resides. For regular relay I use ArGoSoft Pro running SMTP service on Port 25 protected by the global password. It works fine, but I was hoping to get rid of the second SMTP relay when hMailServer 5 is out.

I think it is a common problem for all who are running a Webmail Service which allows self-registration. Users sign up by Webmail and they begin to spam using a bulk email client.

May be for others who run hMailServer in a "closed shop" environment it is not even a nice to have, but for me it is essential.

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: Specific username and password for SMTP authentication

Post by martin » 2009-01-26 16:10

> Well, but how to do it by script?

How about checking whether the clients IP address is either 127.0.0.1, or that the authenticated user name is superuser@example.com?

rosali
Normal user
Normal user
Posts: 101
Joined: 2008-01-13 18:32

Re: Specific username and password for SMTP authentication

Post by rosali » 2009-01-26 17:16

Thanks! Yes, that should work. Think easy! I missed that Client.Username should hold the username transmitted by authentication data, f.e. ...

Code: Select all

YmVudXR6ZXJuYW1l <----- SUPERUSER
334 UGFzc3dvcmQ6
cGFzc3dvcnQ=
235 Authentication successful
... and not what is sent by "mail from" ...

Code: Select all

mail from: someidentity@somewhere.com

DigDug
New user
New user
Posts: 21
Joined: 2020-12-04 19:46

Re: Specific username and password for SMTP authentication

Post by DigDug » 2021-07-20 18:20

I was looking for a setting where to set the SMTP password and couldn't find it, but this Feature Request answered my question.

So everyone with a POP account on the server can send mail though SMTP. This is certainly what you'd want in most cases, although most mail providers have seperate SMTP and POP3 passwords.

Post Reply