From thread viewtopic.php?f=7&t=35680 I digressed from the topic of SSL problems to configuring security and authentication in general, more so specific to the setup for Port 25 for server to server communication whilst maintaining best practice security.
Continuing from the above thread:
I'm still missing something... port 25 must be enabled (mandatory) but authenticating must not be mandatory. We advise disabling authentication on port 25 completely as server to server comms will always be unauthenticated, and authenticated communication should be via (probable) port 587. (So, if someone is attempting to authenticate on port 25 they are likely to be undesirable.)
As far as I am aware, connection security is separate to authentication and I have set up hMailServer accordingly.
- TCP/IP port 25 SMTP Connection Security STARTTLS (Optional). So use of SSL/TLS should be optional. i.e. a secure connection is optional.
- IP Ranges typical configuration:
  - Require SSL/TLS for authentication (i.e. do not authenticate on an insecure connection)
  - Require SMTP authentication on External to local e-mail addresses = false.
  - Require SMTP authentication on Local to external or local e-mail addresses = true
  - Allow deliveries for external to external e-mail addresses * = false

- another mail server may submit external mail without authenticating;
- all of my clients must authenticate in order to send emails;
- my server will not act as a relay (external to external)
- my server will only accept local emails and emails to/from local
Maybe I have misinterpreted all of the settings but I cannot see where one could follow your advice. There is no option to disable authentication on an individual port configuration. There is only the ability to enable secure connection.
All of my inbound email (that which I receive which is also what I expect) comes from secure connections on port 25 using STARTTLS.
I'm not keen to open up connectivity to all of those rogue connection attempts just to see what they might send me.
Would you care to clarify the terminology you are using and advise whether my settings as described above are compliant?
Thanks and BTW thanks for the previous replies - quite a quick turnaround.