# smtp-auth with qmail

## SerfurJ

i've finished this guide: http://www.gentoo.org/doc/en/qmail-howto.xml and now i'm trying to make sure my smtp server is secure.  

i have the following in /var/qmail/control/conf-smtpd:

```
QMAIL_SMTP_AUTHHOST=$(<${QMAIL_CONTROLDIR}/me)
[ -z "${QMAIL_SMTP_POST}" ] && QMAIL_SMTP_POST=/bin/true
QMAIL_SMTP_CHECKPASSWORD="/var/vpopmail/bin/vchkpw"
QMAIL_SMTP_POST="${QMAIL_SMTP_AUTHHOST} ${QMAIL_SMTP_CHECKPASSWORD} ${QMAIL_SMTP_POST}"
```

so i thought that users would have to use SSL/TLS to send mail from my server.

when testing this out, i put UseTLS=NO and UseTLSCert=NO in my /etc/ssmtp/ssmtp.conf and tried to send mail from a system on another network.  well it was sent, so the smtp-auth isn't working.

i also tried closing the smtp port (25) on the router because i don't really need an smtp server.  when i closed it, users couldn't receive mail, but when i opened it back up, they could.  so for some reason it needs to be open for users to receive mail.

how do i get smtp-auth working and what is the proper way to disable smtp with qmail?  thanks.

----------

## cadaverus

I can help with half of this.. I use qmail but I can't remember how I set it up except that I *exactly* followed the guide on the gentoo site (which is excellent!!). Umm port 25 is both for incoming / outgoing mail. SMTP servers inter-chat on port 25. So for another mail server to talk to yours you have to have port 25 open, mail sending works the same way.

You could maybe secure it by allowing from the internet and disallowing from internal network..

----------

## SerfurJ

ok, that makes sense.  so after you followed the guide, was authentication required by your smtp server?

did you mean secure it by allowing from the internal network and disallowing it from the internet?

i'd like to get smtp-auth working if possible.

----------

## mobiusproject

*SerfurJ wrote:*

> when testing this out, i put UseTLS=NO and UseTLSCert=NO in my /etc/ssmtp/ssmtp.conf and tried to send mail from a system on another network.  well it was sent, so the smtp-auth isn't working.

First of all, to get qmail installed you should have had to uninstall ssmtp (which is the config file you just mentioned).  They block each other out on portage, it's either one or the other.  Tell me what else you have done/worked with and I might be able to help you out further.  If you really don't want an smtp server at all, you should just be able to rm /service/qmail-smtpd && /etc/init.d/svscan restart

I am also working at getting smtp-auth working with a fresh install of qmail-1.03-r15 and vpopmail-5.4.6-r1 and having a hell of a time getting it to work.  At the moment I can send e-mail through my machine as long as I comply with /etc/tcprules.d/tcp.qmail-smtp and don't use a password.  It doesn't matter if I use TLS or not at this point.  I have only done the necessary tweaking to my config files to make the server work properly (except for smtp-auth of course).

My problem is permissions.  The tcpserver service for smtp is run with the uid for qmaild because of /var/qmail/control/conf-common (QMAILDUID=`id -u qmaild`).  Because of this, it first of all can't read /etc/vpopmail.conf (which is owned by root:vpopmail w/ permissions of 640).

Excerpt from /var/log/mail.log

```
Sep 30 23:07:59 junior vpopmail[17780]: vchkpw-smtp: vpopmail user not found email@address.com:x.x.x.x
Sep 30 23:07:59 junior vpopmail[17780]: vchkpw: can't write MySQL logs
```

If I change the ownership of /etc/vpopmail.conf to qmaild:vpopmail it can at least get into the mysql database w/ the usernames and passwords.

Excerpt from /var/log/mail.log

```
Sep 30 23:09:34 junior vpopmail[17780]: vchkpw-smtp: vpopmail user not found email@address.com:x.x.x.x
```

I am thinking that if I have the smtp server run as vpopmail instead of qmaild it might actually work as it's supposed to and find my e-mail address and send the e-mail out, but I haven't tested it yet.

----------

## SerfurJ

*Quote:*

> First of all, to get qmail installed you should have had to uninstall ssmtp

i wasn't clear.  i was testing it out from another system on another network using ssmtp.

*Quote:*

> Tell me what else you have done/worked with and I might be able to help you out further.

that's all i've tried.  i followed the directions in the guide.  i'm at a dead end.  what should i try next?

----------

## mobiusproject

Users do not have to use smtp-authentication if you have their ip address in /etc/tcprules.d/tcp.qmail-smtp.  So, to restrict everyone else but localhost from sending e-mail w/o smtp-auth, your tcp.qmail-smtp should look like this:

```
127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
```

which allows localhost to send anything (so squirrelmail on the same machine will send everything) and you can receive e-mail sent to your domain.

Making the changes as you have done to /var/qmail/control/conf-smtpd should allow people to use smtp-auth, but I have been unable to get it to work.  But it doesn't force people to use it, it only makes it an option.  The above changes to tcp.qmail-smtp will then force everyone else to authenticate, which forces them to use TLS/SSL.

That's about as far as I can go at the moment.  At this point, from what I understand, smtp-auth should just be working, but for me it isn't.  It might just work for you though, and I might just be a fluke case (which would be alright, because then I could try again with a fresh install of everything if need be).

I will help you more if I can if you have other issues though.
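Added example (not from any post in this thread): a small Python checker that applies tcpserver's rule-matching order to a tcp.qmail-smtp file and reports whether a given client would receive RELAYCLIENT, i.e. could relay without SMTP AUTH, so a rule set can be audited for an open-relay default before it is compiled into the cdb. It handles only exact-IP, dotted-prefix and default (empty-address) rules; hostname (`=host`) and last-octet range rules are left out, which is an assumption of this example.

```python
"""Audit a tcprules-style tcp.qmail-smtp file for relay permissions.

Matching order implemented (subset of tcpserver's): exact client IP first,
then dotted prefixes from longest to shortest ("192.168.1.", "192.168.", ...),
then the empty-address default rule. Hostname and range rules are not handled.
"""

# The rule set posted above: localhost may relay, everyone else may only
# deliver to local domains or authenticate first.
SAFE_RULES = """127.0.0.1:allow,RELAYCLIENT="",RBLSMTPD=""
:allow
"""

# Constructed counter-example: a default rule that sets RELAYCLIENT
# hands relay rights to every host on the internet (an open relay).
OPEN_RULES = """:allow,RELAYCLIENT=""
"""

def parse_rules(text):
    """Return (address, action, env) tuples; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        address, _, rest = line.partition(":")
        parts = rest.split(",")
        env = {}
        for item in parts[1:]:
            name, _, value = item.partition("=")
            env[name] = value.strip('"')
        rules.append((address, parts[0], env))
    return rules

def lookup(rules, client_ip):
    """Return the (action, env) tcpserver would apply, or None if nothing matches."""
    table = {}
    for address, action, env in rules:
        table.setdefault(address, (action, env))   # first rule for an address wins
    candidates = [client_ip]
    octets = client_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):       # longest prefix first
        candidates.append(".".join(octets[:n]) + ".")
    candidates.append("")                          # the ":allow" default rule
    return next((table[key] for key in candidates if key in table), None)

def may_relay(rules, client_ip):
    """True if the client is allowed in AND gets RELAYCLIENT (no AUTH needed)."""
    match = lookup(rules, client_ip)
    return match is not None and match[0] == "allow" and "RELAYCLIENT" in match[1]

def is_open_relay(rules):
    """True if the default rule itself grants RELAYCLIENT to any connecting host."""
    return any(a == "" and act == "allow" and "RELAYCLIENT" in env
               for a, act, env in rules)
```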

----------

## SerfurJ

that worked!  thanks.

good luck with your problem.  i would help if i could.

----------

## mobiusproject

Have you tried to use smtp-authentication yet?  And if you have tried it, did it work?

----------

## SerfurJ

i get this message: ssmtp: Authorization failed (535 authorization failed (#5.7.0))

----------

## cadaverus

My server must be open for the internet (for smtp-auth) because it is an internet (only) server; a web host.  This doesn't mean it's an open relay, just that everyone *has* to authenticate (preferably securely but I couldn't convince my partner to force the issue I'm afraid)...

----------

## mobiusproject

It's only considered an open relay if you don't need to authenticate and you can send mail through it from anywhere in the world.  So, no, your machine isn't considered an open relay.

Just use the latest qmail (-r15 I believe) which uses TLS (works with all the e-mail clients I have tested) for encryption before authentication.

And for me to get smtp-authentication working (which I finally did) I had to change the no-files group in /var/qmail/control/conf-common to vpopmail (so it's able to read /etc/vpopmail.conf for the mysql database) and chmod u+s /var/vpopmail/bin/vchkpw (so it actually works, not sure exactly where the permission problem is, but this fixed it, still trying to find a better solution).

But well, it finally works...

----------

## cadaverus

Yeah I know it's not an open relay, I tried to spam from it myself and couldn't =)

That procedure of giving setuid sounds familiar.. I think I had one hiccup related to the qmail doc related to that.. But you've just documented it anyways..

----------

