Email security options

[bodysplit]

I had already posted this on the german forums, but as suggested by BeNe I also make it public here.

After setting up 1.0RC2 and updating it to a more recent nighty, I have stumbled over some problems which might need changes in the future.

I already opened as a ticket are the typos in postfix configs. Hey it is also been fixed already!

Next, courier-auth is sending DIGEST-MD5 and CRAM-MD5 for authentication. I think besides IMAP and POP3, also SMTP is affected (I didn't check if sasl is using courier or MySQL). Anyhow, MD5-based auth doesn't work without a computed hash. ISPCP user creation should be modded according to this info. I personally prefer the generation of a userdb from MySQL as it realy speeds up mail server authentication, at least on my setup.

If MD5-based authentication works, we could kick out clear-text PASSWORD and LOGIN authentication on non-SSL connections, just to make sure a clear-text password is never being used.

Checking communication with several other public mail servers, I also had to find out that my self-signed certificate isn't accepted by some servers. Therefore mail is getting lost. I made it like Google and moved authentication completly to port 587. This said port 25 doesn't give AUTH or STARTTLS any more. 587 has to be used by every customer to send mail out, but it's working realy good. Perhaps it's an idea for 1.1.

Less on security, mailbox quotas aren't implemented per-user. Just like having an option to give every mailbox access to POP/IMAP and anti-virus/spam. I will check these and submit patches if I can.

Last, mail forwards are counted like mailboxes although they should be handled individually just like domain aliases.

Okay, that's it for some real long post.

[joximu]

One point is (seems to me).
Today it's not possible to have a mailbox temporarly act as forward only and then set back to normal mailbox.

So - the forward-being-mailbox is maybe not a bad solution but it should be possible to change from mailbox to forward without removing the mailbox (and all mails in it).
We already had this somewhere in the forum...

/J

[bodysplit]

I think this could be done. You have an alias lookup step and you have a mailbox lookup step. In the typical mysql-postfix howto's you'll find on the net, they mostly have 2 tables, one for the aliases and one for the mailboxes.

I will do some testings and think about the whole setup. At first I will exchange courier with dovecot. Then I will have a look at the delivery thing. The problem is, when we want to change a mailbox to an alias forever, the mail will not be deleted. But one might add an clear mailbox step for this in the web-interface.

This all comes together with mailbox quotas and stuff. I definitly will have a look at all this these days. I realy want to get my hands dirty

[raphael]

Quote:mailbox quotas aren't implemented per-user

mailbox quotas ARE counted in the user's disk usage; but they aren't actually used by postfix

[Cube]

Quote:mailbox quotas ARE counted in the user's disk usage;

Which is quite strange. What do I need to change to disable this?

[bodysplit]

raphael Wrote:

Quote:mailbox quotas aren't implemented per-user

mailbox quotas ARE counted in the user's disk usage; but they aren't actually used by postfix

That's the domain-users setting. I meant the individual email user. My domain owners want to give their users mailboxes with say 20 MB or one 50 MB oder 100 MB. Just like each should have a setting for accessing the mailbox via IMAP or POP. On the other hand, antivirus and antispam could be set on a per-domain basis (set by the resellers).

[raphael]

Quote:What do I need to change to disable this?

hack around the disk usage script of the engine

Quote:My domain owners want to give their users mailboxes with say 20 MB or one 50 MB oder 100 MB

you can do it by writing the proper map to be used (see the main.cf).

[BeNe]

I found this HowTo on the Wishlist --> http://vhcs.puuhis.net/wiki/index.php/Mail_quota

Maybe you can work with it...

Greez BeNe