Thu 07 Aug 2003
Category : Technology/sial.org.txt
I'd like to say a thank you to Jeremy Mates. His notes, plus the hefty sendmail "bat" book from O'Reilly, have been my constant companions these last few days. If people ever do get a one-click Sendmail Enabler with SMTP-AUTH plus STARTTLS, you know where the good stuff came from.
Why not write directly? Now, from my own experience, you get tons of mail when you put up stuff like these - things that border on the arcane. Some of the questions come from so far out, it frightens me the number of cycles I've got to use to process it. If I've read the queries and comments following the James Duncan Davidson article at MacDevCenter, I may never have dared put this up on versiontracker. I wrote to Duncan Davidson just to thank him. I never got a reply and I don't blame him. After countless such messages about problems running sendmail, I don't blame anyone for running for the hills. Talk about DontBlameSendmail.
Category : Technology/smtp-suth.txt
I'm just re-surfacing after diving into the murky depths of the beast. For there is no other name for sendmail. It's a beast of a system.
But I'm amazed I could even compile sendmail from source. So, now I've got a version of sendmail with smtp-auth that works. And I know how to put that in, in place of the stock sendmail version that comes with OS X, and also how to take it out.
And I also know enough how to put in Postfix, swap out sendmail, and do the reverse.
And, I can confirm that the version of the pop server I bundle with Sendmail Enabler does SSL. I'm still having some problems with the Airport Extreme Base Station, but it works beautifully when it's sitting behind the original base station. If I can figure out how to set up the certification stuff with just one click, you can pull your mail down from the POP server under SSL
So, a summary. Even though I can do smtp-auth, I'm wondering what's the point? It was meant to make sure that people on the move can always get back to the home server to send out mail, because that's what smtp-auth does - it authenticates the user before authorising the user to send mail. But, if you make authentication a requirement (otherwise it makes no sense to have it), it creates a downside - this server can now only send mail out. Another mail server that is trying to send mail to this server probably won't know how to authenticate itself to this server. So you end up having to set up two servers, one for sending out mail and another for receiving mail.
But with Sendmail Enabler, people on the move can enable sendmail on their PowerBooks to send mail out themselves. They only need to go to their home server to receive their in-coming mail. For added security, this takes place under SSL so that all the communication is encrypted. They've always had to authenticate themselves anyway when they're retrieving mail.
So, I believe that's the optimal solution. Freed from the need to act as a relay for roaming users, the home server can be set up with the tightest of security, including a variety of strategies for blocking spam. Also, you get a freer hand to tie the workings of the mail server with back-office e-commerce applications - there are variety of hooks in sendmail to do that - since most of the users are sending mail out directly from their own workstations.
I had a concern that Sendmail Enabler could have made it even easier for spammers to equip themselves with their own spamming engine. But, if you free your mail server from having to relay anything from outside your local network, you cut off one source of free bandwith for the spammers. You can't stop them from trying, but at least they're being pushed back to use their own bandwidth. You can, however, put in all the blocks you can muster to kick them out before they can even come into your network. And you can do it better if you don't have to make allowances now and then to let in one of your own guys to use the mail relay. If this works, Sendmail Enabler could have changed the rules of the game - at least for the Mac-speaking world.