# SMTP password



## Understudy (Jul 12, 2013)

Hi,

I recently set up a mail server using this guide: http://www.purplehat.org/?page_id=4. I can access the webmail via Roundcube. And all appears to work properly (slowly but properly). I would like to set it up on Thunderbird. I have the mail server name, I have a user and name for webaccess. However I cannot seem to recall where I was asked for an SMTP password. So my question is where do you usually put the SMTP password?

Sincerely,

Brendhan


----------



## quintessence (Jul 12, 2013)

Hello,

In this guide saslauthd is used for authentication, so if your Thunderbird is outside the IP addresses from the permit_mynetworks directive, when you use your local mail client, you have to use your username and password to authenticate when trying to send emails via your outgoing SMTP host.

Also check your settings for saslauthd about -r -a pam flags in /etc/rc.conf.


----------



## ShelLuser (Jul 12, 2013)

Just to complete the hints; of course there's also nothing stopping you from simply adding your public IP address to the mynetworks directive in the Postfix main.cf configuration file. That will tell Postfix to allow incoming relays from that IP address, so then you don't need to authenticate using Thunderbird.


----------



## wblock@ (Jul 12, 2013)

Won't that make a public open relay, though?


----------



## ShelLuser (Jul 12, 2013)

wblock@ said:

> Won't that make a public open relay, though?


No, it only allows relaying for connections which originate from that specific IP address.

Of course care needs to be taken how you set it up; you should always specify a netmask of /32 so that you limit your entry to one single IP address and don't accidentally add a whole netblock.

I'm very sure about the relay part by the way; I'm using this same setup myself. Both my home network as well as my parents use my company's SMTP server. Fortunately for me my cable connection assigns me an IP address which hardly changes.

But when it does I can notice it right away, because from that point on I can no longer send nor receive any e-mails. So definitely not an open relay.


----------
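The /32 point from the post above, as an added example that is not part of the original thread: it checks which client addresses fall inside a `mynetworks` value and flags entries that cover more than one host. The function names and sample addresses are assumptions made for illustration, and only plain address/mask entries are parsed.

```python
import ipaddress

def parse_mynetworks(value):
    """Return the literal networks in a mynetworks value.

    Assumption: only plain address or address/mask entries are handled;
    anything else (table lookups, file names, "!" exclusions) is skipped.
    """
    networks = []
    for entry in value.replace(",", " ").split():
        entry = entry.replace("[", "").replace("]", "")  # [::1]/128 form
        try:
            networks.append(ipaddress.ip_network(entry))
        except ValueError:
            continue
    return networks

def relays_without_auth(client_ip, networks):
    """True if client_ip falls inside one of the listed networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks)

def broad_entries(networks):
    """Non-loopback entries that cover more than one address."""
    return [str(n) for n in networks
            if n.num_addresses > 1 and not n.is_loopback]

# Constructed values; 203.0.113.0/24 is a documentation range.
HOST_ONLY = "127.0.0.0/8, 203.0.113.45/32"
WHOLE_BLOCK = "127.0.0.0/8 203.0.113.0/24"

if __name__ == "__main__":
    for label, value in (("host only", HOST_ONLY), ("whole block", WHOLE_BLOCK)):
        nets = parse_mynetworks(value)
        # 203.0.113.200 stands for another customer behind the same provider.
        print(label,
              "| neighbour trusted:", relays_without_auth("203.0.113.200", nets),
              "| broad entries:", broad_entries(nets))
```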



## Understudy (Jul 12, 2013)

The responses have opened up more questions. I travel quite a bit. I am in one hotel or another. So I would expect to be able to access it from anywhere. Just like I currently do with my other emails. This is the first time I have set up my own physical server so this learning curve is giving me more insight.

I want to be able to access my email via Thunderbird no matter where I am. Even on the WiFi of some fast food place. I have the domain registered, the DNS is set and port 25 works. I want to be able to reply from anywhere as mentioned above. So what is the best way to handle this?

Sincerely,

Brendhan


----------



## ShelLuser (Jul 13, 2013)

Understudy said:

> I want to be able to access my email via Thunderbird no matter where I am. Even on the WiFi of some fast food place. I have the domain registered, the DNS is set and port 25 works. I want to be able to reply from anywhere as mentioned above. So what is the best way to handle this?


Then password authentication is the better approach.

Obviously it's not doable to add the IP address of every location you'll be. And even if it was it wouldn't be preferable because if you'd add the public IP address of a hotel to your SMTP server you'd basically give everyone in the hotel access to it.

So in this case you'd need to leave port 25 (SMTP) and 110 (POP3) or 143 (IMAP) open in your firewall, set it up so that your mailserver accepts authentication and you should be home free.

One important suggestion though: make sure to set up OpenSSL and either create a certificate for yourself or create a request for one after which you can buy one online. The reason should be obvious: this kind of traffic (SMTP, POP3 or IMAP) is basically plain text.

So if you're at a hotel nicely logging onto your server while not using SSL (encryption) then you're basically providing others with your exact logon information. Not the best approach if you want to keep your e-mails private.


----------



## Understudy (Jul 13, 2013)

ShelLuser said:

> Then password authentication is the better approach.
> 
> Obviously it's not doable to add the IP address of every location you'll be. And even if it was it wouldn't be preferable because if you'd add the public IP address of a hotel to your SMTP server you'd basically give everyone in the hotel access to it.
> 
> ...



That was my basic thought process. However the details are what is going to matter. As I mentioned. I used the FreeBSD Purplehat setup. This was my first time doing this so the learning curve has been steep with several crashes. However I believe there is a certificate in place. When I did the setup I followed through the process and made some adjustments as I needed to with the more current versions. However saying I was in a bit over my head would be correct. 

So what adjustments would I need to make to be able to do the SMTP and SSL authentication?

Sincerely,

Brendhan


----------



## ShelLuser (Jul 13, 2013)

Understudy said:

> However I believe there is a certificate in place. When I did the setup I followed through the process and made some adjustments as I needed to with the more current versions. However saying I was in a bit over my head would be correct.
> 
> So what adjustments would I need to make to be able to do the SMTP and SSL authentication?


Not to worry, this stuff has been rough for most of us at the beginning. And even if you already do have some experience in this field it can still end up rough when you're going to use something else (I still remember the pain when I started using Exim (a mailserver such as Postfix or Sendmail)).

Anyway, I think I may have been a little unclear up there; SSL isn't so much an authentication mechanism on its own. It's merely used to secure the communication between your mailprogram (the client) and Postfix (the server).

So basically you'd first set up SMTP authentication; this allows SMTP clients to authenticate themselves after which the server will accept e-mails from them which aren't destined for the local server itself. In a normal situation an SMTP server only accepts e-mails which are addressed to recipients which it knows about.

Then you can set up your SMTP server to use SSL. This will provide clients another way to communicate with the server, instead of using plain text the connection will get encrypted so that anything sitting between the client (your mailprogram) and the server cannot listen in on the conversation.

I hope an example might make things easier to understand for you. Let's say I want to send an e-mail on the commandline. I could use a program like mutt or mail. I can also talk to my mailserver directly:


```
smtp2:/home/peter $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp2.xxx.com ESMTP Postfix
helo localhost
250 smtp2.xxx.com
mail from: root@localhost
250 2.1.0 Ok
rcpt to: peter@localhost
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: This is a locally generated / made email
Hello World, errr, Peter! :-)
.
250 2.0.0 Ok: queued as D11BD1084C
quit
221 2.0.0 Bye
Connection closed by foreign host.
smtp2:/home/peter $
```
And that's what I meant with plain text up there. The whole conversation between client and server is nothing more than a stream of ASCII text.

Now; if you have authentication set up you'd also see commands like AUTH and such passing through:


```
smtp2:/home/peter $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 smtp2.xxx.com ESMTP Postfix
helo localhost
250 smtp2.xxxx.com
auth login
334 VXNlcm5hbWU6
cgV5aDqMp3=
334 UGFzc3dvcmQ6
MMOkcaDmbA==
235 2.7.0 Authentication successful
quit
221 2.0.0 Bye
```
And although everything after auth login may look like encrypted mumbo-jumbo, it's actually merely a so called "base64 encoding" (see MIME::Base64(3) if you want to know more). Worse yet: it's also easily decoded. Let's see what the server was asking when it replied with 334 UGFzc3dvcmQ6:


```
smtp2:/home/peter $ perl -MMIME::Base64 -e 'print decode_base64("UGFzc3dvcmQ6");'
Password:smtp2:/home/peter $
```
(and before anyone asks: I know better than to share a valid username / password, even though I removed the actual domain).

So as you can see; that's why it's better to use SSL to provide encryption whenever you're going to use authentication on your SMTP server. Not so much to provide another way to authenticate, but to provide a _safer_ way to authenticate.

Hope this can help to clear things up for you.


----------
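The AUTH LOGIN exchange described in the post above, as an added example that is not part of the original thread: it reads a plaintext SMTP capture, decodes the base64 prompts and replies, and reports when AUTH was sent without a preceding STARTTLS. The capture, host names and credentials are constructed; the `S: ` / `C: ` line prefixes and function names are assumptions of this sketch.

```python
import base64
import binascii

# Constructed capture ("S: " server, "C: " client); the 334 prompts are the
# ones quoted in the post, the credentials are made up ("alice" / "hunter2").
SAMPLE_SESSION = """\
S: 220 mail.example.org ESMTP Postfix
C: EHLO laptop.example.org
S: 250-mail.example.org
S: 250-STARTTLS
S: 250 AUTH LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 2.7.0 Authentication successful
"""

def b64text(token):
    """Decode a base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def audit_session(transcript):
    """Return (decoded AUTH LOGIN pairs, findings) for a plaintext capture."""
    decoded, findings = [], []
    tls_requested = expecting_reply = False
    prompt = None
    for raw in transcript.splitlines():
        side, _, line = raw.partition(": ")
        verb = line.split(" ", 1)[0].upper()
        if side == "C" and expecting_reply:
            # Client answer to a 334 prompt: base64 is encoding, not encryption.
            decoded.append((prompt, b64text(line.strip())))
            expecting_reply = False
        elif side == "C" and verb == "STARTTLS":
            tls_requested = True
        elif side == "C" and verb == "AUTH" and not tls_requested:
            findings.append("AUTH before STARTTLS: credentials readable on the wire")
        elif side == "S" and verb == "334":
            prompt, expecting_reply = b64text(line[4:].strip()), True
    return decoded, findings

if __name__ == "__main__":
    pairs, issues = audit_session(SAMPLE_SESSION)
    print(pairs, issues)
```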



## Understudy (Sep 26, 2013)

First and foremost my apologies for the delay in replying. I have been on the road. I am slowly beginning to get a very basic understanding about what you talk about. 

With the 334 VXNlcm5hbWU6, basically the next thing I do is put in the email and then with the next one I put in a password. Is that correct?


----------

