=======================================================================
smtpauth 0.94 - Authenticating proxy for servers without SMTP AUTH
Copyright (C) 2004, Jem E. Berkes
=======================================================================

Using the 'smtpauth' and 'stunnel' programs to add SMTP AUTH (PLAIN, LOGIN)
support to any SMTP server. Clients can authenticate over SSL on port 465
or in cleartext on port 587, and every authentication attempt is logged
via syslog. Works with JBMail, Pegasus Mail, Mozilla Thunderbird,
MS Outlook...

This software is really an interim solution until our favourite MTA(s)
support SSL/TLS and SMTP AUTH directly. For now I prefer using external
programs to provide this functionality rather than patching MTA source.

smtpauth does not have to run in conjunction with stunnel, but it is
recommended. You could also use smtpauth for cleartext only, with inetd.

============================
1. Compile and install the binary.

   make

   Copy 'smtpauth' to /usr/sbin, owned by root, mode 755.

============================
2. Create a special user 'smtpauth' with its own group, no login allowed.

   smtpauth will immediately exit with an error if invoked as root. For
   security it must be run from a low-privilege account; stunnel (step 3)
   and inetd (step 6) are configured below to switch to that account
   before launching it.

============================
3. [For SSL, port 465] Configure stunnel.conf. Change 'domain' to your
   site's mail host name.

   setuid = smtpauth
   setgid = smtpauth
   debug = auth.notice
   client = no

   [smtps]
   accept = 465
   exec = /usr/sbin/smtpauth
   execargs = smtpauth domain 127.0.0.1

   stunnel binds port 465 as root, then drops to the smtpauth user and
   group before running the proxy. 'debug = auth.notice' is the syslog
   facility and level for stunnel's own messages.

============================
4. Configure /etc/smtpauth.conf

   This file should be readable only by the smtpauth user (for example,
   owned by smtpauth, mode 600), since it stores passwords in plain text.
   Each line holds one username and one password separated by whitespace.
   Blank lines and comment lines starting with # are ignored.

   user1 pass1
   user2 pass2

============================
5. [For SSL, port 465] Start up stunnel.

   This creates a server running as smtpauth on port smtps/465. When an
   SMTP client connects (SSL/TLS), the smtpauth program is launched and
   provides the authentication service, proxying through to 127.0.0.1:25.
   Your actual SMTP server accepts the mail because, from its point of
   view, the connection is local. The mail headers will include
   X-SMTP-AUTH indicating the authenticated username. Successes and
   failures are logged via syslog.

============================
6. [For cleartext, port 587] Configure the cleartext submission service
   in inetd.

   Since inetd (when started with -W) also supports TCP wrapping, the
   smtpauth proxy can be run straight out of inetd too. Note that this is
   somewhat risky: there is no SSL/TLS encryption on the submission port
   (587), and AUTH PLAIN and AUTH LOGIN only base64-encode the password,
   so it crosses the network readable by anyone who can sniff it. Limit
   this service to networks you trust, or leave it out.

   Again, change 'domain' for your site (e.g. mail.yoursite.tld):

   submission stream tcp nowait smtpauth /usr/sbin/smtpauth smtpauth domain 127.0.0.1

============================
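The credential checking an smtpauth-style proxy must perform for the PLAIN and LOGIN mechanisms, together with a small client probe for exercising a deployed proxy, as an added example in Python. This is illustration code, not the smtpauth program's own source: the function names, the constructed SAMPLE_CONF contents and the assumption that the proxy advertises AUTH in its EHLO reply are the example's own.

```python
"""Added example: SMTP AUTH PLAIN/LOGIN checking against an smtpauth.conf-style
file, plus a client probe for a deployed proxy. Not smtpauth's own code."""
import base64
import hmac
import smtplib
import ssl

# Constructed sample in the /etc/smtpauth.conf format described above:
# one "username password" per line, blank lines and '#' lines ignored.
SAMPLE_CONF = """\
# accounts allowed to submit through the proxy
user1 pass1

user2    pass2
"""


def parse_conf(text):
    """Return {username: password}; reject malformed lines instead of guessing."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed smtpauth.conf line: %r" % raw)
        users[parts[0]] = parts[1]
    return users


def check_password(users, username, password):
    """Constant-time compare; unknown users take the same path as bad passwords."""
    expected = users.get(username, "")
    match = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return match and username in users


def plain_token(username, password, authzid=""):
    """Client side of AUTH PLAIN (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    raw = (authzid.encode("utf-8") + b"\0" + username.encode("utf-8")
           + b"\0" + password.encode("utf-8"))
    return base64.b64encode(raw).decode("ascii")


def auth_plain(users, token):
    """Server side of 'AUTH PLAIN <token>'. True only for a valid login."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return False
    authzid, authcid, passwd = parts
    if authzid and authzid != authcid:
        return False            # no proxy authorization: act only as yourself
    try:
        return check_password(users, authcid.decode("utf-8"), passwd.decode("utf-8"))
    except UnicodeDecodeError:
        return False


def auth_login(users, user_b64, pass_b64):
    """Server side of AUTH LOGIN: the client's two base64 replies to
    '334 VXNlcm5hbWU6' ("Username:") and '334 UGFzc3dvcmQ6' ("Password:")."""
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
        password = base64.b64decode(pass_b64, validate=True).decode("utf-8")
    except ValueError:          # bad base64 or bad UTF-8
        return False
    return check_password(users, username, password)


def probe(host, port, username, password, use_ssl=True, helo="mail.example.com"):
    """Exercise a deployed proxy: implicit TLS on 465, or cleartext on 587.
    Cleartext puts the base64 password on the wire readable; lab use only.
    Returns the reply code of a NOOP issued after login (250 on success).
    Assumes the proxy advertises AUTH in its EHLO reply so smtplib can log in."""
    if use_ssl:
        conn = smtplib.SMTP_SSL(host, port, context=ssl.create_default_context())
    else:
        conn = smtplib.SMTP(host, port)
    with conn:
        conn.ehlo(helo)
        conn.login(username, password)   # picks PLAIN or LOGIN from the EHLO reply
        return conn.noop()[0]


if __name__ == "__main__":
    users = parse_conf(SAMPLE_CONF)
    print(auth_plain(users, plain_token("user1", "pass1")))                   # True
    print(auth_login(users, "dXNlcjI=", "cGFzczI="))                          # True ("user2"/"pass2")
    print(auth_plain(users, plain_token("user1", "pass1", authzid="user2")))  # False
```

To check a live deployment, call `probe("mail.yoursite.tld", 465, "user1", "pass1")` for the stunnel service or `probe(host, 587, user, password, use_ssl=False)` for the inetd one, then confirm the syslog entry the proxy writes for that attempt; the `authzid` check in `auth_plain` is the detail most often skipped in home-grown proxies, and skipping it lets a client authenticate as one user while asking to act as another.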