betabug... Sascha Welter


19 April 2007

Mail out from GPRS or from... anywhere

Complicated but recommended mails setup

Since I still haven't got ADSL at the new apartment [1], I rely again (as in the old days on Limnos) on a GPRS connection through my mobile phone to receive and send mail. Hmm, that "send mail" part is actually the interesting bit. Nowadays it can be hard to send mail at all when you're not in any "normal" Internet situation. For example: spam blocks on dynamic IP ranges make many mail servers refuse mail coming from my GPRS connection, while other mail servers do greylisting, which is inconvenient when you're relying on short, timed and expensive connections [2]. But there is one setup that almost guarantees you get your mail out...

It's complicated and voluminous though: I set up STARTTLS and SMTP AUTH on my server (running sendmail), then set up the same on my MacBook (with postfix). That way I send mail exclusively through my own mail server, so I control who may relay through it and let the server do the heavy lifting of talking to other servers. Here are a few notes.

For sendmail on OpenBSD: to set up STARTTLS, the starttls(8) manpage takes you by the hand and walks you through the necessary steps. It's easy enough. Setting up SMTP AUTH involves two steps: first installing and configuring the cyrus-sasl port, then recompiling sendmail with the WANT_SMTPAUTH=Yes environment variable set and reconfiguring it. I'm not going to write yet another howto on this. I'd like to mention though that I enjoyed the option of having SASL authenticate against my IMAP server -- that way I don't have to set up yet another set of logins, or use system passwords (I don't like to mix ssh logins with mail logins).

Postfix on Mac OS X wasn't too hard either. Again, howtos abound on the web. Whenever I have to configure postfix I think how funny it is that postfix users claim its configuration is easier than sendmail's, when in the end you have config files with tons and tons of almost similar options -- so you have to look everything up anyway. Never mind, it worked with minimal fuss.

The last step was -- of course -- to check that my server config is still locked tight and that no open relay was created by mistake.

So in the end postfix and sendmail encrypt their SMTP connection, postfix authenticates at sendmail's end, and there SASL hands the password over to uw-imap for verification. All that in order to send a couple of mails now and then.

1: Hey Vivodi, don't you think it's about time to get your act together? This game starts to get boring.
2: Yahoo... I had tried for almost an hour to send a mail to a Yahoo customer. They do greylisting nowadays. But they have a ton of MX servers, so my laptop's mail server tried a different one on each retry and never got past the greylisting.
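The same flow in Python, as an added example that is not code from the post: send_via_own_server() does what the laptop's postfix does (EHLO, STARTTLS with certificate verification, SMTP AUTH, then the message), and relay_check() is the "is my server still locked tight" test from the last step. Host names, the account and the addresses are placeholders, and the scripted server replies used to run the check offline are constructed in sendmail's reply style.

```python
"""Added example, not from the post: submit mail through our own server over
STARTTLS + SMTP AUTH, and self-check that the server is not an open relay."""
import io
import smtplib
import ssl
from email.message import EmailMessage

RELAY_HOST = "mail.example.org"   # assumption: our own sendmail box
RELAY_PORT = 587                  # submission port; 25 also works if STARTTLS is offered there


def send_via_own_server(user, password, msg, host=RELAY_HOST, port=RELAY_PORT):
    """Submit `msg` through our own server.  Refuses to continue in the clear or
    without AUTH, so the password only ever travels inside TLS."""
    ctx = ssl.create_default_context()         # verifies chain and host name
    with smtplib.SMTP(host, port, timeout=30) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("server did not offer STARTTLS")
        s.starttls(context=ctx)
        s.ehlo()                               # EHLO again after TLS (RFC 3207)
        if not s.has_extn("auth"):
            raise RuntimeError("server did not offer AUTH inside TLS")
        s.login(user, password)
        s.send_message(msg)


def relay_check(smtp, envelope_from, envelope_to):
    """Unauthenticated MAIL FROM an outside sender / RCPT TO an outside recipient.
    Returns the RCPT reply code: 250 means the server would relay for anyone,
    a 5xx ('Relaying denied' / 'Relay access denied') means it is locked tight.
    Nothing is sent: the envelope is discarded with RSET instead of DATA."""
    smtp.ehlo()
    code, _ = smtp.mail(envelope_from)
    if code != 250:
        return code
    code, _ = smtp.rcpt(envelope_to)
    smtp.rset()
    return code


def is_open_relay(smtp):
    return relay_check(smtp, "probe@outside.example", "someone@elsewhere.example") == 250


def check_live_server(host=RELAY_HOST, port=25):
    """Run the relay check against a real server (network needed)."""
    with smtplib.SMTP(host, port, timeout=30) as s:
        return is_open_relay(s)


# ---- offline harness: constructed server replies, so the check runs without a network
class _ScriptedSocket:
    """Stand-in socket that replays canned SMTP replies (constructed, not a real MTA)."""
    def __init__(self, replies):
        self.sent = []
        self._rx = io.BytesIO("".join(r + "\r\n" for r in replies).encode("ascii"))

    def sendall(self, data):
        self.sent.append(data)

    def makefile(self, mode):
        return self._rx

    def close(self):
        pass


def scripted_smtp(replies):
    """An smtplib.SMTP object wired to _ScriptedSocket instead of a network socket."""
    s = smtplib.SMTP(local_hostname="laptop.example")   # no host given: no connect()
    s.sock = _ScriptedSocket(replies)
    s.file = None
    return s


# Constructed replies in sendmail's style: the locked-down server refuses the
# outside recipient, the misconfigured one accepts it.
LOCKED_REPLIES = ["250-mail.example.org Hello laptop.example", "250 STARTTLS",
                  "250 2.1.0 <probe@outside.example>... Sender ok",
                  "550 5.7.1 <someone@elsewhere.example>... Relaying denied",
                  "250 2.0.0 Reset state"]
OPEN_REPLIES = ["250 mail.example.org Hello laptop.example",
                "250 2.1.0 <probe@outside.example>... Sender ok",
                "250 2.1.5 <someone@elsewhere.example>... Recipient ok",
                "250 2.0.0 Reset state"]


if __name__ == "__main__":
    print("locked server is an open relay?", is_open_relay(scripted_smtp(LOCKED_REPLIES)))
    print("misconfigured server is an open relay?", is_open_relay(scripted_smtp(OPEN_REPLIES)))
```

The relay check deliberately stops at RCPT TO and resets, so nothing is queued even if the server does accept the recipient; run check_live_server() against your own box after every configuration change, which is the point the post makes about verifying that no relay was opened by mistake.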

Posted by betabug at 16:13
Re: Mail out from GPRS or from... anywhere

I use SMTP-TLS too, with a Postfix "client" on my MacBook Pro and a Postfix MTA that relays my mail after checking that my MacBook Pro's X.509 v3 certificate is valid and that it is listed in the authorized client certificates map.
I also force the allowed algorithms like this:
smtp_tls_cipherlist = DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA

But sometimes I have to use a workaround that involves setting up an SSH tunnel to the MTA, because some ISPs automatically redirect your mail, without any prior notice, through a "transparent" MTA on their network. When this happens, you can see it very quickly: you realize that mail is stuck in the client's queue, and checking your MTA's logs will tell you that the client (the ISP's MTA that pretends to be the real client) either didn't offer SMTP-TLS or didn't show a valid certificate.

Posted by: Saad Kadhi at April 21,2007 21:23
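The symptom described in the comment above (mail stuck in the client's queue because the far end did not offer TLS or presented a bad certificate) can be spotted from the client's own log. The following triage script is an added example, not part of the comment or of Postfix; the log lines are constructed and modelled on Postfix smtp-client messages, and the host names, IPs and queue ids are placeholders.

```python
"""Added example: bucket a mail client's deferrals by TLS failure reason so an
interposed 'transparent' MTA shows up quickly.  Sample log is constructed."""
import re
from collections import Counter

# Constructed sample: a laptop's postfix trying to reach its own MTA while something
# in between answers instead.  The third line shows the mail finally getting through.
SAMPLE_LOG = """\
Apr 21 20:58:01 laptop postfix/smtp[3121]: 7A1B2C: to=<friend@elsewhere.example>, relay=mail.example.org[192.0.2.10]:25, delay=2.1, status=deferred (Server certificate not verified)
Apr 21 21:03:17 laptop postfix/smtp[3150]: 7A1B2C: to=<friend@elsewhere.example>, relay=mail.example.org[192.0.2.10]:25, delay=318, status=deferred (TLS is required, but was not offered by host mail.example.org[192.0.2.10])
Apr 21 21:09:40 laptop postfix/smtp[3170]: 7A1B2C: to=<friend@elsewhere.example>, relay=mail.example.org[192.0.2.10]:25, delay=701, status=sent (250 2.0.0 Ok: queued as 4F2A1)
Apr 21 21:10:02 laptop postfix/smtp[3171]: 8D3E4F: to=<other@elsewhere.example>, relay=mail.example.org[192.0.2.10]:25, delay=0.9, status=sent (250 2.0.0 Ok: queued as 4F2A2)
"""

# One delivery attempt per line: queue id, relay host, status and the detail in parentheses.
LINE_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*?relay=(?P<relay>\S+), "
    r".*?status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# Failure reasons worth alerting on, in the order they are tested.
REASONS = [
    ("tls_not_offered", re.compile(r"TLS is required, but was not offered")),
    ("cert_rejected",   re.compile(r"Server certificate not (?:verified|trusted)")),
]


def classify(detail):
    """Map a deferral detail string to a reason name, or None if it is not TLS-related."""
    for name, rx in REASONS:
        if rx.search(detail):
            return name
    return None


def triage(log_text):
    """Return (per-reason counts, {queue id: [(reason, relay), ...]}) for deferred
    attempts whose detail points at a TLS problem.  Successful sends are ignored."""
    counts = Counter()
    suspects = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["status"] != "deferred":
            continue
        reason = classify(m["detail"])
        if reason:
            counts[reason] += 1
            suspects.setdefault(m["qid"], []).append((reason, m["relay"]))
    return counts, suspects


if __name__ == "__main__":
    counts, suspects = triage(SAMPLE_LOG)
    print(dict(counts))
    for qid, hits in suspects.items():
        print(qid, hits)
```

A single deferral of either kind is enough to be suspicious when the relay host is your own server, which you know offers STARTTLS and has a certificate you trust; a run of them across several queue ids is the pattern the comment describes.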