SMTP authentication via key instead of username/password

General discussions and other topics.
3 posts Page 1 of 1
by lr » Mon Jul 16, 2018 10:17 am
We have a private domain registered and served by Sonic, which implies that all outgoing mail goes through mail.sonic.net, which works excellently. Typical laptops use various mail programs (such as Apple Mail on a Mac), and they all store a Sonic username (such as "lr") and a password. I trust modern OSes to store the password securely enough.

My current question is the server at home, which uses a normal Unix-style OS; in our case FreeBSD instead of the more common Linux, but that makes no difference. It also sends emails, although very rarely; it doesn't relay for other machines at home. To send e-mail, I have the username and password for the Sonic "lr" account, stored in cleartext (!) in the configuration file for the outgoing MTA (in our case ssmtp or OpenSMTPD). Admittedly, that is sort of secure: the configuration file is only readable by root, and if a hacker can become root on my server at home, I have big problems anyway. Still, it bugs me to have our Sonic password in cleartext stored in a file. It also bugs me that the username and password are going in cleartext (or just base64 encoded) over the wire.

It should be possible to encode that username/password in a key or certificate, and present that key/certificate to Sonic for authentication, right? I spent a little while reading about it, and haven't found a clear guide on how to do that. Sonic's own documentation doesn't go down to that level, it is more about setting up a desktop mail program.

I'm not even sure that Sonic's outgoing mail server would support that: Here is a log from a manual session talking to the mail server:


> telnet mail.sonic.net 587
Trying 64.142.7.162...
Connected to mail.sonic.net.
Escape character is '^]'.
220 mail.sonic.net ESMTP [d]
EHLO house.lr.los-gatos.ca.us
250-d.mail.sonic.net Hello [47.155.141.100], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 35882577
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP

If I read that ESMTP response correctly, it seems that Sonic only supports "plain" and "login" authentication.

Some hints, please?
Linda and Ralph and John; 735 Sunset Ridge Road; Los Gatos, CA 95033; 408-395-1435
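As an added example (not code from the post and not Sonic's), the following Python script does what a careful relay client should do with the EHLO reply quoted above: parse the capability list, show that AUTH PLAIN is only base64 encoding (so it may only ever be sent inside TLS), and refuse to authenticate unless TLS has been negotiated and the capabilities have been re-read afterwards. The EHLO text is the one from the post; the credentials "lr" / "hunter2" and the function names are placeholders. The client function at the end touches the network and is not exercised offline.

```python
"""Added example: inspect an ESMTP EHLO reply and gate SMTP AUTH on TLS.

Not code from the forum post or from Sonic.net. The EHLO sample is copied from
the session in the post; user "lr" and password "hunter2" are made up.
"""
import base64
import smtplib
import ssl

# Constructed sample: the capability list mail.sonic.net returned in the post.
SAMPLE_EHLO = """\
250-d.mail.sonic.net Hello [47.155.141.100], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 35882577
250-DSN
250-AUTH PLAIN LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP"""


def parse_ehlo(response: str) -> dict[str, list[str]]:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line is the server greeting and carries no capability.
    """
    caps: dict[str, list[str]] = {}
    for line in response.splitlines()[1:]:
        if not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {line!r}")
        words = line[4:].split()
        if words:
            caps[words[0].upper()] = words[1:]
    return caps


def auth_plain_payload(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 AUTH PLAIN: base64(authzid NUL authcid NUL password).

    Encoding, not encryption: whoever sees these bytes has the password.
    """
    raw = f"{authzid}\0{user}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(payload: str) -> tuple[str, str, str]:
    """Recover (authzid, user, password) from an AUTH PLAIN payload."""
    authzid, user, password = base64.b64decode(payload).decode("utf-8").split("\0")
    return authzid, user, password


def safe_to_authenticate(caps: dict[str, list[str]], tls_active: bool) -> tuple[bool, str]:
    """Policy to apply before sending credentials.

    The capability list seen before STARTTLS is unauthenticated (an on-path
    attacker can strip the STARTTLS line), so `caps` must come from a second
    EHLO issued after the TLS handshake.
    """
    if not tls_active:
        if "STARTTLS" in caps:
            return False, "STARTTLS is offered; negotiate TLS first, then EHLO again"
        return False, "server offers no TLS on this port; do not send credentials"
    mechs = caps.get("AUTH", [])
    if not mechs:
        return False, "no AUTH advertised after TLS"
    if "EXTERNAL" in mechs:
        return True, "EXTERNAL offered: client-certificate auth is possible"
    if {"PLAIN", "LOGIN"} & set(mechs):
        return True, "only password mechanisms offered: " + " ".join(mechs)
    return False, "no supported mechanism: " + " ".join(mechs)


def relay_with_starttls(host: str, user: str, password: str, sender: str,
                        recipient: str, message: str, port: int = 587) -> None:
    """Send one message on port 587, enforcing the policy above (network code).

    For implicit TLS on port 465 use smtplib.SMTP_SSL and skip starttls().
    """
    context = ssl.create_default_context()  # verifies the server certificate
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("server does not offer STARTTLS; refusing to authenticate")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-read capabilities inside TLS
        caps = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        ok, reason = safe_to_authenticate(caps, tls_active=True)
        if not ok:
            raise RuntimeError(reason)
        smtp.login(user, password)  # PLAIN/LOGIN, now inside TLS
        smtp.sendmail(sender, [recipient], message)
```

Note what the sample shows: the server advertises AUTH PLAIN LOGIN and STARTTLS but no EXTERNAL mechanism, so there is nothing for a client certificate to authenticate against; the password has to be sent, and the only defence is sending it inside TLS and keeping the credential in a root-only file for an account that can do nothing but send mail.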
by kgc » Mon Jul 16, 2018 11:31 am
"also bugs me that the username password are going in cleartext" -- they aren't, connections are secured either with implicit or explicit SSL.

You could use a mailbox user explicitly for the purpose of SMTP auth for your server.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by lr » Mon Jul 16, 2018 1:06 pm
Thanks for reminding me that ports 465 and 587 use SSL, one worry less.

Use a mailbox user? Cool idea; give that thing a throwaway password, store no valuable information in its mail inbox, and then the possible damage is limited to an attacker who gets that password sending some e-mail, which is survivable. Thanks!