My brain hurts. No really. Being a true paranoid about all things security related, I decided to
lock down the email server for the outside people who will be sending mail through it. Why? Well. In order to prevent
being an Open Relay, we want to require passwords
from people who want to send out email from our email server. These people will also be logging in
using POP3
or IMAP to fetch their email.
So what’s the problem? Well, everytime you log in to a POP3 or IMAP server to fetch your email, or log in to an SMTP server to
send mail (assuming that SMTP server requires a password to send mail),
you are sending your password in plain text, unencrypted for the whole world to see! Not good.
What’s the solution? Why
SSL/TLS of course!
And the nice part is, you don’t have to fork cash over to Verisign just to get SSL certificates.
Become your own CA!
Now, with the help of some HOW-TO docs on the net and a handy firewall or two, all external persons we wish to allow to send outgoing email
must use IMAP over SSL (IMAPS), POP3 over SSL (SPOP3), or TLS over SMTP in addition to their usual user names and passwords. Way cool, but not exactly easy.
Here’s a list of links that got me through it without killing someone or throwing a server out of the window: