smtp relay add on?

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
I know the difference. As far as I understood there's currently a renaissance of 465/993 among ISPs, because STARTTLS is considered a privacy problem with the initial unencrypted dialog.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I know the difference. As far as I understood there's currently a renaissance of 465/993 among ISPs, because STARTTLS is considered a privacy problem with the initial unencrypted dialog.

Yes, exactly. STARTTLS suffers from MITM, downgrade & referral attacks. But again, the RFC states it is to be transitory, but it doesn't clearly state why. My point, regardless of 567/465, is the OAuth tokens are already in place in your test.
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
May become:
250-AUTH LOGIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
Any day now. And I'm curious if PLAIN-CLIENTTOKEN will be retained.
 

rvassar

FWIW - Been sitting here playing with Gmail. They are not accepting PLAIN on 465, regardless of the AUTH statement provided.
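As an added example (not code from this thread or any poster), a small client-side policy in Python that parses an EHLO capability list like the 250-AUTH line quoted earlier, refuses to offer PLAIN or LOGIN (which is what a Gmail app password ends up as) unless the session is already under TLS, treats 465 as TLS-from-the-first-byte and 587 as STARTTLS-or-stop, and builds the XOAUTH2 initial response. The EHLO text, hostname and token are constructed, not captured from Gmail; the XOAUTH2 encoding follows Google's published SASL format.

```python
import base64
# Constructed sample EHLO response (not captured from Gmail), modelled on the 250-AUTH line quoted in the thread.
EHLO_TODAY = """250-smtp.example.test at your service
250-STARTTLS
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250 SMTPUTF8"""

# A Gmail app password is still a reusable password carried by PLAIN or LOGIN,
# so those mechanisms are acceptable only once the session is under TLS.
PASSWORD_MECHS = ("PLAIN", "LOGIN")
TOKEN_MECHS = ("OAUTHBEARER", "XOAUTH2")   # bearer-token mechanisms, preferred

def parse_ehlo(response):
    """Map each EHLO keyword to its parameter list (AUTH -> mechanism names)."""
    caps = {}
    for line in response.splitlines()[1:]:      # line 0 is the greeting
        keyword, _, params = line[4:].strip().partition(" ")   # drop '250-'/'250 '
        caps[keyword.upper()] = params.upper().split()
    return caps

def needs_starttls(caps, port):
    """465 is TLS from the first byte; on 587 STARTTLS must be offered or we stop."""
    if port == 465:
        return False
    if "STARTTLS" not in caps:   # stopping here is what defeats a stripped STARTTLS
        raise RuntimeError("no STARTTLS offered; refusing to authenticate in the clear")
    return True

def choose_mech(caps, tls_active, have_token):
    """Pick a mechanism: a token mechanism first, a password mechanism only over TLS."""
    offered = caps.get("AUTH", [])
    if have_token:
        for m in TOKEN_MECHS:
            if m in offered:
                return m
    if tls_active:
        for m in PASSWORD_MECHS:
            if m in offered:
                return m
    return None   # nothing safe to offer: never send the password in the clear

def xoauth2_initial_response(user, token):
    """SASL XOAUTH2 initial client response in Google's documented format."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def decode_sasl(b64):
    """Decode an initial response, e.g. to log what actually goes on the wire."""
    return base64.b64decode(b64).decode("utf-8")
```

Dropping PLAIN from the advertised list, as the thread expects Gmail to do, leaves this policy on LOGIN over TLS or on a token; what it never does is fall back to a plaintext session.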
 

Patrick M. Hausen

Thanks. Back to the OP's problem - as far as I understand he needs to send email to gmail, not necessarily via gmail. So pick any mail account, free or paid, like e.g. web.de ...
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
That's not exactly plain; you're wrapping your connection inside an openssl channel, not exactly something old apps that simply interfaced via port 25 could do... but wait, there is more...

@Patrick, I'd still like to take you up on your offer to get a postfix mail server configured as a jail, think for nothing more than being able to send emails via the domain I own will be of value.

and then somewhere along the line figure out why multiple apps in different jails all die during the night...


ok... so sorry for this very sarcastic comment now...

OK, so you go into your Google account, go to Security, enable 2FA.
Once that is done it then presents you with an App Password option.
Select it, then select Generate. Select Mail from the first drop-down, then select Other from the 2nd drop-down, give your app a name and click Generate; it will now generate a 16 digit password.
Go back to your app, and change your current password for this 16 digit password and Bob's your uncle... all keeps working on port 25 without TLS or StartTLS or anything else.

ha ha ha... got to laugh.

Still going to see and try my hand at getting that emailrelay working with Google on the other side, as it seems even they would want this new password... and it does look like a funky piece of software to have in a toolbox.

G
 

Patrick M. Hausen

Create empty jail, make sure networking with VNET, name resolution etc. work. Enable SSH login to jail. I will try that myself today, postfix on OPNsense seems to be broken when client authentication is used for sending and I have a similar collection of UPS and other limited devices.
 

georgelza

Jail created.
sudo installed.
User george added, belonging to wheel, and password set.
wheel configured as authorised to sudo.
Strange... when I try ssh it asks me three times for the password and then kicks me out, with error: george@172.16.10.11: Permission denied (publickey,keyboard-interactive).
 

Patrick M. Hausen

VNET jail with dedicated IP address? sshd enabled and started? Possibly you are connecting to the NAS host and not the jail.
 

georgelza

Yes, static IP assigned to the jail,
different from the host. Went inside the jail and did an ifconfig, confirmed the IP is as I assigned.
sshd service confirmed/running.

G
 

Patrick M. Hausen

Does su - george as root inside the jail work?
 

georgelza

Login resolved. Got the jail and can ssh.
 

rvassar

Not to distract from your jail efforts, but... If I may suggest... Spin up a small VM in a cloud vendor. You can run Postfix in a 1Gb 1vCPU VM. Life is better with 2Gb, but you don't really need it. Several cloud vendors now offer VMs of this size in their "free tier" offering. I pay $5/mo for mine because I refuse to use OCI. :wink:

Advantages:
- Static IP with full rDNS PTR capability
- Easy to get LetsEncrypt certs
- Fewer security risks for your home network
- The inevitable SMTP crawler attacks don't use your home bandwidth
- Set up an OpenVPN server on your NAS or an RPi, punch a tunnel from the VM back into your house and manage access via UFW, etc. Set up Postfix to accept email from your required devices via "permit_mynetworks", no passwords needed.
 

georgelza

Interesting...
OCI?
Good idea, will consider; just be careful of the cloud providers and their "this is all free", as there is always something you click which is not, and they love invoicing you, and with our exchange rate to the $$$ it can be a nasty experience. Got the scars.
G
 

rvassar

Oracle Cloud Initiative. They offer "always free" tier VMs, and still have some email people guarding their network reputation. But I have issues with OCI that I will not discuss here, so don't take this as a recommendation. Google also has some always free VMs... I don't like them either, hence why I pay $5/mo. :wink:
 

georgelza

Just wanted to make sure we were thinking of the same OCI... I'll be open and confess I'm ex-Oracle for many years...
All these big corps have a "something" someone will not like. They all sell you something by not always telling you everything.
G
 

rvassar

Just wanted to make sure we were thinking of the same OCI... I'll be open and confess I'm ex-Oracle for many years...

I'm ex-Sun & 2x ex-Oracle. There will not be a 3x... :cool:
 

georgelza

Where in the world are you?
South Africa for myself.
G
 

rvassar

Where in the world are you?
South Africa for myself.
G

Austin, Texas. I'm one of the escaped Californians the natives like to complain about. :smile:
 

Patrick M. Hausen

@rvassar If he only wants to send with SMTP auth, where is the risk? I never recommended running postfix with the SMTP port open to the Internet. Just as an internal smarthost.
 

rvassar

@rvassar If he only wants to send with SMTP auth, where is the risk? I never recommended running postfix with the SMTP port open to the Internet. Just as an internal smarthost.

Simple... It very likely won't work. Gmail won't accept his rDNS PTR, he has no DKIM key, no SPF record, Gmail no longer accepts "PLAIN" auth on port 465, and he can't easily present an OAuth2 token (Or can he?). Add to this that virtually all residential IP address blocks are listed on various RBLs voluntarily by the ISPs that own them. So he needs another MTA that can satisfy Gmail's requirements and achieve delivery. A free cloud VM is as easy as spinning up Postfix in a VM at home, and you can filter the SMTP port just as easily, making it outbound only, etc... The "permit_mynetworks" bit exposes it to the VPN tunnel and select hosts only, not the open Internet, and even then you filter it so your kid doesn't download a bot that finds it.

I've been running my own email server since '99 or so.. I don't think too much about having port 25 exposed to the open Internet. You either do it right, or get sent home. :cool:
 