Made by KUSPBV
Sendooway
... is a multi-user and multi-target SMTP proxy that acts as smarthost.

Securing any existing mail server with SMTP AUTH

There are a lot of great MTA/MDA combinations out there. Personally, I prefer qmail because it is easy to configure and seems secure. Whereas most modern mail transfer agents already support SMTP AUTH, qmail does not (at least without patching the source). Sendooway can be used to authenticate SMTP users before they are allowed to use qmail or the MTA of your choice. This howto shows how to do it.
Warning: Sendooway is currently in pre-alpha state and probably full of bugs. This howto is only meant for information on Sendooway's getmail-integration, but you should not use it in production environments. Also note that some features of Sendooway are not yet implemented or might change in the near future (e.g. naming of configuration keywords or command-line switches).

We'd be very happy if you gave us feedback on Sendooway through our mailing list. Of course, if you want, you can also participate (e.g. code, spell-checking ...).

Step 0: Present setup

We assume you already have a mail transfer agent installed. It does not matter whether you use qmail, sendmail, postfix, Exim or any other MTA, because they do not need to be reconfigured; however, you should know how to change the port on which your MTA listens for incoming connections. In this example we use iptables to hide your old MTA and let clients connect to Sendooway.

Step 1: Compile Sendooway

Download the latest Sendooway snapshot from http://www.kuspbv.de/sendooway/, unpack and configure it. The following should work for you:
alice@localhost:~$ \
  tar xzf sendooway-*.tar.gz && \
  cd sendooway-*/ && \
  ./configure --prefix=/usr --sysconfdir=/etc
If configure stops because of missing dependencies, you can try using the --without-gnutls option; however, we absolutely recommend installing GnuTLS instead, because some mail providers (like Googlemail) refuse to accept unsecured connections.

After configuring the source code, compile and install it:

alice@localhost:~$ \
  make && \
  sudo make install
Compilation should proceed without errors. sudo may ask for your super-user password in order to copy Sendooway into your GNU/Linux installation. Congratulations -- the most difficult step is done.
Please do not distribute binary releases as long as Sendooway is pre-alpha.

Step 2: Configure Sendooway globally

Sendooway reads /etc/sendooway.conf to get global information about your system. This file was created in the last step and contains documented example values. For this howto you should replace those values with the following lines:
mailerEncryption = forbidden
smarthostMapping = direct:* localhost smtp - - noAuth
The first line disables secure server connections between your mail client and Sendooway; however, it's recommended to use SSL because Sendooway only accepts AUTH PLAIN and AUTH LOGIN, which both contain unencrypted passwords. The second line directs all connections to your existing SMTP server, which listens on port 25 (smtp) and is unable to handle authentication by itself.
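
Why the SSL recommendation matters, as an added example (not part of Sendooway or the original howto): AUTH PLAIN and AUTH LOGIN only base64-encode the credentials, so a session without encryption carries them in recoverable form. The transcripts and the account alice / s3cret-example are constructed, and decode_auth is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: shows that AUTH PLAIN / AUTH LOGIN carry the password
# base64-encoded only. Transcripts and credentials below are constructed.

SAMPLE_PLAIN='S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAHMzY3JldC1leGFtcGxl
S: 235 ok'

SAMPLE_LOGIN='C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: YWxpY2U=
S: 334 UGFzc3dvcmQ6
C: czNjcmV0LWV4YW1wbGU=
S: 235 ok'

b64() { printf '%s' "$1" | base64 -d 2>/dev/null; }

# decode_auth (hypothetical helper): reads a transcript with "C: "/"S: "
# prefixes on stdin and prints "MECHANISM user password".
decode_auth() {
  client=$(sed -n 's/^C: //p' | tr -d '\r')
  mech=$(printf '%s\n' "$client" |
    awk 'toupper($1) == "AUTH" { print toupper($2); exit }')
  # Base64 tokens the client sent: the optional initial response on the
  # AUTH line, then the first word of each following client line.
  tokens=$(printf '%s\n' "$client" | awk '
    seen { print $1; next }
    toupper($1) == "AUTH" { seen = 1; if (NF >= 3) print $3 }')
  t1=$(printf '%s\n' "$tokens" | sed -n 1p)
  t2=$(printf '%s\n' "$tokens" | sed -n 2p)
  case $mech in
    PLAIN)  # authzid NUL authcid NUL password (RFC 4616)
      fields=$(b64 "$t1" | tr '\0' '\n')
      user=$(printf '%s\n' "$fields" | sed -n 2p)
      pass=$(printf '%s\n' "$fields" | sed -n 3p) ;;
    LOGIN)  # user name and password sent as two separate base64 lines
      user=$(b64 "$t1"); pass=$(b64 "$t2") ;;
    *) return 1 ;;
  esac
  printf '%s %s %s\n' "$mech" "$user" "$pass"
}

printf '%s\n' "$SAMPLE_PLAIN" | decode_auth
printf '%s\n' "$SAMPLE_LOGIN" | decode_auth
```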

Step 3: Reconfigure iptables

The existing SMTP server must not be reachable by clients directly. The command below instructs your server to redirect all incoming SMTP connections to Sendooway. It's important to specify your server's IP address here (run this command several times if you use more than one address/interface). The existing mail server is still reachable by connecting to 127.0.0.1:25, which is what Sendooway will do. We assume your current mail server only listens on TCP port 25.
alice@localhost:~$ \
  sudo iptables -t nat -I PREROUTING -p tcp --dst <YOUR SERVER'S IP ADDRESS> \
                --dport smtp -j REDIRECT --to-port 587
Another solution is to reconfigure your existing SMTP server to bind to the loopback interface only. Since there is no general way to do this, this howto settles for the command above.
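
A check for the rule above, as an added example (not part of the original howto): it lists every local IPv4 address that still lacks the port 25 to 587 redirect, which is the case the "run this command several times" remark is about. The rule dump and the addresses are constructed, uncovered_addrs is a hypothetical helper, and IPv6 addresses are out of scope because iptables only handles IPv4.

```shell
#!/bin/sh
# Added example: find local IPv4 addresses whose port 25 is not redirected
# to Sendooway. Sample data is constructed (documentation address ranges).

# Rules in the format printed by: sudo iptables -t nat -S PREROUTING
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 587
-A PREROUTING -d 198.51.100.7/32 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

# uncovered_addrs (hypothetical helper): RULES ADDR...
# Prints each ADDR that has no "tcp dport 25 -> REDIRECT 587" rule.
# Only rules with an explicit -d are considered, as in the howto's command.
uncovered_addrs() {
  rules=$1; shift
  for addr in "$@"; do
    printf '%s\n' "$rules" | awk -v a="$addr" '
      / -p tcp / && / --dport 25 / && / -j REDIRECT --to-ports 587$/ {
        for (i = 1; i < NF; i++)
          if ($i == "-d" && ($(i + 1) == a || $(i + 1) == a "/32"))
            found = 1
      }
      END { exit !found }' || printf '%s\n' "$addr"
  done
}

# On a live system the address list could come from:
#   ip -4 -o addr show scope global | awk '{ sub(/\/.*/, "", $4); print $4 }'
uncovered_addrs "$SAMPLE_RULES" 192.0.2.10 198.51.100.7
```

Any address it prints still exposes the old, unauthenticated MTA on port 25.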

Step 4: Start Sendooway

Sendooway can use a super-server daemon like xinetd or inetd. If you do not use any of these, you might want to use Sendooway's built-in server:
alice@localhost:~$ \
  sudo /usr/bin/sendooway -b submission
If you use inetd, add the following line to your /etc/inetd.conf:
submission stream tcp nowait root /usr/sbin/tcpd /usr/bin/sendooway
The preferred way is to use xinetd. To do so, create a new text file in an editor, name it /etc/xinetd.d/sendooway and copy and paste the following content:
service submission
{
    socket_type    = stream
    protocol       = tcp
    wait           = no
    user           = root
    server         = /usr/bin/sendooway
}
Sendooway will be available after your super-server daemon gets reloaded. The following command should do (replace xinetd by inetd if needed):
alice@localhost:~$ \
  sudo pkill -SIGHUP xinetd

Step 5: Configure your mail client

In the last step you will have to reconfigure your mail clients. In a perfect world, you will be asked to enter your password the next time you send an email. Some clients will simply fail as long as they are not instructed to authenticate. Just give it a try, but be prepared to configure SMTP authentication manually.

We really hope you like Sendooway and use it to improve your every-day mail experience. This howto is a very quick one and there are many more things Sendooway can do. There are two man pages (sendooway(1) and sendooway.conf(5)) and a very long to-do list of features we want to implement in later versions.

Please let us know if you think Sendooway is useful (this motivates) or if you think Sendooway is a waste of time (this demotivates).

