SMTP Authentication methods [SOLVED]

Moderator: crythias

Locked
arvobowen
Znuny newbie
Posts: 55
Joined: 12 Jul 2010, 20:34
Znuny Version: 2.4

SMTP Authentication methods [SOLVED]

Post by arvobowen »

Currently, as far as I can see, OTRS supports PLAIN AUTH and does not support any of the more secure methods such as CRAM-MD5 or DIGEST-MD5.

Is there any type of module or package that would change this? Or am I wrong and OTRS does support it?
Last edited by arvobowen on 03 Aug 2010, 20:32, edited 1 time in total.
Operating System: Windows Server 2003 x86
Purpose: Information Technology Help Desk
OTRS Version: OTRS 2.4.7
crythias
Moderator
Posts: 10170
Joined: 04 May 2010, 18:38
Znuny Version: 5.0.x
Location: SouthWest Florida, USA
Contact:

Re: SMTP Authentication methods

Post by crythias »

OTRS 6.0.x (private/testing/public) on Linux with MySQL database.
Please edit your signature to include your OTRS version, Operating System, and database type.
Click Subscribe Topic below to get notifications. Consider amending your topic title to include [SOLVED] if it is so.
Need help? Before you ask

Re: SMTP Authentication methods

Post by arvobowen »

But that does not answer my question. :)

I have a bunch of files for Strawberry Perl, etc... that are for CRAM-MD5 and DIGEST-MD5...

Does OTRS not support the two?

Re: SMTP Authentication methods

Post by crythias »

My guess is your assumption is correct. Then again, SMTPS should generally prevent snooping. If you're on Linux, you could be using your sendmail configuration to handle higher security SMTP AUTH for you, and if you're using Exchange in Windows on your LAN, you could let your Exchange Server handle that aspect. If you're using hosted Exchange or GMail outside your environment, you probably would be using SMTPS (SMTP over SSL) which may or may not support MD5.

It doesn't appear that OTRS in particular handles any specific security methods of Authentication, but rather hands that information off to Net::SMTP::SSL for SMTPS (See /Kernel/System/Email/SMTPS.pm and http://search.cpan.org/~cwest/Net-SMTP- ... MTP/SSL.pm ) which is an SSL set of Net::SMTP->auth (SASL authentication). http://search.cpan.org/~gbarr/libnet-1.22/Net/SMTP.pm

Net::SMTP uses Authen::SASL http://search.cpan.org/~gbarr/Authen-SA ... n/SASL.pod

That's as far as I've gotten to determine that OTRS isn't involved with how securely mail is transmitted. OTRS is rather agnostic to the whole deal.

Re: SMTP Authentication methods

Post by arvobowen »

Humm... The reason I bring it up is because I set up my outgoing SMTP creds... I was using the following..

Windows 2003 - Apache 2 - FastCGI - (Mailserver - Kerio MailServer)

Config Options: Framework -> Core::Sendmail
SMTP
/usr/sbin/sendmail -i -f (I know it's not needed unless you use sendmail)
127.0.0.1
25
*support@mydomain.com*
*mypassword*
(NULL)
(NULL)
base64

With these settings it kept trying to authenticate with a user of 'support@mydomain.com@mycomputername.mydomain.local'

I had to disable both CRAM-MD5 and DIGEST-MD5 protocols on my Kerio Mailserver to make it work correctly. When I called Kerio for support they said it was due to OTRS (maybe perl?) not supporting the method... so it now uses PLAIN... seems very unsecured to me.

Re: SMTP Authentication methods

Post by crythias »

If you feel like it's insecure to relay through an SMTP server (and need authentication, no less) on the same box that you're running OTRS, I really don't know what to say about that.

Re: SMTP Authentication methods

Post by arvobowen »

LOL, that's a good point, but you misunderstood what I was talking about. I have had to alter my security settings on my mail server to make OTRS work. This now means that my mail server will accept NON secure PLAIN text from other users.

Re: SMTP Authentication methods

Post by crythias »

You're absolutely correct about that point. I still don't know if authentication should have been necessary (and I promise I'm not trying to enhance discord at this) for connection to the same box, yet other users would need to provide secure logins.

It appears that you can do this: http://manuals.kerio.com/connect/adming ... tpsrv.html
Allow relay only for
Use this option to activate user authentication by IP addresses or usernames and passwords (see below). Generally, authenticated senders can use email messages to any domain via this server, whereas unauthorized users can send messages only to local domains.
Users from IP address group
Use this option to define a group of IP addresses from which email can be sent to any domain. Use the IP address group menu to choose an item from the list of groups defined in Configuration → Definition → IP Address Groups. Use the Edit button to edit a selected group or to create a new one (see chapter 19.1 IP Address Groups).

Re: SMTP Authentication methods

Post by arvobowen »

I ended up just setting it to PLAIN authentication on my KERIO email server... Though unsecured in my mind, I will revisit this issue later. I plan on looking into making sure the appropriate modules are in place on ActivePerl.
Locked
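
Added example, not part of the original thread and not OTRS, Net::SMTP or Kerio code: a Python sketch of what the two mechanisms discussed above put on the wire, plus a check of an EHLO reply for mechanisms that expose the password when the connection is not under TLS. The function names, addresses, password, EHLO reply and challenge are all constructed for illustration.

```python
import base64
import hashlib
import hmac

# Mechanisms whose exchange carries the password itself (base64 is not encryption).
PASSWORD_ON_WIRE = {"PLAIN", "LOGIN"}

# Constructed sample data (not captured from a real server): an EHLO reply like
# the thread's setup once CRAM-MD5 and DIGEST-MD5 are disabled, and a challenge.
SAMPLE_EHLO = ["250-mail.example.test", "250-AUTH PLAIN LOGIN", "250 STARTTLS"]
SAMPLE_CHALLENGE = base64.b64encode(b"<1234.5678@mail.example.test>").decode()


def plain_token(user, password):
    """AUTH PLAIN initial response (RFC 4616): base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def decode_plain(token):
    """What a captured AUTH PLAIN token reveals: (user, password)."""
    _authzid, user, password = base64.b64decode(token).decode().split("\0")
    return user, password


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 over the challenge, keyed by the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def audit_ehlo(reply_lines, tls_active):
    """Return (offered mechanisms, those exposing the password here, STARTTLS seen)."""
    offered, starttls = [], False
    for line in reply_lines:
        keyword = line[4:].strip().upper()  # drop the "250-" / "250 " prefix
        if keyword == "STARTTLS":
            starttls = True
        elif keyword.startswith(("AUTH ", "AUTH=")):
            offered += keyword[5:].split()
    exposed = [] if tls_active else sorted(set(offered) & PASSWORD_ON_WIRE)
    return offered, exposed, starttls


if __name__ == "__main__":
    token = plain_token("support@example.test", "constructed-password")
    print("PLAIN reveals:", decode_plain(token))
    print("CRAM-MD5 sends:", base64.b64decode(
        cram_md5_response("support@example.test", "constructed-password",
                          SAMPLE_CHALLENGE)).decode())
    print("Cleartext audit:", audit_ehlo(SAMPLE_EHLO, tls_active=False))
```

With `tls_active=True` the exposed list is empty, which matches the point made in the thread about SMTPS: under TLS the PLAIN exchange is not visible to someone snooping the connection.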