how to use smtp starttls() encryption?
Gerhard Häring
gerhard.haering at gmx.de
Wed Nov 6 04:19:39 EST 2002
* Xu, C.S. <xucs007 at yahoo.com> [2002-11-05 16:23 -0800]:
> Gerhard,
>
> > 'Sending out' is configured differently than receiving mail. Note that
> > in my example, I sent mail to your domain, using your smtp server,
> > which is thus already the 'final destination'.
> >
> > No relaying involved here. The main point of SMTP auth is to prevent
> > unauthorized relaying, and therefore you require it only for mail to
> > domains other than yours.
> >
>
> I did notice that, so I tried
> s.sendmail('testpythonsmtp at offleasecomputer.net',
> 'somebody at hotmail.com', 'test')
> It also works. This did include relaying, right?
Yes.
> My question is, what if other people run the same script on their computers?
> Those people don't know the password to my email account. Can they still send
> out emails? Looks possible, because the script didn't send out a password at
> all.
Depends on your mail server configuration. See below for mine.
> Then what's the point of using TLS to prevent spamming?
That's probably not the main point. You could read the RFC for a rationale,
I suppose. Though you could get authorization using starttls if you used
client certificates, that's probably not the most common scenario. I
believe people use SMTP AUTH (provided via login in smtplib) to get, well,
uhm, authorized SMTP ;-)
> Another question is, will starttls() tackle those servers with SSL
> encryption?
With whatever OpenSSL supports (SSLv2, SSLv3, TLS).
> To my knowledge, TLS is the next generation of SSL.
Yeah, the STARTTLS extension was called ...TLS to reflect that already.
> Even the most recent doc on python.org doesn't have any explanation of
> starttls() yet :-(
You must have used the time machine the wrong way:
http://www.python.org/doc/current/lib/SMTP-objects.html
My Postfix configuration (with default comments). Especially the comments
show how to properly configure an SMTP server to prevent spamming:
[...]
# TRUST AND RELAY CONTROL
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
# On Linux, this works correctly only with interfaces specified
# with the "ifconfig" command.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
# mynetworks_style = class
# mynetworks_style = subnet
# mynetworks_style = host
# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table
mynetworks = 192.168.2.0/8, 127.0.0.0/8
# The relay_domains parameter restricts what clients this mail system
# will relay mail from, or what destinations this system will relay
# mail to. See the smtpd_recipient_restrictions restriction in the
# file sample-smtpd.cf for detailed information.
#
# By default, Postfix relays mail
# - from "trusted" clients whose IP address matches $mynetworks,
# - from "trusted" clients matching $relay_domains or subdomains thereof,
# - from untrusted clients to destinations that match $relay_domains
# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_maps.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction in the file sample-smtpd.cf.
#
relay_domains = $mydestination
So basically, I allow relaying only from clients in the local network and
from localhost (192.168.2.0/8 and 127.0.0.0/8) and I relay only for
$mydestination, which is my domain.
HTH & HAND,
-- Gerhard
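Added example (not from the post, and not Postfix's own code): a small Python model of the relay rules spelled out in the quoted main.cf comments, used to check what the posted mynetworks line actually trusts. A /8 mask keeps only the first octet, so "192.168.2.0/8" denotes the network 192.0.0.0/8 and makes every client whose address starts with 192 a "trusted" relay client, public addresses included, rather than the 192.168.2.x LAN that "the local network" presumably refers to; "192.168.2.0/24" is, by that assumption, the intended value. The domain names, client addresses and the refusal of sender-specified routing for untrusted clients are constructed to mirror the comments; real Postfix evaluates more restrictions than this.

```python
import ipaddress


def parse_networks(spec):
    """Parse a mynetworks value ("net/bits, net/bits ...") into networks.

    strict=False applies plain CIDR semantics: host bits outside the mask
    are discarded, so "192.168.2.0/8" denotes 192.0.0.0/8, i.e. every
    address whose first octet is 192, not just the 192.168.2.x LAN.
    """
    return [ipaddress.ip_network(tok, strict=False)
            for tok in spec.replace(",", " ").split()]


def in_domain_list(domain, patterns, subdomains):
    """relay_domains matches a domain or its subdomains; mydestination is exact."""
    d = domain.lower()
    for p in (x.lower() for x in patterns):
        if d == p or (subdomains and d.endswith("." + p)):
            return True
    return False


def would_relay(client_ip, rcpt, mynetworks, relay_domains, mydestination):
    """Approximate the quoted Postfix rules for one RCPT TO.

    Returns (accepted, reason). Trusted clients (mynetworks) may relay
    anywhere; everyone else only reaches final destinations and
    relay_domains, and source-routed addresses are refused.
    """
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in parse_networks(mynetworks)):
        return True, "trusted client in mynetworks"
    local, _, domain = rcpt.rpartition("@")
    # Sender-specified routing (user%host, host!user, @host:user) is the
    # classic open-relay trick; untrusted clients do not get it.
    if "%" in local or "!" in local or rcpt.startswith("@"):
        return False, "sender-specified routing refused"
    if in_domain_list(domain, mydestination, subdomains=False):
        return True, "final destination (mydestination)"
    if in_domain_list(domain, relay_domains, subdomains=True):
        return True, "relay domain (relay_domains)"
    return False, "relay access denied"


# Constructed values: the domain is a placeholder, POSTED_NETWORKS is the
# line from the post, FIXED_NETWORKS the /24 that "local network" presumably means.
MYDESTINATION = ["example.net"]
RELAY_DOMAINS = MYDESTINATION          # relay_domains = $mydestination
POSTED_NETWORKS = "192.168.2.0/8, 127.0.0.0/8"
FIXED_NETWORKS = "192.168.2.0/24, 127.0.0.0/8"

if __name__ == "__main__":
    print(parse_networks(POSTED_NETWORKS))   # first entry is 192.0.0.0/8
    for nets in (POSTED_NETWORKS, FIXED_NETWORKS):
        # 192.0.2.10 is a documentation address (TEST-NET-1): public, not on the LAN.
        print(nets, "->", would_relay("192.0.2.10", "somebody@hotmail.com",
                                      nets, RELAY_DOMAINS, MYDESTINATION))
```

With the posted value a client at 192.0.2.10 is accepted as a relay client; with the /24 it is refused unless the recipient is in $mydestination or $relay_domains. Postfix itself is the authority on the exact semantics, so treat this model as a way to reason about a main.cf, not as a substitute for testing the running server.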
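Added example, not code from the thread: the client side that the subject line asks about, written against today's smtplib. starttls() is given an ssl.SSLContext so the server certificate is verified, the client refuses to send credentials when the server does not advertise STARTTLS (otherwise a middlebox that strips the EHLO keyword gets the password in the clear), and login() (SMTP AUTH) is what authorizes relaying, as the reply says. The host name and credentials are placeholders; FakeSMTP is a constructed stand-in for smtplib.SMTP so the flow can be exercised offline.

```python
import smtplib
import ssl


def tls_context():
    """Client TLS policy for starttls(): verify the server certificate against
    the system trust store and check the host name. smtplib only does this
    when handed a context; older versions verified nothing without one."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_authenticated(conn, user, password, sender, rcpts, msg, context=None):
    """Upgrade an SMTP session to TLS, authenticate, then send.

    `conn` is an smtplib.SMTP-like object already connected (port 587 for
    STARTTLS). Raises RuntimeError instead of continuing in plaintext when the
    server does not offer STARTTLS.
    """
    conn.ehlo()
    if not conn.has_extn("starttls"):
        raise RuntimeError("server does not offer STARTTLS; refusing to send credentials in the clear")
    conn.starttls(context=context or tls_context())
    conn.ehlo()          # RFC 3207: fresh EHLO after the handshake; smtplib drops the old extension list
    conn.login(user, password)   # SMTP AUTH: this, not TLS, is what authorizes relaying
    return conn.sendmail(sender, rcpts, msg)


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP: records the call sequence
    instead of talking to a server, and refuses login() before TLS."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.calls = []
        self.esmtp_features = {}
        self.tls_active = False

    def ehlo(self):
        self.calls.append("ehlo")
        self.esmtp_features = {"auth": "PLAIN LOGIN"}
        if self.offers_starttls and not self.tls_active:
            self.esmtp_features["starttls"] = ""
        return 250, b"ok"

    def has_extn(self, opt):            # same lookup smtplib performs
        return opt.lower() in self.esmtp_features

    def starttls(self, context=None):
        self.calls.append("starttls")
        self.tls_active = True
        self.esmtp_features = {}        # as smtplib does after the handshake
        return 220, b"ready"

    def login(self, user, password):
        if not self.tls_active:
            raise AssertionError("credentials would have been sent before TLS")
        self.calls.append("login")
        return 235, b"authenticated"

    def sendmail(self, sender, rcpts, msg):
        self.calls.append("sendmail")
        return {}                       # no refused recipients


if __name__ == "__main__":
    # Offline run against the stand-in. Against a real server it is:
    #   with smtplib.SMTP("mail.example.net", 587, timeout=30) as s:   # placeholder host
    #       send_authenticated(s, "user", "secret", "me@example.net",
    #                          ["you@example.org"], "Subject: test\r\n\r\nhello\r\n")
    fake = FakeSMTP()
    send_authenticated(fake, "user", "secret", "me@example.net",
                       ["you@example.org"], "Subject: test\r\n\r\nhello\r\n")
    print(fake.calls)
```

On the question about servers "with SSL encryption": SMTP plus starttls() is the STARTTLS upgrade on port 587 (or 25); a server that speaks TLS from the first byte (the old "SMTPS" service on port 465) is reached with smtplib.SMTP_SSL(host, 465, context=tls_context()) and no starttls() call at all. The same login() step applies in both cases.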
More information about the Python-list
mailing list