Why Kolab Groupware uses Submission
Kolab Groupware has a strong focus on security, and data integrity - not just your own mailbox but the flow of traffic between you and your peers as well.
Please allow me to take the opportunity to explain to you some of the background of what Kolab Groupware does, and why. In this blog post, I'm zooming in on our use of the submission port (587).
There's a standard 3 ports associated with receiving email messages:
- Port 25/tcp, or SMTP, which a mail exchanger uses to receive email from the Internet, and from other systems in your network that need to use this mail exchanger as their smarthost (conditions apply). Most commonly, port 25 accepts messages from the Internet for local recipients, or mail traffic from trusted systems inside your network, that are destined for the outside world.
Typically, no authentication is required, and the envelope sender of a message is not guaranteed to actually be the real human being that would receive your reply should you reply to the envelope sender address. - Port 465/tcp, or SMTP with implicit SSL a.k.a. SMTPS a.k.a. SSMTP, which a mail exchanger rarely uses to receive messages from the internet, and only sometimes uses to receive messages from other systems on your network.
Usually, the internal network is considered as trusted (to some extent). You would want to use SMTPS in networks where the network is not trusted, perhaps including requiring authentication using client-side SSL certificates. At the very least, the implicit SSL nature of SMTPS ensures the communication stream is encrypted. - Port 587/tcp, or Submission, which is intended for use by actual human beings. This is the service Kolab Groupware chooses to make use of.
You would not want to use ports 25 nor 465 for submission of data from your groupware users, because both usually include bluntly allowing what is called $mynetworks - the list of IP Address (Spaces) that are trusted networks.
To illustrate, consider the following; You have a LAMP stack that sends out notifications to subscribers via the SMTP port number 25 on localhost. The envelope sender could be something like apache@example.org or noreply@example.org. You would typically have configured (it may actually be the default configuration) "mynetworks = 127.0.0.0/8". The setting "smtpd_sender_restrictions" or "smtpd_recipient_restrictions" typically includes "permit_mynetworks".
Now you install an awesome webmail program called Roundcube, and you configure it to use localhost:25 as its SMTP server. Anyone able to log in to Roundcube is now able to configure an identity with any envelope sender address making messages sent out using that identity appears as if they were coming from that actual envelope sender.
So, joesmo@example.org could now send messages pretending to be the CEO of Example.org, Inc., simply by adding an identity of "The Bossman ", and would go completely unchecked while doing so.
What you can't do is restrict $mynetworks further than 127.0.0.0/8 - your LAMP stack would fail attempting to send messages to your subscribers.
You will want to use a service that does not trust *anyone*, *requires* authentication and *enforces* the user sending the message is authorized to send messages using the envelope sender address of the very message.
I say "authorized to send messages (...)", because one feature that you may need is delegation; the secretary sending a message or two on behalf of the bossman is not a very uncommon scenario.
This is where Kolab Groupware kicks in. We implement pieces of software you are probably already intimately familiar with, and then take it up a notch.
It will not accept messages appearing to originate from an envelope sender address that is within a local domain name space from anyone or anything, unless the actual sender is verifiably authorized to send using the envelope sender address the message will appear to have come from, or unless the sender system is explicitly trusted.
By means of a demo, at Kolab Systems itself, not only do we run a couple of Kolab Groupware deployments, but we also service some mailing lists for third party Free Software projects - hence I can only verify the actual envelope sender address, and not the domain name space:
$ (
> sleep 1
> echo "HELO $(hostname -f)"
> echo "MAIL FROM: vanmeeuwen@kolabsys.com"
> echo "RCPT TO: vanmeeuwen@kolabsys.com"
> echo "DATA"
> sleep 1
> echo "Subject: Nice blog post, thanks"
> echo "Hey there,"
> echo ""
> echo "I think your blog post is awesome."
> echo "."
> sleep 1
> echo "QUIT"
> ) | telnet ext-mx01.kolabsys.com 25
Then do the same against your own SMTP server, with a set of address of your own.
- Login or register to post comments
- 3704 reads
- jmeeuwen's blog
- Feed: Jeroen van Meeuwen Kolab Blog
- Original article
Comments
Straighteners have fallen
Straighteners have fallen quite a distance as the first, large Helen of Troy hit the market http://www.clshoessale-us.org. CHI straightener is the best hair straightner That i've ever used and it's the very best selling styling iron. I have got tested many straighteners inside my life, even tried an authentic iron replica christian louboutin?you're certain for clothes (not smart). Image with all the CHI hair straightener for a good si years now, and each time I use it' am amazed at how great it truely does work. Flat ironing can be be extremely damaging for your hair all night a ceramic iron might help limit damages CHI Straightener. You do not want an iron that gets involved on any portion of your own hair. The delayed drag can cause the iron being wear any division of hair on an etra second which enable it to completely fry the hair. Ceramic irons may also help glide easier and that means you spend the same timeframe on each strand of hair, minimizing destruction replica christian shoes louboutin. Fresh fruits, working with a flatiron is rather damaging and you need to only take some sort of heat protection product, always. Another tip to damage is to utilize your straightener within the lowest heat setting that could be still effective within your hair CHI Flat Iron. So rather than toting very high heat setting, make an attempt to favorite tv show . on 100 degrees cooler, I bet still works! CHI hair straightener is ceramic and it has ion technology to increase good shine levels. It warms up to 400 degrees inside of a mere A minute christian louboutin sneakers for men. This straightener glides smoothly through your hair and straightens quicker than another iron I've truly tried. Additionally, it is etremely durable, I've had this iron approximately si years in fact it is working like new CHI Hair Straightener. CHI styler in flatironsalliance enjoy a fabulous refund policy and warranty policy on the styling tools. The main hair straightener I have purchased stopped working online day a result of a short on the wire. I mailed the explanation towards service and received a new iron absolutely free so i have used the free one since. Besides, the cost could be very attractive replica christian louboutin sneakers. It totally worth it. These Farouk CHI Hair straightener products and CHI Hair Dryers are invariably bound to be salon authentic and new. CHI began a ceramic hair straightening iron craze using the hot CHI flat iron, the very best selling hair straightener for stylists and beauticians chi straightener canada. The very first CHI hair straightener, as well as pink chi hair straightner, can be bought in different plate designs and sizes and also in many stylish dazzle finishes & styles. A CHI Iron for which you select here could possibly have salon technologies for example nano silver and tourmaline to appeal to delicate hair tetures. Misikko's selection of CHI straighteners is etensive and also an authenticity guarantee http://www.chi-hairstores.ca. The CHI hair straightening iron, CHI roller, and CHI hair dryer pioneered the usage of ceramic for gentle hair styling. Related Articles CHI flat irons, the Best Selling Iron, the most beneficial flat irons, this content to some Friend CHI Hair!Receive Articles just like it direct for your bo mens christian louboutin shoes!Subscribe at no cost today!
Salary day funds
A personal loan cash advance offered by a dependable pay day loan or funds progress organization will not take advantage of individuals. It happens to be meant to generally be put to use only for a short expression crisis condition by utilized persons who have to have a tiny bit of assist among paydays for emergencies. That is an incredibly typical event when most people are living spend check out to pay for take a look at and will not be fiscally ready for emergency repairs, travel or health care fees. Actually, easy payday loans fill a critical part during the economic community.
Steer clear of automatic rollovers when considering loans. Some cash loan lenders have systems put together that increase the time period of your respective bank fast cash in exchange for charges deducted from the checking bank acc. The majority of these really do not have to have any action from you aside from placing it up. Perhaps you may never ever have the opportunity to entirely pay out the cashadvance cash advance off and finish up gaining casino spiele accompanied by a really good reputation.
Look for businesses that have been have already been in enterprise for really an extended time. This would can help you identify out which of them presents the most beneficial support to their purchasers. You may also test evaluations so you can get significantly more information and facts that could assist you figure out.