PDA

View Full Version : NetBurner PINK module and SMTP...



Mike Porter
01-27-2006, 04:29 AM
My SMTP server (outgoin email server) requires me to logon with a username and password. I can't find anything in the NetBurner PINK documentation about setting/sending a username and password while sending·SMTP email from the PINK module... I have a bad feeling it doesn't support this. Can anyone confirm or deny that? The documenataion seems a little "thin", and the NetBurner website was silent about this particular module.

Does anyone know of an ethernet interface board for the stamp that DOES allow Authenticated SMTP access? I've looked at SitePlayer, but that's more of a webserver than an SMTP interface. The "goal" is to be able to generate SMTP mail from the stamp when certain trigger consitions are met.

John R.
01-27-2006, 08:12 AM
You are correct, PINKy does not currently support SMTP that requires authentication.

See the thread at http://forums.parallax.com/showthread.php?p=564888 and/or go to search.parallax.com (http://search.parallax.com) and search on PINK for a number of other discussion on the PINKy.

BeginLobbyingEffort:

There was discussion about possibly changing this in a future version of the firmware, but that was some time ago. My best guess is that the PINK back in stock and being shipped, once more feedback has come in, maybe a firmware upgrade will follow.

EndLobbyingEffort:

▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
John R.

8 + 8 = 10

Mike Porter
01-27-2006, 11:48 AM
I'm so sorry... I searched on PINK and SMTP. Unfortunately, the previous post mis-spelled SMPT as SMPT, and my search didn't find it!·I did actually try and search before I asked the question.

I would love to see this feature. In my case, I can't switch servers without getting RELAYing errors. In almost all cases, it's a requirement to configure an SMTP server to allow an email message either (1) that's authenticated (requiring a logon) or (2) in an ISP case, they only allow SMTP access if you signed on through their ISP services. It's considered a security risk for an SMTP server to be mis-used as a SPAM sender if they don't. "Switch SMTP Providers" isn't a realistic choice if you understand the reuiements on a modern ISP shop these days. In fact, there's even a web site for any SMTP provider that DOES allow it: it's "bad" and they list anyone who permits this: http://www.ordb.org/·or http://docs.cs.byu.edu/docs/spamstop/3.php. Technically, the suggestion is a valid workaround. It's also about as "not acceptable" as it gets on the internet.

Ryan Clarke
01-27-2006, 02:52 PM
From Wikipedia:

SMTP Security and Spamming

One of the limitations of the original SMTP is that it has no facility for authentication of senders. Therefore the SMTP-AUTH extension was defined.

In spite of this, E-mail spamming is still a major problem. Modifying SMTP extensively, or replacing it completely, is not believed to be practical, due to the network effects of the huge installed base of SMTP. Internet Mail 2000 is one such proposal for replacement.

For this reason, there are a number of proposals for sideband protocols that will assist SMTP operation. The Anti-Spam Research Group of the IRTF is working on a number of Email authentication and other proposals for providing simple source authentication that is flexible, lightweight, and scalable.

SMTP-AUTH extends SMTP (the Internet e-mail transmission protocol) to include an authentication step through which the client effectively logs in to the mail server during the process of sending mail. Servers which support SMTP-AUTH can usually be configured to require clients to use this extension, ensuring the true identity of the sender is known.

SMTP-AUTH provides an access control mechanism. It can be used to allow legitimate users to relay mail while denying relay service to unauthorized users, such as spammers. It does not guarantee the authenticity of either the SMTP envelope sender or the RFC 2822 "From:" header. For example, spoofing, in which one sender masquerades as someone else, is possible even with SMTP-AUTH.

The SMTP-AUTH extension also allows one mail server to indicate to another that the sender has been authenticated when relaying mail. In general this requires the recipient server to trust the sending server, meaning this aspect of SMTP-AUTH is rarely used in the Internet. The recipient of an e-mail message cannot tell whether the sender was authenticated, so use of SMTP-AUTH is only a very partial solution to the problem of spam.

While SMTP-AUTH is generally a security improvement over unauthenticated SMTP, it can also introduce a weakness. If authenticated users are allowed to submit messages from IP addresses where unauthenticated users are not — that is, if authenticated users are allowed to relay mail — then an attacker who subverts one user's account is then able to use the authenticated server as an open mail relay. Thus, in such a configuration, every user's password becomes a key to the mail system's security. Spammers have attacked SMTP-AUTH mail servers by wardialing common usernames and passwords.

__________________________________________________ ______________________________________________

Again:
There is no clear method or standard for SMTP authentication. The protocol does not facilitate authentication. Due to this, a number of different methods of 'faking' authentication (none of which are secure) have been put into place. Some ISPs require a login to a POP account within 5 min. prior to sending mail. Others use a plain text login. Some only allow sending from specific IP address. But there is no 'clear standard'- due to this no method was chosen for implementation in the first revision of the PINK firmware.

There is a difference between 'completely open' and open as bound to an IP address, a MAC address, etc.

Ryan

▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Ryan Clarke
Parallax Tech Support

RClarke@Parallax.com (mailto:RClarke@Parallax.com)

John R.
01-27-2006, 08:59 PM
Ryan;

Setting all that aside, many (most???) ISPs require some type of authentication. All mail clients that I am aware of support a place for login information if required by the SMTP server.

While I understand there may be a number of ways this is handled, without provisions, the functionality of PINKy is limited.

For many users, getting an ISP to accept open connections from a specific IP address will be hard, if not impossible (I suspect
SBC/Yahoo would politely decline). This will also be more expensive (significantly) for users that currently have "dynamic" IP addresses.

The work-around is to set you your own SMTP server, but this requires a registered domain, etc., and is non trivial (not impossible or terribly difficult, but non trivial).

Mike:

My reference to the search in PINK was more at other threads discussing some of the issues in more detail, and not meant as a criticism.

▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
John R.

8 + 8 = 10

Mike Porter
01-28-2006, 01:45 AM
Thanks Ryan! You should have a conversation with the good people at MAPS (http://www.mail-abuse.com/) They are one of the "policing officials" for SMTP on the internet. They might help you on your understanding here a bit. In fact, in their Library, you should scan their "How to secure your mail system against third-party relay" PDF. If you get blacklisted, you must re-configure your email sender to their specification, in this document. Of the 60+ SMTP server products they show configurations for, about 20% require disbaling RELAYing alltogether, About 40% enable IP restrictions from the same subnet and/or 40-80% REQUIRE SMTP Authentication to be enabled (not everyone can depend on IP restrictions, depending on their specific subnetting. If you don't do this, you will not be "un"-blacklisted. There are only two realistic choices in today's internet environment: restrict SMTP access via IP/MAC mechanisms or (2) use password authentication. I can understand the need to limit complexity on the first release. It's not a very useful product, but it does provide a great demo for what might be possible. The current implementation pretty much guaruntees that very few ISPs could/would let you use the PINKy module. MAPS would blacklist them in short order. NetBurner's libraries do include SMTP Authentication... it's just a matter of adding that to Pinky. Are there any plans to do that? I don't mind just rolling my own with NetBurner... but PINKy is so darned close to what I want, I just didn't want to do that if I didn't have to.

John: No worries... i just felt bad. I always search before I ask a question I'm sure has already been asked. The product isn't really usable for this feature as is... I was SURE that someone else had asked. I actually do have my own SMTP server here. And it was blacklisted for not havng Password Authentication turned on. Apparently there are hacker programs that search the web 24x7 and look for email servers like mine was configured. The only way to get "un-blakcisted" by MAPS was... you guessed it: turn ON Authentication <g>. All ISPs are strongly being encouraged to turn this on (over 80% of US ISPs have this enabled today). So, even setting up your own SMTP server alone isn't a solution for anything more than a demo. It would be easier just to find or build a solution very similar to PINKy. I'm going to keep looking at other ideas too. All I need to do is send an email message. I don't HAVE to use SMTP. I might even be able to come up with cheesy "FTP the file to a directory and run a cron script every 30 seconds to email a the file" kind of thing. There's always a way <g>!... I just wished there were an "elegant" way this time. PINKY was close, but no dice... at least for today.

Ryan Clarke
01-28-2006, 04:08 AM
That is not entirely true. Setting up your own SMTP is possible, with auths tied directly to MACs/IPs.
Have a little patience, we're working on it. We are also working on the possiblity of SSH, so then a majority of these threads will be a non-issue anyway. I don't think I should waste the time of the good folks at MAPS, as this isn't a matter of understanding, but circumstance (but thanks for the suggestion).

Ryan

▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔▔
Ryan Clarke
Parallax Tech Support

RClarke@Parallax.com (mailto:RClarke@Parallax.com)

Mike Porter
01-28-2006, 04:29 AM
THANKS! At the speed I'm running these days, you may well have a shipping sloution before I can do anything anyway. :-) I can't start this until April 1 at least, likely may. But I'm so glad to hear you are working on it... htat's the part I wasn't sure about!·I think it's a very powerful little module. Maybe if this really takes off a wireless version might even be possible, but it might be cost prohibitive.

Once again, Thanks everyone! This forum has always been a source of help and inspiration!