-=:SMTP over SSH.:=-
Like many others, I am a bit paranoid about having multiple ports open on my computer: every open port adds to the exposure of the system, and no software is perfect or 100% secure. So I prefer to rely on a single piece of software I consider secure enough, in my case OpenSSH with protocol 2 and RSA keys. I therefore wanted to use ssh both as the authenticator and as the transport for the SMTP traffic from my laptop to the mail server I run on onerussian.com. I asked uncle Google about it and he sent me to Section 2: SSH-tunnelling of Johannes Franken's SSH talk, which is almost what I need. The only problem for me is that, as I understand it, that solution requires one of two things: either your .bashrc (or some other script) points exim at an ssh-agent that is already running on the system with your private keys loaded, or you use a private key without a passphrase, which is insecure. So I decided to adjust the configuration so that exim attaches to the running ssh-agent itself and then connects to my smarthost. Here is the exim configuration I ended up with (Exim 3 syntax: a domainlist router, sections terminated by "end"; Exim 4 replaced domainlist with manualroute). Note that the pipe command takes the first socket matching /tmp/ssh*/agent* and the first ssh-agent process it sees, whichever user they belong to, so it assumes that the only agent on the machine is mine.

    # Adopted by yoh@onerussian.com from
    # http://www.jfranken.de/homepages/johannes/vortraege/ssh2.en.html

    # at bottom of TRANSPORT CONFIGURATION :
    ###########################
    # Transport, which tunnels mails over ssh to my smarthost
    ssh:
      driver = pipe
      # talk regular smtp to the pipe (qmail approved :-) )
      bsmtp = all
      bsmtp_helo = true
      use_crlf = true
      prefix = ""
      suffix = ""
      # connect to my mail server's smtp port.
      # must authenticate without password: pick up the running ssh-agent
      # (ssh itself only needs SSH_AUTH_SOCK; SSH_AGENT_PID is set for completeness)
      command = /bin/sh -c 'SSH_AGENT_PID=`/bin/ps h -C ssh-agent -o pid|head -1` SSH_AUTH_SOCK=`/bin/ls /tmp/ssh*/agent*|head -1` ssh onerussian.com netcat -w 1 localhost smtp'
      # run the pipe as the user who owns the agent and the keys
      user = yarik
      # ssh failure handling: kill hanging sessions,
      # retry and tell me on failures
      timeout = 300s
      temp_errors = 1
      return_fail_output = true
    end

    # at top of ROUTERS CONFIGURATION:
    ###########################
    # Send all mail to a smarthost
    smarthost:
      driver = domainlist
      # must name the pipe transport defined above, otherwise mail goes out
      # over plain SMTP and never touches the tunnel
      transport = ssh
      route_list = "* onerussian.com bydns_a"
    end

If you have any comments, I would really appreciate them.
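As an added example (not part of the original post, nor of Johannes Franken's page), the following POSIX shell wrapper does what the one-line command in the pipe transport above does, with two checks a practitioner would want: it only accepts an agent socket owned by the user exim runs the pipe as, so a socket left behind by another login is never picked first, and it verifies that the agent actually holds a key before calling ssh in BatchMode, so a missing key fails fast with exit code 1 (the code listed in temp_errors above, so exim defers and retries) instead of hanging until the transport timeout. The host onerussian.com and the netcat invocation are taken from the post; the script name smtp-over-ssh.sh, the ConnectTimeout value and the sourcing guard at the end are my assumptions.

```shell
#!/bin/sh
# smtp-over-ssh.sh HOST   (added example, not from the original post)
# Pipe the message on stdin to HOST's local SMTP port over ssh, authenticating
# with the ssh-agent of the invoking user.

# find_agent_socket DIR [USER]
# Print the first path matching DIR/ssh*/agent* that belongs to USER (default:
# the invoking user). The exim command on the page takes the first
# /tmp/ssh*/agent* match regardless of owner; filtering by owner avoids
# selecting another user's agent, which ssh could not use anyway.
find_agent_socket() {
    dir=${1:-/tmp}
    owner=${2:-$(id -un)}
    find "$dir" -path "$dir/ssh*/agent*" -user "$owner" 2>/dev/null | head -n 1
}

# agent_has_keys SOCK
# Succeed only if the agent behind SOCK answers and holds at least one key.
# ssh-add -l exits 0 with keys, 1 with no keys, 2 if no agent is reachable.
agent_has_keys() {
    SSH_AUTH_SOCK=$1 ssh-add -l >/dev/null 2>&1
}

# deliver HOST
# Exit 1 (a temp_errors code in the exim transport above) when no usable agent
# is found, so exim queues the message and retries instead of bouncing it.
deliver() {
    host=$1
    sock=$(find_agent_socket /tmp)
    if [ -z "$sock" ] || ! agent_has_keys "$sock"; then
        echo "no ssh-agent with keys for $(id -un); deferring" >&2
        exit 1
    fi
    export SSH_AUTH_SOCK="$sock"
    # BatchMode=yes: never prompt for a passphrase or password, fail instead.
    # -T: no pty, since SMTP is spoken on stdin/stdout.
    # ConnectTimeout=20 is an assumed value; netcat -w 1 is as on the page.
    exec ssh -T -o BatchMode=yes -o ConnectTimeout=20 \
        "$host" netcat -w 1 localhost smtp
}

# Run only when invoked with a host argument, so the functions above can be
# sourced and exercised on their own.
if [ $# -eq 1 ]; then
    deliver "$1"
fi
```

With the script installed (the path is an assumption), the transport's command line becomes command = /usr/local/bin/smtp-over-ssh.sh onerussian.com, and user = yarik stays as on the page so that id -un inside the script resolves to the owner of the agent.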