public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Grant @ 2012-12-05  5:28 UTC
  To: Gentoo mailing list


I was setting up ssmtp but I realized it isn't being maintained and there
are a couple of alternatives called msmtp and dma.  Can anyone recommend
one of these over the other?

I don't like how ssmtp stores the mail password in clear text in its config
file.  It looks like msmtp can pull the password from gpg:

msmtp --passwordeval 'gpg -d mypwfile.gpg'

I don't have much experience with gpg.  Does this mean I can store the mail
password encrypted on each of my systems so it can be used in an automated
fashion to get mail onto my mail server?  Do I need to start gpg-agent and
enter a gpg keyring password whenever I reboot each of the systems?

Is this the best way to get email alerts from my various systems to my
email address?

- Grant



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Michael Orlitzky @ 2012-12-05  5:43 UTC
  To: gentoo-user

On 12/05/2012 12:28 AM, Grant wrote:
> I was setting up ssmtp but I realized it isn't being maintained and
> there are a couple of alternatives called msmtp and dma.  Can anyone
> recommend one of these over the other?
> 
> I don't like how ssmtp stores the mail password in clear text in its
> config file.  It looks like msmtp can pull the password from gpg:
> 
> msmtp --passwordeval 'gpg -d mypwfile.gpg'
> 
> I don't have much experience with gpg.  Does this mean I can store the
> mail password encrypted on each of my systems so it can be used in an
> automated fashion to get mail onto my mail server?  Do I need to start
> gpg-agent and enter a gpg keyring password whenever I reboot each of the
> systems?
> 
> Is this the best way to get email alerts from my various systems to my
> email address?
> 

I switched to msmtp when nbsmtp was treecleaned. The switch was
uneventful; it just works, which is high praise.

You can't encrypt your password unless you're going to be physically
present to decrypt it (with some other password). If your machine is
physically secure, you can just make the msmtp config file read-only to
yourself. If someone can log in as you, they can get your password
anyway. There's only a risk if e.g. you're not root, or someone else can
get root (access to grub) or walk off with the hard drive.

If you're worried about either of those scenarios, set up a separate
account for your email alerts.



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Grant @ 2012-12-05  6:43 UTC
  To: Gentoo mailing list


> > I was setting up ssmtp but I realized it isn't being maintained and
> > there are a couple of alternatives called msmtp and dma.  Can anyone
> > recommend one of these over the other?
> >
> > I don't like how ssmtp stores the mail password in clear text in its
> > config file.  It looks like msmtp can pull the password from gpg:
> >
> > msmtp --passwordeval 'gpg -d mypwfile.gpg'
> >
> > I don't have much experience with gpg.  Does this mean I can store the
> > mail password encrypted on each of my systems so it can be used in an
> > automated fashion to get mail onto my mail server?  Do I need to start
> > gpg-agent and enter a gpg keyring password whenever I reboot each of the
> > systems?
> >
> > Is this the best way to get email alerts from my various systems to my
> > email address?
> >
>
> I switched to msmtp when nbsmtp was treecleaned. The switch was
> uneventful; it just works, which is high praise.
>
> You can't encrypt your password unless you're going to be physically
> present to decrypt it (with some other password). If your machine is
> physically secure, you can just make the msmtp config file read-only to
> yourself. If someone can log in as you, they can get your password
> anyway. There's only a risk if e.g. you're not root, or someone else can
> get root (access to grub) or walk off with the hard drive.
>
> If you're worried about either of those scenarios, set up a separate
> account for your email alerts.

I like the separate account idea.  Any tips on locking it down?  Maybe that
account on the mail server should somehow only be allowed to deliver to a
single email address (mine)?  Would it need a shell account?  Certainly not
allowed in sshd_config.

- Grant



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Eray Aslan @ 2012-12-05  7:17 UTC
  To: gentoo-user

On 12/5/12 7:28 AM, Grant wrote:
> I was setting up ssmtp but I realized it isn't being maintained and
> there are a couple of alternatives called msmtp and dma.  Can anyone
> recommend one of these over the other?

msmtp and nullmailer are good choices as lightweight MTAs.  I hope to
change the default MTA from ssmtp to one of them in the semi-near future
(probably nullmailer now that it has TLS/SSL support).

-- 
Eray Aslan <eras@gentoo.org>



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Michael Orlitzky @ 2012-12-05 15:27 UTC
  To: gentoo-user

On 12/05/2012 01:43 AM, Grant wrote:
>>
>> I switched to msmtp when nbsmtp was treecleaned. The switch was
>> uneventful; it just works, which is high praise.
>>
>> You can't encrypt your password unless you're going to be physically
>> present to decrypt it (with some other password). If your machine is
>> physically secure, you can just make the msmtp config file read-only to
>> yourself. If someone can log in as you, they can get your password
>> anyway. There's only a risk if e.g. you're not root, or someone else can
>> get root (access to grub) or walk off with the hard drive.
>>
>> If you're worried about either of those scenarios, set up a separate
>> account for your email alerts.
> 
> I like the separate account idea.  Any tips on locking it down?  Maybe
> that account on the mail server should somehow only be allowed to
> deliver to a single email address (mine)?  Would it need a shell
> account?  Certainly not allowed in sshd_config.
> 

It depends on how you're authenticating. We've got our users in
Postgres, and postfix uses Dovecot's SASL backend to auth. That way a
"user" is just an email address/password combination and can't do
anything except send/receive mail.

The general defense against hacked user accounts is to do rate-limiting
on the MTA with something like postfwd, and at least notify postmaster
if someone begins sending hundreds of messages. That way if a user gets
hacked, you find out about it and can disable them.

In this case I wouldn't even worry about it. If someone can log on to
your server and read the msmtp config, you've already got a big problem.
The real benefit to using a separate account is that if that does
happen, they can't see Grant's personal email password (which is
essentially the keys to the kingdom).

Another thing you might consider is getting added to the feedback loops
of some major providers. When one of our users gets hacked, I find out
quickly because AOL sends me a copy of every message that they get from
us which is marked as junk. This is a Good Idea anyway, and mitigates
the stolen-password problem in that unlikely event.
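The "notify postmaster if someone begins sending hundreds of messages" check that Michael describes, as an added shell example that is not part of the thread and not postfwd's own logic. It runs the counting step over constructed Postfix smtpd log lines: every SASL-authenticated submission logs a `sasl_username=` field, so counting those per account and flagging any account over a threshold is the core of the detection. The host names, addresses and queue IDs are constructed; a real deployment would bound the count by a time window and pipe the flagged list to postmaster.

```shell
#!/bin/sh
# Added example, not code from the thread. Counts SASL-authenticated
# submissions per account in Postfix smtpd log lines and flags accounts that
# exceed a threshold, i.e. the "one user suddenly sends hundreds of messages"
# signal that a stolen password produces. All log lines are constructed.

# sample_log: print constructed log lines. Two submissions from the alerts
# account, one inbound (unauthenticated) connection that must be ignored,
# and 250 submissions from an account whose password has been stolen.
sample_log() {
    printf '%s\n' 'Dec  5 10:00:01 mail postfix/smtpd[1234]: 1A2B3C: client=host1[203.0.113.10], sasl_method=PLAIN, sasl_username=alerts@example.com'
    printf '%s\n' 'Dec  5 10:05:01 mail postfix/smtpd[1234]: 4D5E6F: client=host1[203.0.113.10], sasl_method=PLAIN, sasl_username=alerts@example.com'
    printf '%s\n' 'Dec  5 10:06:12 mail postfix/smtpd[1234]: 7A8B9C: client=mx.other.example[198.51.100.7]'
    i=0
    while [ "$i" -lt 250 ]; do
        # one submission per second from rotating client addresses
        printf 'Dec  5 10:%02d:%02d mail postfix/smtpd[1234]: Q%04d: client=unknown[192.0.2.%d], sasl_method=LOGIN, sasl_username=victim@example.com\n' \
            "$((10 + i / 60))" "$((i % 60))" "$i" "$((i % 254 + 1))"
        i=$((i + 1))
    done
}

# count_senders: read log lines on stdin, print "COUNT USERNAME" per
# authenticated account, busiest first. Lines without sasl_username are
# dropped by sed's -n/p combination, so inbound mail is never counted.
count_senders() {
    sed -n 's/.*sasl_username=\([^ ,]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# flag_senders THRESHOLD: print the usernames whose count exceeds THRESHOLD.
# The output is what you would mail to postmaster (or feed to a script that
# disables the account).
flag_senders() {
    count_senders | awk -v t="$1" '$1 > t { print $2 }'
}

# Stand-alone demo: run with "run" as the first argument.
if [ "${1:-}" = run ]; then
    echo "submissions per account:"
    sample_log | count_senders
    echo "accounts over 100 submissions (notify postmaster):"
    sample_log | flag_senders 100
fi
```

In production the input would be `journalctl -u postfix` or the mail log for the last few minutes rather than the constructed sample, and the threshold would be set from the normal per-account volume; the alerts account in the sample sends two messages, so a threshold of 100 separates it cleanly from the compromised one.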



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Randy Barlow @ 2012-12-05 15:46 UTC
  To: gentoo-user

Grant wrote:
> msmtp --passwordeval 'gpg -d mypwfile.gpg'

Be careful with passing your password as a command line argument, 
because it will put your password into the output of ps. This would 
allow any user on the system to read your password.

-- 
R
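Grant's `--passwordeval` line and Michael's advice to make the msmtp config readable only by yourself, as an added shell example that is not part of the thread. msmtp runs the `passwordeval` command and takes the password from the first line of its standard output, so the secret never needs to be a command-line argument (arguments are visible in `ps` to every local user; a process's stdout is not), and what matters is that the secret file and the config are unreadable to anyone but the owner. msmtp itself refuses a config file that contains a password if the file is group- or world-readable; the helper below applies the same rule to the secret file and fails closed. The helper path, host, account name and file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from msmtp. Two defensive checks
# for an msmtp passwordeval setup:
#   1. the secret is read from an owner-only file and written to stdout, so it
#      never appears in any process's argument list;
#   2. the helper refuses to run if the secret file is readable by group or
#      others, mirroring msmtp's own check on its config file.
# All file names, host names and account names are constructed for the demo.

# check_owner_only FILE: print "ok" when FILE has no group/other permission
# bits (0600, 0400, ...), otherwise "bad". ls -ld is used so the check works
# on both GNU and BSD userlands; columns 5-10 are the group and other bits.
check_owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo ok
    else
        echo bad
    fi
}

# emit_secret FILE: the passwordeval helper. Prints the first line of FILE
# (the password) on stdout. Fails closed when FILE is readable by others, so
# a forgotten chmod produces a send failure instead of a leak.
emit_secret() {
    if [ "$(check_owner_only "$1")" != ok ]; then
        echo "refusing to read $1: it is readable by group or others" >&2
        return 1
    fi
    head -n 1 "$1"
}

# write_demo_config DIR: create an owner-only secret file and an msmtprc that
# uses it through the helper; prints the config path. umask 077 makes every
# file created here 0600 without a separate chmod.
write_demo_config() {
    umask 077
    printf '%s\n' 'constructed-demo-password' > "$1/mail-secret"
    cat > "$1/msmtprc" <<EOF
# constructed msmtp account for outgoing alerts
account        alerts
host           mail.example.com
port           587
tls            on
auth           on
user           alerts@example.com
# the helper reads the secret file; the password itself is never an argument
passwordeval   /usr/local/bin/mail-secret-helper $1/mail-secret
EOF
    echo "$1/msmtprc"
}

# Stand-alone demo: run with "demo" as the first argument.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    cfg=$(write_demo_config "$d")
    echo "config: $cfg -> $(check_owner_only "$cfg")"
    echo "secret: $d/mail-secret -> $(check_owner_only "$d/mail-secret")"
    emit_secret "$d/mail-secret" >/dev/null && echo "helper: secret delivered on stdout"
    chmod 644 "$d/mail-secret"
    emit_secret "$d/mail-secret" || echo "helper: refused after chmod 644 (expected)"
    rm -rf "$d"
fi
```

Installed for real, `emit_secret` would be the body of the hypothetical `/usr/local/bin/mail-secret-helper`, and the same owner-only rule applies whether the secret file is plain text or a `gpg -d` target: encryption only helps if someone is present to unlock the key, which is Michael's point, while file permissions are what protect an unattended system.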



* Re: [gentoo-user] ssmtp alternatives: msmtp vs. dma
From: Grant @ 2012-12-08  2:05 UTC
  To: Gentoo mailing list


> >> If you're worried about either of those scenarios, set up a separate
> >> account for your email alerts.
> >
> > I like the separate account idea.  Any tips on locking it down?  Maybe
> > that account on the mail server should somehow only be allowed to
> > deliver to a single email address (mine)?  Would it need a shell
> > account?  Certainly not allowed in sshd_config.
> >
>
> It depends on how you're authenticating. We've got our users in
> Postgres, and postfix uses Dovecot's SASL backend to auth. That way a
> "user" is just an email address/password combination and can't do
> anything except send/receive mail.
>
> The general defense against hacked user accounts is to do rate-limiting
> on the MTA with something like postfwd, and at least notify postmaster
> if someone begins sending hundreds of messages. That way if a user gets
> hacked, you find out about it and can disable them.
>
> In this case I wouldn't even worry about it. If someone can log on to
> your server and read the msmtp config, you've already got a big problem.
> The real benefit to using a separate account is that if that does
> happen, they can't see Grant's personal email password (which is
> essentially the keys to the kingdom).

I was planning on having the alerts sent from each system via my privileged
account on the mail server which means storing that password in the msmtp
config file on each system.  If I instead set up a separate account for
alerts and lock that account down so it can only send email to my own
address, I can flaunt that password around all I want because it can only
be used to send email to me, correct?

By the way, is it considered safe to use my own privileged account on the
mail server to send mail from a good local mail client if I use SSL/TLS in
transmission?

> Another thing you might consider is getting added to the feedback loops
> of some major providers. When one of our users gets hacked, I find out
> quickly because AOL sends me a copy of every message that they get from
> us which is marked as junk. This is a Good Idea anyway, and mitigates
> the stolen-password problem in that unlikely event.

That sounds like a really good idea.  Is there an industry-standard term I
could use in a search to figure out how to get the providers (Google,
Yahoo, AOL?) to set me up this way?

- Grant


