Restricting email submission to localhost and disabling SMTP authentication

Thinking about securing my email/shell/web server better, one idea that has been proposed was to employ some alternative - and stronger - PAM module, such as one time passwords. This may yet be a topic for a future post.

But for now, there was one clear obstacle for moving in that direction. Exim, the SMTP daemon, depended on password authentication to allow known users to send mail via non-local connections to other domains. In the SMTP jargon this is known as relaying and if you allow non-authenticated users to do it, you instantly turn into a spam machine and you're blocked by everyone for a long time. So I needed another way for exim to distinguish authenticated connections.

Fortunately I am in the position that anyone who can use the server for email also has shell access. So the simple solution is: disable relaying via non-local connections completely; to send mail through the server, users need to configure their email client either to call the submission program on the server through ssh or to send through a localhost tunnel which connects to port 587 on the server side.

Configuration details

This has in fact led to a considerable simplification of the exim configuration:

git diff --stat 0aa952f..c9955e1
exim/exim.conf       | 35 ++++++++---------------------------
exim/tls-server.conf | 44 --------------------------------------------
2 files changed, 8 insertions(+), 71 deletions(-)

Locally, the changes were minimal: I added yet another port forwarding to the background ssh process which I already had running, and I told msmtp to use it as the "remote" side:

diff --git a/msmtprc b/msmtprc
index b33a374..db5e4f1 100644
--- a/msmtprc
+++ b/msmtprc
@@ -1,12 +1,9 @@

-port 587
+host localhost
+port 15587
-user itz
-passwordeval "cat /etc/msmtpauth"
-auth plain
-tls on
+tls off
 auto_from off
 syslog on

diff --git a/supervisord.d/tortunnel.conf b/supervisord.d/tortunnel.conf
index ee8fac2..8943880 100644
--- a/supervisord.d/tortunnel.conf
+++ b/supervisord.d/tortunnel.conf
@@ -1,5 +1,5 @@
-command=/usr/bin/ssh -p 2259 -N -T -o BatchMode=yes -D -L 19050:
+command=/usr/bin/ssh -p 2259 -N -T -o BatchMode=yes -D -L 19050: -L 15587: