	=======================================================================
	smtpauth 0.93 - Authenticating proxy for servers without SMTP AUTH
	Copyright (C) 2004, Jem E. Berkes <jberkes@pc-tools.net>
	=======================================================================
	Use the 'smtpauth' and 'stunnel' programs to add SMTP AUTH (PLAIN, LOGIN)
	support to any SMTP server. Clients can authenticate over SSL port 465
	or cleartext port 587, and authentication is fully logged via syslog.

	Works with JBMail, Pegasus Mail, Mozilla Thunderbird, MS Outlook...

	This software is really an interim solution until our favourite MTA(s)
	support SSL/TLS and SMTP AUTH directly. For now I prefer using external
	programs to provide this functionality rather than patching MTA source.

============================

1. Compile and install binary.

make
Copy 'smtpauth' to /usr/sbin, owned by root, mode 755

============================

2. Create special user 'smtpauth' with its own group, no login allowed.

Note that smtpauth will immediately exit with an error if invoked as root.
For security, it must be run from a low-privilege account.

============================

3. Configure stunnel.conf

setuid = smtpauth
setgid = smtpauth
debug = auth.notice
client = no

[smtps]
accept = 465
exec = /usr/sbin/smtpauth
execargs = smtpauth domain 127.0.0.1

============================

4. Configure /etc/smtpauth.conf

This file should be readable only by the smtpauth user, since it stores
plaintext passwords. Each line holds one username and its password, separated
by whitespace. Blank lines and comment lines starting with # are ignored.

user1	pass1
user2	pass2
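
An added example (not part of the smtpauth distribution): a Python check of the
step 4 requirements. It assumes the format is exactly as described above (two
whitespace-separated fields per line); audit_conf() is a hypothetical helper
that takes the uid of the smtpauth account and never echoes a password.

```python
import os
import stat
import sys


def audit_conf(path, owner_uid):
    """Return a list of findings for an smtpauth-style credentials file."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {owner_uid}")
    # Any group/other permission bit exposes the plaintext passwords.
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} grants group/other access")
    seen = set()
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            # Assumption: blank lines and lines whose first non-blank
            # character is '#' are skipped, per the README's description.
            if not line or line.startswith("#"):
                continue
            fields = line.split()
            # Assumption: exactly "username password" on each line.
            if len(fields) != 2:
                findings.append(f"line {lineno}: expected 2 fields, found {len(fields)}")
                continue
            user = fields[0]
            if user in seen:
                findings.append(f"line {lineno}: duplicate username {user!r}")
            seen.add(user)
    return findings


if __name__ == "__main__":
    import pwd
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/smtpauth.conf"
    problems = audit_conf(conf, pwd.getpwnam("smtpauth").pw_uid)
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as root or as the smtpauth user; it exits non-zero when anything is found.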

============================

5. Start up stunnel

This will create a server running as smtpauth on port smtps/465. When an SMTP
client connects (SSL/TLS), the smtpauth program is launched and acts as a proxy,
providing authentication service through to 127.0.0.1:25. Your actual SMTP
server will accept the mail because that connection is local. The mail headers
will include X-SMTP-AUTH indicating the username. Successes and failures will
be logged via syslog.

============================

6. Optional - cleartext submission service

Since inetd (when started with -W) also supports wrapping, the smtpauth proxy
can be run directly from inetd as well. Note that this is somewhat risky: there
is no SSL/TLS encryption on the submission port (587), so AUTH PLAIN and LOGIN
credentials cross the network unencrypted (base64 is an encoding, not encryption).

submission stream tcp nowait  smtpauth /usr/sbin/smtpauth smtpauth domain 127.0.0.1

============================

