smtpauth 0.94 review

by on

smtpauth is a authenticating proxy for servers without SMTP AUTH. Use 'smtpauth' and stunnel programs to add SMTP AUTH (PLAIN, LOGIN

License: GPL (GNU General Public License)
File size: 10K
Developer: Jem Berkes
0 stars award from

smtpauth is a authenticating proxy for servers without SMTP AUTH.

Use 'smtpauth' and stunnel programs to add SMTP AUTH (PLAIN, LOGIN) support to any SMTP server. Clients can authenticate over SSL port 465 or cleartext port 587, and authentication is fully logged via syslog.

Works with JBMail, Pegasus Mail, Mozilla Thunderbird, MS Outlook...

This software is really an interim solution until our favourite MTA(s) support SSL/TLS and SMTP AUTH directly. For now I prefer using external programs to provide this functionality rather than patching MTA source. I designed this software to work with my Postfix server, but smtpauth also works with sendmail and just about any other SMTP server.


1. Compile and install binary.

Copy 'smtpauth' to /usr/sbin, owned by root, mode 755

2. Create special user 'smtpauth' with its own group, no login allowed.

Note that smtpauth will immediately exit with an error if invoked as root.
It must be run from a low privilege account, for security.

3. [For SSL, port 465] Configure stunnel.conf. Change 'domain' for your site.

setuid = smtpauth
setgid = smtpauth
debug = auth.notice
client = no

accept = 465
exec = /usr/sbin/smtpauth
execargs = smtpauth domain

4. Configure /etc/smtpauth.conf

This file should only be readable by the smtpauth user, since it stores plain
passwords. It consists of single lines containing usernames and passwords with
whitespace separating. Blank lines and comment lines starting # are ignored.

user1 pass1
user2 pass2

5. [For SSL, port 465] Start up stunnel

This will create a server running as smtpauth on port smtps/465. When SMTP clients
connect (SSL/TLS) the smtpauth program is launched and provides authentication
service through to, as a proxy. Your actual SMTP server will accept
mail because that connection is local. The mail headers will include X-SMTP-AUTH
indicating the username. Success and failures will be logged via syslog.

6. [For cleartext, port 587] Configure cleartext submission service in inetd

Since inetd (when started with -W) also supports wrapping, the smtpauth proxy
can be run straight out of here too. Note that this is somewhat risky, because
there will be no SSL/TLS encryption on the submission port (587).

Again, change 'domain' for your site (e.g. mail.yoursite.tld)

submission stream tcp nowait smtpauth /usr/sbin/smtpauth smtpauth domain

smtpauth 0.94 keywords