Date:      Fri, 12 Jul 2002 23:47:25 -0400
From:      Leo Bicknell <bicknell@ufp.org>
To:        freebsd-arch@freebsd.org
Cc:        louie@TransSys.COM, listsub@rambo.simx.org, tlambert2@mindspring.com, leifn@neland.dk
Subject:   Mail subsystem defaults, adding authentication.
Message-ID:  <20020713034725.GB47677@ussenterprise.ufp.org>


[Those CC:ed, you sent me mail in a freebsd-hackers discussion late
last year.]

[I am not on freebsd-arch, please keep me in CC's.]

Short form:

  I believe it is important for FreeBSD's default install to either
  make it easy, or default to a setup that allows SMTP AUTH against
  the password file.  To do this we need to include a SASL library.
  As such, I would like a SASL library in the base distribution.

Long form:

  FreeBSD already supports SMTP over SSL in the default install
  (if the user creates keys).  There is a port for imap-ssl that
  works quite well, plus there is no imap in the default install.
  To provide secure e-mail (sending and receiving) you need a
  download protocol that is encrypted (imap-ssl), and a sending
  protocol (SMTP AUTH) that prevents relaying.  Since SMTP AUTH
  does not require non-cleartext passwords, doing SMTP AUTH over
  SSL is a good idea.

  SMTP AUTH checks a userid and password.  To my knowledge, sendmail
  only supports using SASL to perform this function.  We have SASL
  libraries in a port.  If they are installed, a few flags can be
  changed so "make world" builds a sendmail that has SASL support.
  If the SASL port were installed as part of the base system, these
  flags could be the default.

  Since all major e-mail clients support IMAP/SSL and SMTP AUTH
  (usually over SSL, if IMAP/SSL is supported) this seems the right
  combination for a fully secure, non-open relay configuration.

So, I would like comments on the following issues:

1) Is it desirable to provide a default install for which SMTP AUTH
   against the password file works?

2) If yes to #1, is including the cyrus-sasl port in the base
   distribution the best way to get a SASL library?  [Included
   in this is license issues, code quality issues, etc.]  If it
   is not the best, is there a better choice?

At the end of the day, I think we are close to the right thing,
which means imap-ssl is easy to install from a port (and easy to
keep separate from the base system).  SMTP over SSL seems to already
be in the base system.  The only thing preventing a user from
running a "secure" SMTP/IMAP server from a base install, is the
lack of SMTP AUTH.  AFAIK, SASL is the only way to get that working,
and cyrus-sasl is the best (technically) library available.

At this time, I don't want to nit-pick on details; that can be done
off list.  What I'm really after is if there is support for making
SMTP AUTH work in the base install, and if my _general_ outline is
the right way to go about it.  There are more appropriate places
for the details.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
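
Added example, not part of the original message: the message notes that SMTP AUTH does not require non-cleartext passwords, which is why it pairs AUTH with SSL. This Python sketch decodes an AUTH PLAIN response to show the password is only base64-encoded, and audits EHLO replies for cleartext mechanisms advertised before STARTTLS. The host name, credentials and EHLO lines are constructed sample data, and a STARTTLS-style session is assumed.

```python
import base64

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password itself

def parse_ehlo(lines):
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    for line in lines[1:]:  # line 0 is the server's greeting, not a capability
        if line[:3] != "250" or len(line) < 5:
            continue
        # "AUTH=PLAIN LOGIN" is a legacy spelling of "AUTH PLAIN LOGIN"
        words = line[4:].replace("=", " ").upper().split()
        if words:
            caps.setdefault(words[0], []).extend(words[1:])
    return caps

def decode_plain(b64):
    """Decode an AUTH PLAIN initial response: authzid NUL authcid NUL passwd."""
    authzid, authcid, passwd = base64.b64decode(b64).split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()

def audit(pre_tls, post_tls=None):
    """Return findings for EHLO replies captured before and after STARTTLS."""
    findings = []
    pre = parse_ehlo(pre_tls)
    exposed = sorted(CLEARTEXT_MECHS & set(pre.get("AUTH", [])))
    if exposed:
        findings.append("cleartext AUTH offered before TLS: " + ", ".join(exposed))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("no AUTH offered after TLS")
    return findings

# Constructed sample data (not from the original message).
WEAK = ["250-mail.example.org Hello", "250-AUTH PLAIN LOGIN", "250 HELP"]
GOOD_PRE = ["250-mail.example.org Hello", "250-STARTTLS", "250 HELP"]
GOOD_POST = ["250-mail.example.org Hello", "250-AUTH PLAIN LOGIN", "250 HELP"]
SAMPLE_RESPONSE = base64.b64encode(b"\0alice\0not-a-real-password").decode()

if __name__ == "__main__":
    print(decode_plain(SAMPLE_RESPONSE))  # base64 is an encoding, not encryption
    print(audit(WEAK))
    print(audit(GOOD_PRE, GOOD_POST))
```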
