From owner-freebsd-arch Fri Jul 12 21:12:41 2002 Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C44E37B400 for ; Fri, 12 Jul 2002 21:12:39 -0700 (PDT) Received: from ussenterprise.ufp.org (ussenterprise.ufp.org [208.185.30.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 79F6543E67 for ; Fri, 12 Jul 2002 21:12:38 -0700 (PDT) (envelope-from bicknell@ussenterprise.ufp.org) Received: (from bicknell@localhost) by ussenterprise.ufp.org (8.11.1/8.11.1) id g6D3lPV48178; Fri, 12 Jul 2002 23:47:25 -0400 (EDT) (envelope-from bicknell) Date: Fri, 12 Jul 2002 23:47:25 -0400 From: Leo Bicknell To: freebsd-arch@freebsd.org Cc: louie@TransSys.COM, listsub@rambo.simx.org, tlambert2@mindspring.com, leifn@neland.dk Subject: Mail subsystem defaults, adding authentication. Message-ID: <20020713034725.GB47677@ussenterprise.ufp.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Organization: United Federation of Planets Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG [Those CC:ed, you send me mail in a freebsd-hackers discussion late last year.] [I am not on freebsd-arch, please keep me in CC's.] Short form: I believe it is important for FreeBSD's default install to either make it easy, or default to a setup that allows SMTP AUTH against the password file. To do this we need to include a SASL library. As such, I would like a SASL library in the base distribution. Long form: FreeBSD already supports STMP over SSL in the default install (if the user creates keys). There is a port for imap-ssl that works quite well, plus there is no imap in the default install. To provide secure, e-mail (sending and receiving) you need a download protocol that is encrypted (imap-ssl), and a sending protocol (SMTP AUTH) that prevents relaying. Since SMTP AUTH does not require non-cleartext passwords, doing SMTP AUTH over SSL is a good idea. SMTP AUTH checks a userid and password. To my knowledge, sendmail only supports using SASL to perform this function. We have SASL libraries in a port. If they are installed, a few flags can be changed so "make world" builds a sendmail that has SASL support. If the SASL port were installed as part of the base system, these flags could be the default. Since all major e-mail clients support IMAP/SSL and SMTP AUTH (usually over SSL, if IMAP/SSL is supported) this seems the right combination for a fully secure, non-open relay configuration. So, I would like comments on the following issues: 1) Is it desirable to provide a default install for which SMTP AUTH against the password file works? 2) If yes to #1, is including the cyrus-sasl port in the base distribution the best way to get a SASL library? [Included in this is license issues, code quality issues, etc.] If it is not the best, is there a better choice? At the end of the day, I think we are close to the right thing, which means imap-ssl is easy to install from a port (and easy to keep separate from the base system). SMTP over SSL seems to already be in the base system. The only thing preventing a user from running a "secure" SMTP/IMAP server from a base install, is the lack of SMTP AUTH. AFAIK, SASL is the only way to get that working, and cyrus-sasl is the best (technically) library available. At this time, I don't want to nit-pick on details, that can be done off list. What I'm really after is if there is support for making SMTP AUTH work in the base install, and if my _general_ outline is the right way to go about it. There are more appropriate places for the details. -- Leo Bicknell - bicknell@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/ Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message