Date:      Sat, 13 Jul 2002 04:32:36 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Leo Bicknell <bicknell@ufp.org>
Cc:        freebsd-arch@freebsd.org, louie@TransSys.COM, listsub@rambo.simx.org, leifn@neland.dk
Subject:   Re: Mail subsystem defaults, adding authentication.
Message-ID:  <3D300FD4.7479A8E5@mindspring.com>
References:  <20020713034725.GB47677@ussenterprise.ufp.org> <3D2FAFB2.E2E9CF36@mindspring.com> <20020713045704.GA49379@ussenterprise.ufp.org>

Leo Bicknell wrote:
> Terry Lambert wrote:
> > You are almost better off simply using SMTP over SSL, and
> > permitting connections only to certificated clients, at which
> > point you can just sign the client certificates and be done
> > with it, without using the "SMTP AUTH" approach at all.
> 
> I want to address this specifically.
> 
> I have personally been involved with a half dozen situations where
> SMTP AUTH against the password file was desired.

This isn't really a FreeBSD issue, except for the inclusion of
the SASL library in the base system, which is not currently the
case.

The license on Cyrus SASL is right (BSD license) for it to be
included in the base system (one of the things you are asking)
and for sendmail to be configured to use it, and linked with it
by default (the other thing you are asking).

I personally approve of including it, but it *is* "bloat".

But integration into the UNIX password mechanism is not really
possible at this time.

People can want it, but they aren't going to get it, because
UNIX passwords are not stored as plaintext, as they are when
you use the "saslpasswd" program, and sendmail only advertises
SMTP AUTH KERBEROS and CRAM-MD5 mechanisms (per RFC-2222), and
not "PLAIN" if saslpasswd(8) has been run, and the saslpasswd
file exists.  Note that RFC-2595 does not apply to SMTP, and
it doesn't apply to what it does apply to, without TLS (SSL).


> using protocols supported today by the majority of e-mail
> clients.  SMTP AUTH, requiring SSL as I outlined before, is the only
> solution I have ever found.

You need to submit your patches for this to the sendmail people.
Without modification, sendmail does not enforce use of SSL for
permitting advertisement of SMTP AUTH, and therefore addition of
a pseudo-RFC-2595 "PLAIN" or "EXTERNAL X-UNIX" mechanism can not
reasonably be added to FreeBSD so that it's operational by default.
You might as well argue for rsh or telnet being reenabled by
default.

The STARTTLS SMTP command doesn't work, because it is issued
after the EHLO, which solicits the capabilities list that exposes
the SMTP AUTH.  The only method that works, therefore, is to use
an SSL connection (SMTPS, port 465 instead of port 25).  You
can see the order of operation problem, I hope?

The normal commercial practice (assuming you aren't also using
SASL for IMAP4 server authentication, in which case, the password
database is shared, but separate from the UNIX password database)
is to trap UNIX password authentication to the POP3 server, and,
on successful authentication, create a corresponding SASL password
file entry using the pop3 daemon's knowledge of the unencrypted
shared secret (either from its own database, if APOP is used, or
the over the wire value, if USER/PASS is used).

In other words, it's something you do with the plaintext in hand,
no matter how you look at it.

-- Terry

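The two technical points in the message above, as an added worked example that is not part of the thread and is not code from sendmail or Cyrus SASL: first, an EHLO capability responder that only advertises the plaintext mechanisms (PLAIN, LOGIN) once the session is already encrypted, i.e. the "enforce use of SSL for permitting advertisement of SMTP AUTH" check the message says stock sendmail does not make; second, the CRAM-MD5 exchange from RFC 2195, whose server side must hold the plaintext shared secret (the HMAC key is the password itself), which is the reason a crypt(3)-hashed UNIX password cannot back it. The advertisement policy, host names and credentials are constructed for the example; the RFC 2195 known-answer values are from that RFC's own worked example.

```python
"""Added example, not code from the thread, from sendmail or from Cyrus SASL.
It models two points from the message above:
  1. an EHLO capability list that advertises plaintext AUTH mechanisms
     only on an already-encrypted session, and
  2. the CRAM-MD5 exchange (RFC 2195), whose server side needs the
     plaintext shared secret, not a crypt(3) hash.
Policy, host names and credentials are constructed for the example."""
import base64
import hashlib
import hmac
import secrets
import time


def ehlo_response(hostname, tls_active, sasldb_present):
    """Capability lines a server would send in reply to EHLO.

    Constructed policy (an assumption, not sendmail's own): CRAM-MD5 is
    offered whenever a SASL password file exists, because the secret never
    crosses the wire; PLAIN and LOGIN are offered only once the session is
    encrypted, so a cleartext capability list never invites a client to
    send its password in the clear."""
    caps = ["250-%s Hello" % hostname, "250-8BITMIME"]
    if not tls_active:
        caps.append("250-STARTTLS")
    mechs = []
    if sasldb_present:
        mechs.append("CRAM-MD5")
    if tls_active:
        mechs.extend(["PLAIN", "LOGIN"])
    if mechs:
        caps.append("250-AUTH " + " ".join(mechs))
    caps.append("250 HELP")
    return caps


def advertised_mechanisms(caps):
    """Parse the AUTH mechanisms out of a capability list (empty if none)."""
    for line in caps:
        if line[4:9] == "AUTH ":
            return line[9:].split()
    return []


def cram_md5_challenge(hostname):
    """Server challenge in the RFC 2195 shape, base64-encoded for the 334 reply."""
    raw = "<%d.%d@%s>" % (secrets.randbelow(1 << 31), int(time.time()), hostname)
    return base64.b64encode(raw.encode()).decode()


def cram_md5_response(username, password, challenge_b64):
    """Client side: HMAC-MD5 over the decoded challenge, keyed by the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()


def cram_md5_verify(response_b64, challenge_b64, secret_db):
    """Server side. secret_db maps user -> plaintext password, as a
    saslpasswd-style database must: the HMAC key is the password itself,
    so a one-way crypt(3) hash from the UNIX password file cannot be used."""
    try:
        username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    except (ValueError, UnicodeDecodeError):
        return False
    password = secret_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def rfc2195_known_answer():
    """The worked example from RFC 2195 (user tim, password tanstaaftanstaaf);
    returns the hex digest the client must produce for that challenge."""
    challenge = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    resp = cram_md5_response("tim", "tanstaaftanstaaf", challenge)
    return base64.b64decode(resp).decode().split(" ")[1]


if __name__ == "__main__":
    host = "mx.example.org"            # constructed
    db = {"leo": "correct horse"}      # constructed plaintext secret store
    for tls in (False, True):
        print("tls=%s -> AUTH %s" % (tls, advertised_mechanisms(ehlo_response(host, tls, True))))
    chal = cram_md5_challenge(host)
    resp = cram_md5_response("leo", "correct horse", chal)
    print("S: 334 " + chal)
    print("C: " + resp)
    print("S: 235 ok" if cram_md5_verify(resp, chal, db) else "S: 535 failed")
    print("RFC 2195 digest:", rfc2195_known_answer())
```

Run stand-alone, the script prints the capability list for a cleartext and an encrypted session, one CRAM-MD5 exchange with both sides' messages, and the RFC 2195 digest. The verify step makes the message's "plaintext in hand" point concrete: `secret_db` has to hold the password itself, which is why sendmail reads it from the saslpasswd file rather than from the hashed UNIX password database.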
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D300FD4.7479A8E5>