From: Matthew Seaman
To: Scott Hiemstra
Cc: freebsd-questions@freebsd.org
Date: Wed, 4 Jun 2003 08:07:54 +0100
Subject: Re: sendmail AUTH_OPTIONS
Message-ID: <20030604070754.GA88489@happy-idiot-talk.infracaninophile.co.uk>
References: <20030603232527.M66444@enabled.com>

On Tue, Jun 03, 2003 at 07:47:54PM -0400, Scott Hiemstra wrote:
> Noah,
>
> I'm no sendmail expert, I prefer qmail myself but with some creative
> googling I found this which I believe will answer your question.
>
> http://www.sendmail.org/m4/tweaking_config.html#confAUTH_OPTIONS

That is a good resource (essentially a HTML-ized version of
/usr/share/sendmail/cf/README), but the original poster might find
this chunk out of /usr/share/doc/smm/08.sendmailop/paper.ascii.gz more
useful:

    AuthOptions   [no short name] List of options for SMTP AUTH
                  consisting of single characters with intervening
                  white space or commas.

                  A   Use the AUTH= parameter for the MAIL FROM
                      command only when authentication succeeded.
                      This can be used as a workaround for broken
                      MTAs that do not implement RFC 2554 correctly.
                  a   protection from active (non-dictionary)
                      attacks during authentication exchange.
                  c   require mechanisms which pass client
                      credentials, and allow mechanisms which can
                      pass credentials to do so.
                  d   don't permit mechanisms susceptible to
                      passive dictionary attack.
                  f   require forward secrecy between sessions
                      (breaking one won't help break next).
                  p   don't permit mechanisms susceptible to simple
                      passive attack (e.g., PLAIN, LOGIN), unless a
                      security layer is active.
                  y   don't permit mechanisms that allow anonymous
                      login.

                  The first option applies to sendmail as a client,
                  the others to a server. Example:

                      O AuthOptions=p,y

                  would disallow ANONYMOUS as AUTH mechanism and
                  would allow PLAIN and LOGIN only if a security
                  layer (e.g., provided by STARTTLS) is already
                  active. The options 'a', 'c', 'd', 'f', 'p', and
                  'y' refer to properties of the selected SASL
                  mechanisms. Explanations of these properties can
                  be found in [...] the Cyrus SASL documentation.

So the OP's sendmail.mc file extract:

    define(`confAUTH_OPTIONS', `A p')dnl

is absolutely fine.
Either commas or spaces can be used to separate the options,
so he could use the equivalent:

    define(`confAUTH_OPTIONS', `A,p')dnl

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                 26 The Paddocks
                                                Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey   Marlow
Tel: +44 1628 476614                            Bucks., SL7 1TH UK
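
An added example, not part of the original message and not sendmail's own code: a Python check that extracts confAUTH_OPTIONS from the text of a sendmail.mc, accepts both separators described above, skips defines commented out with dnl, and reports when 'p' or 'y' is absent. The function names and the sample .mc text are constructed for illustration, and the dnl handling is a line-based approximation of m4.

```python
import re

# Option letters and meanings, as listed in the operations guide excerpt above.
KNOWN_FLAGS = {
    "A": "client: use AUTH= on MAIL FROM only when authentication succeeded",
    "a": "protection from active (non-dictionary) attacks",
    "c": "require mechanisms which pass client credentials",
    "d": "no mechanisms susceptible to passive dictionary attack",
    "f": "require forward secrecy between sessions",
    "p": "no PLAIN/LOGIN unless a security layer is active",
    "y": "no mechanisms that allow anonymous login",
}

# define(`confAUTH_OPTIONS', `...') in m4 quoting; group 1 is the option string.
DEFINE_RE = re.compile(r"define\(\s*`confAUTH_OPTIONS'\s*,\s*`([^']*)'\s*\)")

def parse_auth_options(mc_text):
    """Return the flags of the last active confAUTH_OPTIONS define, or None."""
    # Line-based approximation of m4: 'dnl' discards the rest of the line,
    # so a define that follows 'dnl' on the same line is commented out.
    active = re.sub(r"\bdnl\b.*", "", mc_text)
    values = DEFINE_RE.findall(active)
    if not values:
        return None
    # Single characters separated by white space or commas; last define wins.
    return [tok for tok in re.split(r"[,\s]+", values[-1]) if tok]

def audit(mc_text):
    """Return (flags, findings) for the text of a sendmail.mc file."""
    flags = parse_auth_options(mc_text)
    if flags is None:
        return None, ["confAUTH_OPTIONS is not defined in this file"]
    findings = [f"unknown option {tok!r}" for tok in flags if tok not in KNOWN_FLAGS]
    if "p" not in flags:
        findings.append("'p' absent: PLAIN/LOGIN not tied to an active security layer")
    if "y" not in flags:
        findings.append("'y' absent: anonymous-login mechanisms not excluded")
    return flags, findings

# Constructed sample input (not a real host's configuration).
SAMPLE_MC = """\
dnl define(`confAUTH_OPTIONS', `p,y')dnl
define(`confAUTH_OPTIONS', `A p')dnl
"""

if __name__ == "__main__":
    flags, findings = audit(SAMPLE_MC)
    for tok in flags or []:
        print(f"{tok}: {KNOWN_FLAGS.get(tok, 'unknown')}")
    for finding in findings:
        print("finding:", finding)
```

The findings describe only what AuthOptions restricts; which mechanisms the server actually offers also depends on the SASL configuration.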