Date:      Fri, 12 Jul 2002 21:42:26 -0700
From:      Terry Lambert <tlambert2@mindspring.com>
To:        Leo Bicknell <bicknell@ufp.org>
Cc:        freebsd-arch@freebsd.org, louie@TransSys.COM, listsub@rambo.simx.org, leifn@neland.dk
Subject:   Re: Mail subsystem defaults, adding authentication.
Message-ID:  <3D2FAFB2.E2E9CF36@mindspring.com>
References:  <20020713034725.GB47677@ussenterprise.ufp.org>

Leo Bicknell wrote:
> So, I would like comments on the following issues:
> 
> 1) Is it desirable to provide a default install for which SMTP AUTH
>    against the password file works?

Yes.  But it's not possible without destroying the ability of
the default install to run over port 25.  The contents of the
crypt-encrypted password are one-way hashed with an externally
unrecoverable salt.  The net effect of this is that you can not
use crypt-based passwords unless they are encrypted for
comparison on the server -- which means passing them over the
wire as plaintext.  You *force* the use of SSL, if this is
enabled.


> 2) If yes to #1, is including the cyrus-sasl port in the base
>    distribution the best way to get a SASL library?  [Included
>    in this is license issues, code quality issues, etc.]  If it
>    is not the best, is there a better choice?

You would have to use SMTP over SSL, *NOT* "STARTTLS", and then
enforce its use if "SMTP AUTH" is to be used, to make sending
passwords in the clear acceptable due to the secure link.

You are almost better off simply using SMTP over SSL, and
permitting connections only to certificated clients, at which
point you can just sign the client certificates and be done
with it, without using the "SMTP AUTH" approach at all.

An alternate approach would be to use the crypted passwords,
with the salt being passed as a part of the SASL dialog, so the
crypted password could be passed.  This would be less painful,
overall, for the server (clients outnumber servers by a large
margin), but... it would require client modification, and the
definition of an "x-crypt" authentication type (and/or a full
RFC process to define it without the "-x").

The OpenLDAP list archives are quite extensive on this subject,
as are the Cyrus list archives, and the Sendmail list archives,
where there has been a similar desire to use the standard UNIX
authentication mechanism with SASL.

PAM has the same problem, if it's any consolation.

-- Terry

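The following is an added example, not part of the thread above, showing in code the three points Terry makes: a crypt-style one-way salted hash can be checked against a plaintext password (PLAIN/LOGIN, which is why the link then has to be SSL), it cannot be checked against a CRAM-MD5 style challenge response, and the "x-crypt" idea (salt sent to the client, client returns the crypted value) verifies without plaintext on the wire. The `crypt_like` function is an assumed stand-in for crypt(3), not crypt itself, and the challenge string is constructed.

```python
import hashlib
import hmac
import secrets


def crypt_like(password: str, salt: str) -> str:
    # Assumed stand-in for crypt(3): salted, one-way, returns "salt$digest".
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def store_password(password: str) -> str:
    # What the password file keeps: only the salted one-way hash.
    return crypt_like(password, secrets.token_hex(4))


def verify_plain(stored: str, password_on_wire: str) -> bool:
    # PLAIN/LOGIN style: the client sends the plaintext, the server re-hashes
    # it with the stored salt.  Works with crypt hashes, but the password
    # itself crosses the wire, hence the need for SSL.
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(crypt_like(password_on_wire, salt), stored)


def cram_response(secret: str, challenge: bytes) -> str:
    # CRAM-MD5 style response: HMAC of the server challenge keyed by the
    # shared secret the client knows (the real password).
    return hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()


def verify_cram_with_hash_only(stored: str, challenge: bytes, response: str) -> bool:
    # The server holds only the one-way hash, so the best it can do is key
    # the HMAC with that hash.  That never matches a client keyed by the
    # plaintext password: the stored form cannot be used for CRAM.
    return hmac.compare_digest(cram_response(stored, challenge), response)


def xcrypt_verify(stored: str, client_password: str) -> tuple[bool, str]:
    # "x-crypt" idea from the message: the server hands the salt to the
    # client, the client returns crypt(password, salt), and the server
    # compares against the stored value.  No plaintext on the wire, but the
    # stored hash is now itself a password-equivalent if it leaks.
    salt = stored.split("$", 1)[0]
    sent_on_wire = crypt_like(client_password, salt)
    return hmac.compare_digest(sent_on_wire, stored), sent_on_wire
```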