Date: Sat, 23 Nov 2013 05:00:55 -0700 (MST)
From: Mike Brown <mike@skew.org>
To: freebsd-doc@freebsd.org
Subject: Proposal to move Sendmail encryption info to Electronic Mail chapter
Message-ID: <201311231200.rANC0uBT001346@chilled.skew.org>
In the Security chapter, the section 14.8.2 (OpenSSL - Using Certificates) currently just gives one example: using certificates to enable the "STARTTLS" SMTP command in Sendmail, for the purpose of establishing an encrypted connection that hides cleartext passwords sent during authentication (which occurs via the "AUTH" command, if the PLAIN or LOGIN methods are used).

This text in 14.8.2 fails to mention the crucial prerequisite that to enable STARTTLS, regardless of whether it's for AUTH, Sendmail must be built with SASL support. Rebuilding Sendmail with SASL support in order to enable AUTH is discussed in the Electronic Mail chapter, section 27.9.

Given that Sendmail must be rebuilt with SASL support for both AUTH and STARTTLS, I feel that it would be ideal to combine the two sections by moving the Sendmail configuration info out of 14.8.2 and into 27.9.

This combined "SMTP Authentication and Encryption" section can begin by explaining that FreeBSD's stock Sendmail is not built with SASL support, which is needed for both authentication and encryption. It can then explain that in order to get SASL support, either:

* Install the mail/sendmail-sasl port (which then requires editing /etc/mail/mailer.conf and /etc/make.conf to fully replace the system's sendmail)

or

* If you have system source code in /usr/src, [insert steps 1, 4 & 5 from the current section on SMTP Authentication]. This will install the security/cyrus-sasl2 port, modify /etc/make.conf, and rebuild Sendmail.

Then we can have a subsection on enabling SMTP Authentication (as covered by steps 2, 3, 6 & 7 in the current text), and we can have a subsection on enabling STARTTLS (using what's currently in section 14.8.2). This latter section would link back to 14.8.1 for an overview of certificate generation.

If we proceed, then 14.8.2 will not have much left in it. It can either be removed, or (my preference) it can begin as it does, but link to section 27.9 for details.

It could also mention another example use for certificates: enabling HTTPS in Apache HTTPD with mod_ssl or mod_gnutls... not that such content has yet been written.

So, does this proposal sound reasonable?
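As an added example (not part of Mike's message or of the Handbook sections it discusses), the following sh script checks whether an installed sendmail binary was compiled with the build-time features the message says AUTH and STARTTLS depend on, so a reader can tell before editing /etc/mail/mailer.conf or /etc/make.conf whether a rebuild is actually needed. It assumes the "Compiled with:" banner that `sendmail -d0.1 -bv root` prints; the two sample banners embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: check whether a sendmail binary was compiled with SASLv2
# and STARTTLS, the features the message ties to AUTH and STARTTLS support.
# The feature list is taken from the "Compiled with:" banner that
# `sendmail -d0.1 -bv root` prints. The banners below are constructed samples.

# Print the "Compiled with:" features, one per line, from a banner on stdin.
# The list may continue over several indented lines and ends at the first
# blank line or at the next "====" section header.
sendmail_features() {
    awk '
        /Compiled with:/ { inlist = 1; sub(/.*Compiled with:/, "") }
        inlist && (NF == 0 || /^=/) { inlist = 0 }
        inlist { for (i = 1; i <= NF; i++) print $i }
    '
}

# Succeed (exit 0) only if every feature named as an argument appears in the
# banner on stdin; name the first missing one on stderr.
requires_features() {
    feats=$(sendmail_features)
    for want in "$@"; do
        if ! printf '%s\n' "$feats" | grep -qx -- "$want"; then
            echo "missing compiled-in feature: $want" >&2
            return 1
        fi
    done
    return 0
}

# Run the check against whichever sendmail the mailwrapper currently selects
# through /etc/mail/mailer.conf. Returns 2 if no sendmail is in PATH.
check_installed_sendmail() {
    if ! command -v sendmail >/dev/null 2>&1; then
        echo "sendmail not found in PATH" >&2
        return 2
    fi
    sendmail -d0.1 -bv root 2>&1 | requires_features SASLv2 STARTTLS
}

# Constructed sample banner: a build with STARTTLS but without SASL support.
SAMPLE_NO_SASL='Version 8.14.x
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SCANF
                STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============'

# Constructed sample banner: the same build after adding SASLv2.
SAMPLE_WITH_SASL='Version 8.14.x
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING SASLv2
                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============'

# Demonstrate on the two samples, then on the real binary if one is installed.
printf '%s\n' "$SAMPLE_NO_SASL" | requires_features SASLv2 STARTTLS \
    && echo "sample 1: ok" || echo "sample 1: rebuild with SASL needed"
printf '%s\n' "$SAMPLE_WITH_SASL" | requires_features SASLv2 STARTTLS \
    && echo "sample 2: ok" || echo "sample 2: rebuild with SASL needed"
check_installed_sendmail \
    && echo "installed sendmail: ok" \
    || echo "installed sendmail: missing a feature, or no sendmail found"
```

The check deliberately goes through the mailwrapper rather than a hard-coded path, because after installing mail/sendmail-sasl the binary that actually answers on port 25 is whichever one /etc/mail/mailer.conf points at; verifying the wrong binary is the easiest way to believe a rebuild worked when it did not.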
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201311231200.rANC0uBT001346>