From owner-freebsd-current Sun Aug 13 14:26:19 2000
Date: Sun, 13 Aug 2000 23:25:39 +0200 (CEST)
From: Johan Granlund
To: Hajimu UMEMOTO
Cc: Kurt@OpenLDAP.org, gshapiro@FreeBSD.ORG, hetzels@westbend.net, freebsd-current@FreeBSD.ORG
Subject: Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
In-Reply-To: <20000814.014009.55515200.ume@mahoroba.org>

On Mon, 14 Aug 2000, Hajimu UMEMOTO wrote:

> >>>>> On Sun, 13 Aug 2000 09:20:05 -0700
> >>>>> "Kurt D. Zeilenga" said:
>
> Kurt> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> >I think we have to support rfc2554 authentication (With MECH LOGIN for
> >Outlook) out of the box if we are serious about mailserver and security.
>
> Kurt> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> Kurt> unless adequate privacy protections are in place. If you're serious
> Kurt> about standards, you won't support LOGIN.
>
> I think so.
> Even worse, once PLAIN is activated by sendmail, Netscape tries to
> use AUTH anyway. If the user isn't registered in SASL db, the
> user cannot send mail anymore. That is, once you decide to use PLAIN,
> you must register all of your users in SASL db.

I agree that PLAIN/LOGIN should not be enabled by default as it is
inherently insecure and should not be encouraged.
It can easily be enabled in a custom .mc file, if wanted, with

define(`confAUTH_MECHANISMS', `')dnl
define(`confTRUST_AUTH_MECH', `')dnl

The snag is that it has to be enabled in the build of the SASL library.
The same with KerberosIV and GSSAPI depending on what is installed.

N.B. This is for 8.10. I haven't looked if it has changed for 8.11.

If authentication is enabled with SASL, support should be added to
adduser/rmuser, or we will have a support bomb when locally defined users
can't send mail remotely.

>
> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> ume@mahoroba.org ume@bisd.hitachi.co.jp ume@FreeBSD.org
> http://www.imasy.org/~ume/
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
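
Added example, not part of the original thread: a small Python check for the condition Kurt describes, that LOGIN or PLAIN is advertised in the RFC 2554 AUTH line of an EHLO reply while the session has no privacy protection. The function names and the sample reply (host names included) are constructed for illustration.

```python
import re

# Mechanisms that put the password on the wire (base64 is encoding, not encryption).
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Parse a multi-line EHLO reply into {KEYWORD: [PARAMS]}.

    Accepts "250-AUTH LOGIN PLAIN" and the legacy "250-AUTH=LOGIN PLAIN"
    form that some servers also emit for older clients.
    """
    ext = {}
    for line in reply.strip().splitlines()[1:]:   # first line is the greeting
        m = re.match(r"250[- ](\S.*)$", line.strip())
        if not m:
            continue
        text = re.sub(r"^AUTH=", "AUTH ", m.group(1), flags=re.I)
        words = text.split()
        ext.setdefault(words[0].upper(), []).extend(w.upper() for w in words[1:])
    return ext

def audit(reply, tls_active):
    """Report which cleartext mechanisms are offered without a TLS layer."""
    ext = parse_ehlo(reply)
    mechs = set(ext.get("AUTH", []))
    exposed = [] if tls_active else sorted(mechs & CLEARTEXT_MECHS)
    return {
        "mechanisms": sorted(mechs),
        "starttls_offered": "STARTTLS" in ext,
        "cleartext_exposed": exposed,
    }

# Constructed sample: what a server might answer to EHLO before STARTTLS.
SAMPLE_PRE_TLS = (
    "250-mail.example.org Hello client.example.org\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\r\n"
    "250-AUTH=LOGIN PLAIN\r\n"
    "250 HELP\r\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE_PRE_TLS, tls_active=False))
```

A non-empty `cleartext_exposed` list means clients that pick LOGIN or PLAIN on that session send reusable credentials unprotected; the same reply seen after STARTTLS has completed is reported as not exposed.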