From owner-freebsd-hackers Thu Dec 20 6:45:19 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from ussenterprise.ufp.org (ussenterprise.ufp.org [208.185.30.210])
	by hub.freebsd.org (Postfix) with ESMTP id 5CEED37B417
	for ; Thu, 20 Dec 2001 06:45:16 -0800 (PST)
Received: (from bicknell@localhost)
	by ussenterprise.ufp.org (8.11.1/8.11.1) id fBKEirl94148;
	Thu, 20 Dec 2001 09:44:53 -0500 (EST)
	(envelope-from bicknell)
Date: Thu, 20 Dec 2001 09:44:53 -0500
From: Leo Bicknell
To: "Louis A. Mamakos" , Dominic Mitchell
Cc: "Roger 'Rocky' Vetterberg" , freebsd-hackers@FreeBSD.ORG, Yung-Sheng Tang
Subject: Re: sendmail + auth + ssl + freebsd
Message-ID: <20011220144453.GA93793@ussenterprise.ufp.org>
Mail-Followup-To: "Louis A. Mamakos" , Dominic Mitchell , Roger 'Rocky' Vetterberg , freebsd-hackers@FreeBSD.ORG, Yung-Sheng Tang
References: <20011220022654.GA78232@ussenterprise.ufp.org> <3C215040.9080404@rambo.simx.org> <200112200443.fBK4h4791394@whizzo.transsys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200112200443.fBK4h4791394@whizzo.transsys.com>
Organization: United Federation of Planets
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In a message written on Wed, Dec 19, 2001 at 11:43:04PM -0500, Louis A. Mamakos wrote:
> You have to generate a public key certificate and have the private
> key available to the sendmail daemon before it will do the STARTTLS
> thing.
>
> I've got a shell script around there that signs a certificate with a
> bogus CA which enables the use of STARTTLS. You can't validate the
> other end of the connection, but at least it negotiates an encrypted
> session.

This all seems to make sense, and mirrors the SSL web stuff fairly
closely in steps, which only makes sense.
From another suggestion, on a FreeBSD-stable box:

%sendmail -bv -d0.13 postmaster
Version 8.11.6
 Compiled with: MAP_REGEX LOG MATCHGECOS MIME7TO8 MIME8TO7 NAMED_BIND NETINET
		NETINET6 NETUNIX NEWDB NIS QUEUE SCANF SMTP STARTTLS TCPWRAPPERS
		USERDB XDEBUG

So STARTTLS is compiled into the base binary. Add to that:

%strings /usr/libexec/sendmail/sendmail | grep SSL | wc -l
      56

And it would seem all the SSL bits are there; I think I will play with
that.

In a message written on Thu, Dec 20, 2001 at 01:58:53PM +0000, Dominic Mitchell wrote:
> There are also details given in /etc/defaults/make.conf on my
> 4.4-STABLE system, although that file appears to have gone from
> current...
>
> # Setting the following variables modifies the build environment for
> # sendmail and its related utilities. For example, SASL support can be
> # added with settings such as:
> #
> # SENDMAIL_CFLAGS=-I/usr/local/include/sasl -DSASL
> # SENDMAIL_LDFLAGS=-L/usr/local/lib
> # SENDMAIL_LDADD=-lsasl

It appears that this would enable SMTP AUTH with SASL. Are there any
plans to make SASL part of the base distribution so this could be made
the default?

I, for one, think it would be really cool if saying sendmail="YES" in
/etc/rc.conf gave you a sendmail that could authenticate against the
password file and, if you gave it a certificate, do SSL. I think that
would get a lot more people interested in both options.

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
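The "bogus CA" recipe Louis describes, followed by the sendmail.mc lines that point a STARTTLS-capable sendmail (8.11 and later) at the resulting files, as an added example that is not part of the thread and not Louis's script. It assumes a modern openssl(1); the directory /etc/mail/certs, the CA name and the host name are hypothetical placeholders. The m4 macro names (confCACERT_PATH, confCACERT, confSERVER_CERT, confSERVER_KEY, confCLIENT_CERT, confCLIENT_KEY) are sendmail's own, documented in its cf/README.

```shell
#!/bin/sh
# Added example, not from the thread: build a private ("bogus") CA, sign a
# server certificate with it, and print the sendmail.mc definitions that
# enable STARTTLS with those files. Directory, CA name and host name are
# hypothetical placeholders; openssl(1) is assumed to be a modern release.
set -eu

# gen_certs DIR HOSTNAME
# Creates ca.pem/ca.key (private CA) and cert.pem/key.pem (server
# certificate signed by that CA) under DIR. Peers do not trust this CA,
# so they cannot authenticate us; STARTTLS still negotiates encryption.
gen_certs() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    # 1. Self-signed CA certificate and key (10 years).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=bogus-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # 2. Server key and certificate signing request, CN = mail host name.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/key.pem" -out "$dir/server.csr" 2>/dev/null
    # 3. Sign the request with the CA (1 year).
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
    rm -f "$dir/server.csr"
    # sendmail's safety checks reject a private key that is group or world
    # readable (unless DontBlameSendmail is relaxed), so lock both keys down.
    chmod 600 "$dir/key.pem" "$dir/ca.key"
}

# verify_chain DIR
# Returns 0 when cert.pem chains to ca.pem, i.e. the files we will hand
# to sendmail are consistent with each other.
verify_chain() {
    openssl verify -CAfile "$1/ca.pem" "$1/cert.pem" >/dev/null 2>&1
}

# mc_define MACRO VALUE: one m4 define() line with sendmail's quoting.
mc_define() {
    printf "define(\`%s', \`%s')dnl\n" "$1" "$2"
}

# mc_snippet DIR
# Prints the lines to add to sendmail.mc before rebuilding sendmail.cf.
# Server and client cert/key are the same files here; the client pair is
# only needed if this host should also offer a certificate when relaying.
mc_snippet() {
    dir=$1
    mc_define confCACERT_PATH "$dir"
    mc_define confCACERT      "$dir/ca.pem"
    mc_define confSERVER_CERT "$dir/cert.pem"
    mc_define confSERVER_KEY  "$dir/key.pem"
    mc_define confCLIENT_CERT "$dir/cert.pem"
    mc_define confCLIENT_KEY  "$dir/key.pem"
}

# Usage: sh starttls-bogus-ca.sh /etc/mail/certs mail.example.org
if [ "${1:-}" ] && [ "${2:-}" ]; then
    gen_certs "$1" "$2"
    verify_chain "$1"
    mc_snippet "$1"
fi
```

After appending the printed lines to sendmail.mc and regenerating sendmail.cf, a `sendmail -bv -d0.13` build that lists STARTTLS will advertise it in its EHLO response. Because the CA is private, remote MTAs get an encrypted session but no assurance of who they are talking to; replacing ca.pem with a certificate from a CA the peers already trust is what turns that into authentication.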