From owner-freebsd-current Sun Aug 13 9:22:12 2000
Delivered-To: freebsd-current@freebsd.org
Received: from infidel.boolean.net (router.boolean.net [198.144.206.49]) by hub.freebsd.org (Postfix) with ESMTP id B213537B94E; Sun, 13 Aug 2000 09:22:08 -0700 (PDT) (envelope-from Kurt@OpenLDAP.org)
Received: from gypsy.OpenLDAP.org (gypsy.boolean.net [198.144.202.243]) by infidel.boolean.net (8.9.3/8.9.3) with ESMTP id QAA21984; Sun, 13 Aug 2000 16:22:03 GMT (envelope-from Kurt@OpenLDAP.org)
Message-Id: <4.3.2.7.0.20000813091232.00af8800@router.boolean.net>
X-Sender: guru@router.boolean.net
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Sun, 13 Aug 2000 09:20:05 -0700
To: Johan Granlund
From: "Kurt D. Zeilenga"
Subject: Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
Cc: Gregory Neil Shapiro, "Scot W. Hetzel", freebsd-current@FreeBSD.ORG
In-Reply-To:
References: <14741.55147.202130.156007@horsey.gshapiro.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
>I think we have to support rfc2554 authentication (With MECH LOGIN for
>Outlook) out of the box if we are serious about mailserver and security.

If you're serious about security, you shouldn't support LOGIN (or PLAIN) unless adequate privacy protections are in place. If you're serious about standards, you won't support LOGIN.

Given that OpenSSL is in the base system, there is little reason not to support BOTH StartTLS and SASL "out of the box". I would suggest the authentication defaults be relatively secure, as in "noplain,noanonymous". This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.

>A make.conf knob to use a user-installed library may create problems with
>different versions of Cyrus-SASL. I had some problems with that when
>upgrading my mailservers to Sendmail 8.10.
I'd recommend bringing Cyrus-SASL into the base system eventually under the same rationale used to bring OpenSSL in.

Kurt
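
An added example, not part of the original message and not sendmail or Cyrus-SASL code: a simplified Python model of the "noplain,noanonymous" default suggested above, showing that PLAIN and LOGIN are only offered once StartTLS is active. The mechanism table, the function names and the key-strength values are assumptions made for the illustration.

```python
# Simplified model of SASL mechanism filtering for SMTP AUTH (assumption:
# not sendmail or Cyrus-SASL source; names and table are constructed).

# Constructed table: does the mechanism send a reusable cleartext secret,
# and does it allow anonymous access?
MECHS = {
    "PLAIN":      {"plaintext": True,  "anonymous": False},
    "LOGIN":      {"plaintext": True,  "anonymous": False},
    "ANONYMOUS":  {"plaintext": False, "anonymous": True},
    "CRAM-MD5":   {"plaintext": False, "anonymous": False},
    "DIGEST-MD5": {"plaintext": False, "anonymous": False},
}
KNOWN_PROPS = {"noplain", "noanonymous"}


def parse_secprops(spec):
    """Turn 'noplain,noanonymous' into a set, rejecting unknown keywords."""
    props = {p.strip() for p in spec.split(",") if p.strip()}
    unknown = props - KNOWN_PROPS
    if unknown:
        raise ValueError("unknown security property: %s" % sorted(unknown))
    return props


def advertised(spec, tls_ssf):
    """Mechanisms offered for a session; tls_ssf is the TLS key strength
    in bits, 0 meaning STARTTLS has not been negotiated."""
    props = parse_secprops(spec)
    if tls_ssf > 1:
        # An encrypted channel protects the cleartext exchange, so the
        # noplain restriction no longer excludes PLAIN/LOGIN.
        props.discard("noplain")
    return [name for name, m in MECHS.items()
            if not ("noplain" in props and m["plaintext"])
            and not ("noanonymous" in props and m["anonymous"])]


def auth_reply(mech, spec, tls_ssf):
    """SMTP reply code for 'AUTH <mech>' (334 = continue, per RFC 2554)."""
    mech = mech.upper()
    if mech in advertised(spec, tls_ssf):
        return 334
    # Known cleartext mechanism refused only for lack of encryption -> 538.
    if mech in advertised(spec, tls_ssf=128):
        return 538
    return 504  # mechanism not supported or disabled by policy


if __name__ == "__main__":
    for ssf in (0, 128):
        print(ssf, advertised("noplain,noanonymous", ssf))
```

With an empty property string the model offers every mechanism in the table on an unencrypted session, which is the situation the suggested default is meant to avoid.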