From owner-freebsd-current Sun Aug 13 10:18:43 2000
Delivered-To: freebsd-current@freebsd.org
Received: from daemon.solid.se (daemon.solid.se [193.15.190.194])
	by hub.freebsd.org (Postfix) with ESMTP
	id B168F37B585; Sun, 13 Aug 2000 10:18:37 -0700 (PDT)
	(envelope-from johan@granlund.nu)
Received: from phoenix.granlund.nu (t5o90p82.telia.com [213.64.7.82])
	(authenticated)
	by daemon.solid.se (8.10.1/8.10.1) with ESMTP id e7DHIWm01326;
	Sun, 13 Aug 2000 19:18:33 +0200 (CEST)
Received: from localhost (johan@localhost)
	by phoenix.granlund.nu (8.10.1/8.10.1) with ESMTP id e7DHIIM88664;
	Sun, 13 Aug 2000 19:18:20 +0200 (CEST)
Date: Sun, 13 Aug 2000 19:18:18 +0200 (CEST)
From: Johan Granlund
To: "Kurt D. Zeilenga"
Cc: Gregory Neil Shapiro, "Scot W. Hetzel", freebsd-current@FreeBSD.ORG
Subject: Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
In-Reply-To: <4.3.2.7.0.20000813091232.00af8800@router.boolean.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 13 Aug 2000, Kurt D. Zeilenga wrote:

> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> >I think we have to support rfc2554 authentication (With MECH LOGIN for
> >Outlook) out of the box if we are serious about mailserver and security.
>
> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> unless adequate privacy protections are in place.  If you're serious
> about standards, you won't support LOGIN.

Tell that to Microsoft! They only support LOGIN and the users (god bless
them) won't change to another client.

>
> Given that OpenSSL is in the base system, there is little reason not
> to support BOTH StartTLS and SASL "out of the box".  I would suggest
> the authentication defaults be relatively secure, as in "noplain,noanonymous".
> This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.

Works for me.
I _have_ to keep OE5 working somehow until they start supporting a better
mechanism, _Then_ I can ditch LOGIN.

>
> >A make.conf knob to use a user-installed library may create problems with
> >different versions of Cyrus-SASL. I had some problems with that when
> >upgrading my mailservers to Sendmail 8.10.
>
> I'd recommend bringing Cyrus-SASL into the base system eventually
> under the same rationale used to bring OpenSSL in.

I agree.

/Johan

>
> 	Kurt
>
>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
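
A check of the policy discussed in this thread (PLAIN/LOGIN reachable only once StartTLS is active, no ANONYMOUS), as an added example that is not part of the original mail or of sendmail: it audits a server's EHLO replies captured before and after STARTTLS. The function names are hypothetical, and the hostnames and reply text are constructed samples.

```python
import re

CLEARTEXT = {"PLAIN", "LOGIN"}  # mechanisms that send the password unprotected

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: set(params)}."""
    ext = {}
    for line in reply.strip().splitlines()[1:]:  # line 0 is the greeting
        m = re.match(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)", line.strip())
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        # Also folds in the older "AUTH=" keyword form that some servers
        # advertise for legacy clients.
        ext.setdefault(m.group(1).upper(), set()).update(m.group(2).upper().split())
    return ext

def audit(before_tls, after_tls):
    """Return policy findings for EHLO replies seen before and after STARTTLS."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    exposed = CLEARTEXT & pre.get("AUTH", set())
    if exposed:
        findings.append("cleartext AUTH without TLS: " + ", ".join(sorted(exposed)))
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered")
    if "ANONYMOUS" in pre.get("AUTH", set()) | post.get("AUTH", set()):
        findings.append("ANONYMOUS offered")
    return findings

# Constructed sample replies (hostnames are placeholders).
WEAK = """250-mail.example.org Hello client.example.org
250-8BITMIME
250-AUTH LOGIN PLAIN DIGEST-MD5
250-AUTH=LOGIN PLAIN
250 HELP"""

HARDENED_PRE = """250-mail.example.org Hello client.example.org
250-8BITMIME
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5
250 HELP"""

HARDENED_POST = """250-mail.example.org Hello client.example.org
250-8BITMIME
250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5
250 HELP"""

if __name__ == "__main__":
    print(audit(WEAK, WEAK))
    print(audit(HARDENED_PRE, HARDENED_POST))
```

The hardened pair still lets a LOGIN-only client authenticate, but only inside the TLS session.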