From owner-freebsd-arch Sat Jul 13 18:46:05 2002
Delivered-To: freebsd-arch@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 23E6337B400 for ; Sat, 13 Jul 2002 18:46:02 -0700 (PDT)
Received: from ussenterprise.ufp.org (ussenterprise.ufp.org [208.185.30.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 76CB843E4A for ; Sat, 13 Jul 2002 18:46:01 -0700 (PDT) (envelope-from bicknell@ussenterprise.ufp.org)
Received: (from bicknell@localhost) by ussenterprise.ufp.org (8.11.1/8.11.1) id g6E1k0171060 for freebsd-arch@FreeBSD.ORG; Sat, 13 Jul 2002 21:46:00 -0400 (EDT) (envelope-from bicknell)
Date: Sat, 13 Jul 2002 21:46:00 -0400
From: Leo Bicknell
To: freebsd-arch@FreeBSD.ORG
Subject: Re: Mail subsystem defaults, adding authentication.
Message-ID: <20020714014600.GA70961@ussenterprise.ufp.org>
References: <20020713034725.GB47677@ussenterprise.ufp.org> <3D2FAFB2.E2E9CF36@mindspring.com> <20020713045704.GA49379@ussenterprise.ufp.org> <3D300FD4.7479A8E5@mindspring.com> <20020713132616.GB58979@ussenterprise.ufp.org> <20020713105528.A24650@zardoc.esmtp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020713105528.A24650@zardoc.esmtp.org>
Organization: United Federation of Planets
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

In a message written on Sat, Jul 13, 2002 at 10:55:28AM -0700, Claus Assmann wrote:
> AuthOptions
> ...
> Example:
>
> O AuthOptions=p,y
>
> would disallow ANONYMOUS as AUTH mechanism
> and would allow PLAIN only if a security
> layer (e.g., provided by STARTTLS) is
> already active.
....

Thanks. I found a document on the authoptions earlier, but it confused me more than it enlightened me. This, plus Greg's mail, makes a lot more things clear.
Tomorrow I'll write up a better summary with this new info. At the end of the day it looks like if we add cyrus-sasl, which is BSD licensed, then the default behavior will be unchanged, but it will be possible through a combination of rc.conf options, running saslpasswd, and/or running ssl key generation tools to do auth on a non-encrypted session using challenge response (against sasl passwords), or do auth against the password file (or any PAM method) over an ssl session.

Thus we could make it as simple as 'sendmail_auth="unix"' (or pam, or whatever) for an admin to allow end clients to starttls, auth, and securely send e-mail all with their existing credential. That is exactly what I want to promote. Hopefully people will agree, and we can get to the code details (which actually seem really simple).

-- 
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
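As an added illustration (not part of this thread and not FreeBSD's shipped configuration), the sendmail.mc lines that generate the `O AuthOptions=p,y` setting Claus describes, shown beside the permissive variant that an administrator might otherwise end up with; the certificate paths and the `/etc/mail/certs` directory are assumptions.

```m4
dnl --- Permissive variant (shown only to contrast; do not use as a default) ---
dnl With no AuthOptions, the server offers every mechanism SASL can provide,
dnl so PLAIN and LOGIN are accepted on a cleartext session and the password
dnl crosses the wire unprotected.
dnl
dnl define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

dnl --- Tightened variant, matching "O AuthOptions=p,y" from the message ---
dnl Mechanisms the server will advertise to clients.
define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl Mechanisms whose successful use lets the client relay through this host.
TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl p: refuse mechanisms open to simple passive attack (PLAIN, LOGIN) unless a
dnl    security layer such as STARTTLS is already active on the session.
dnl y: refuse mechanisms that allow anonymous login.
dnl Challenge-response mechanisms (CRAM-MD5, DIGEST-MD5) remain usable on a
dnl cleartext session, which is the split Leo describes above.
define(`confAUTH_OPTIONS', `p,y')dnl

dnl STARTTLS material so that a security layer can actually be negotiated.
dnl Paths below are assumed; substitute the site's real key and certificate.
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/key.pem')dnl
```

After regenerating sendmail.cf, `grep AuthOptions /etc/mail/sendmail.cf` should show the `p,y` line, and an EHLO on a cleartext session should list only the challenge-response mechanisms in the AUTH response, with PLAIN and LOGIN appearing only after STARTTLS.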