[ale] SMTP AUTH SASL

Bradley Glonka bradley at linuxcentral.com
Thu May 23 08:34:36 EDT 2002



Chris,

> > Red Hat has made it pretty easy to set up sendmail for SMTP AUTH.
> > From the sendmail.mc file:
> > 
> > define(`confAUTH_OPTIONS', `A')dnl
> > TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> > 
> > This works just fine and authenticates a user against a system account.
> > 
> > Can anyone confirm this is sent via plain text?  I'm pretty sure it is.
> > Assuming it is, how can SASL support some kind of encryption?
> 
> It might be, and it might not.  That configures sendmail to present AUTH 
> support via four different methods:  DIGEST-MD5, CRAM-MD5, LOGIN, and PLAIN.  
> Of those, the first two are encrypted and the latter two are plain-text 
> (login is actually base64-encoded, so really dumb sniffers won't decode it, 
> but for all practical purposes it's plain text).
> 
> That's what the server tells the client it supports.  What the client 
> actually uses is up to the client.  Some clients only support PLAIN / LOGIN 
> (most MS Outlook versions), and even for clients which support more, most 
> are dumb enough to choose the first negotiated protocol, not the best 
> negotiated protocol (so make sure your server presents them in order from 
> strongest to weakest, assuming you have to leave PLAIN and LOGIN enabled).
> 
> If you have to use PLAIN / LOGIN, the way to encrypt them is to use STARTTLS 
> so that the entire SMTP session after the EHLO is tunneled through TLS.
> 
> > Or how can I make it authenticate against /etc/sasldb?
> 
> look at /usr/lib/sasl/Sendmail.conf ; by default, it's configured to do PAM
> authentication on Red Hat

Thanks for your feedback on this.  I changed the Sendmail.conf file to
use sasldb.  Worked like a charm with Outlook.

Mozilla is not so charming :)  There is no password field in Mozilla for
SMTP Authentication.  So it sends the IMAP password.  Since this host is
serving both SMTP and IMAP.  The user is then authenticated with the
system password.  This is crazy 'cause I told sasl to use sasldb.  I'm
inquiring on the sasl list.

Thanks
Brad
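
An added example, not part of the original thread: a small Python audit of an EHLO response for the two points raised in the quoted reply (PLAIN/LOGIN offered outside TLS, and weaker mechanisms listed ahead of stronger ones), plus a decode of an AUTH PLAIN string to show that base64 hides nothing. The EHLO lines, host name and credentials are constructed samples, and the finding labels are this example's own.

```python
import base64

PLAINTEXT = {"PLAIN", "LOGIN"}            # password recoverable by a sniffer
CHALLENGE = {"DIGEST-MD5", "CRAM-MD5"}    # password itself never crosses the wire

def parse_ehlo(lines):
    """Return (AUTH mechanisms in advertised order, STARTTLS offered?)."""
    mechs, starttls = [], False
    for line in lines:
        words = line[4:].split()          # drop the "250-" / "250 " prefix
        if not line.startswith("250") or not words:
            continue
        if words[0].upper() == "AUTH":
            mechs = [w.upper() for w in words[1:]]
        elif words[0].upper() == "STARTTLS":
            starttls = True
    return mechs, starttls

def audit(lines, tls_active=False):
    """List findings for one EHLO response; tls_active means it was read after STARTTLS."""
    mechs, starttls = parse_ehlo(lines)
    findings = []
    if not tls_active and any(m in PLAINTEXT for m in mechs):
        findings.append("plaintext-before-tls" if starttls else "plaintext-no-tls")
    seen_plain = False
    for m in mechs:                       # matters for clients that take the first mechanism
        if m in PLAINTEXT:
            seen_plain = True
        elif m in CHALLENGE and seen_plain:
            findings.append("weak-listed-first")
            break
    return findings

def decode_auth_plain(b64):
    """AUTH PLAIN carries base64(authzid NUL authcid NUL password); return (user, password)."""
    _authzid, user, password = base64.b64decode(b64).split(b"\0")
    return user.decode(), password.decode()

# Constructed sample data (not captured from any real server).
EHLO_AS_CONFIGURED = ["250-mail.example.com Hello", "250-ENHANCEDSTATUSCODES",
                      "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN", "250 HELP"]
EHLO_BAD_ORDER = ["250-mail.example.com Hello", "250-STARTTLS",
                  "250 AUTH LOGIN PLAIN CRAM-MD5"]
SAMPLE_AUTH_PLAIN = base64.b64encode(b"\0user\0example-password").decode()

if __name__ == "__main__":
    print(audit(EHLO_AS_CONFIGURED))
    print(audit(EHLO_BAD_ORDER))
    print(decode_auth_plain(SAMPLE_AUTH_PLAIN))
```
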

