Re: [Nmh-workers] modernizing smtp message submission
From: Michael Richardson
Subject: Re: [Nmh-workers] modernizing smtp message submission
Date: Thu, 03 Jul 2014 22:44:43 -0400
Lyndon Nerenberg <address@hidden> wrote:
> Submission on port 587 mandates the use of AUTH. This implies we need
> to default to building with SASL support. That means compiling with
> the Cyrus SASL library. But that might not be available. As a fallback
> we could include an internal version of SASL PLAIN. But cleartext
> passwords are evil, therefore we need to build with STARTTLS support.
> Etc.
My take is that if the SASL library is not available, then you don't get
port 587 submission support... you have to use the /usr/sbin/sendmail interface.
I didn't think that 587 requires AUTH; I was pretty sure that I have used
submit on localhost, and my recollection is that /usr/sbin/sendmail (actual
sendmail) started using port localhost:587 rather than going directly to
disk a decade ago... not sure.. postfix has been my go-to for years now.
> This brings us into line with the behaviour of most other MUAs.
> mts.conf (and .mh_profile) are also in need of an overhaul to be able
> to express the permutations of tls/sasl/auth settings and credentials.
> I haven't given this a lot of thought yet, but I think it's critical
> for users to be able to express enough policy to allow things like
> mandating TLS encryption (regardless of SASL mech), enforce per-server
> SASL mechs, auth credentials, etc. I don't know that the current
> config file formats are at all amenable to that ...
agreed.
> If anyone has any thoughts about how to express the various security
> policies in the config files, please speak up. Based on my experiences
> dealing with this in lots of other software (as an end-user) I have a
> good idea of what *doesn't* work, but I'm still far far away from the
> epiphany of good clean configuration syntax for these sorts of policy
> decisions.
fetchmail, which clearly goes in the opposite direction, seems to have a
reasonable configuration set here.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] address@hidden http://www.sandelman.ca/ | ruby on rails [
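The policy decisions discussed in this thread (mandate TLS regardless of SASL mechanism, pin per-server mechanisms, never send a cleartext password) as an added example that is not nmh's code and not its mts.conf or .mh_profile format: a small per-server policy, a parser for a constructed "submit:" line syntax, an EHLO capability parser, and one decision function the client would call after every EHLO, both before and after STARTTLS. The "submit:" keys, the host names and the EHLO replies are assumptions constructed for the example.

```python
"""Submission security policy for an SMTP client (added example, not nmh code).

The "submit:" line syntax, host names and EHLO replies below are constructed
for this example; they are not nmh's mts.conf format.
"""
from dataclasses import dataclass
from typing import Optional

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}            # password (or equivalent) goes on the wire
DEFAULT_MECHS = ("SCRAM-SHA-256", "SCRAM-SHA-1", "PLAIN")
TLS_MODES = {"require", "prefer", "never"}
AUTH_MODES = {"require", "optional", "none"}


@dataclass
class SubmitPolicy:
    host: str
    port: int = 587
    tls: str = "require"           # "require": abort unless STARTTLS is offered and succeeds
    auth: str = "require"          # "require": abort unless an acceptable mechanism exists
    mechs: tuple = DEFAULT_MECHS   # client preference order; doubles as a per-server pin
    user: Optional[str] = None


@dataclass
class Decision:
    action: str                    # "starttls" | "auth" | "send" | "abort"
    mech: Optional[str] = None
    reason: str = ""


def parse_policy_line(line: str) -> SubmitPolicy:
    """Parse a constructed 'submit: key=value ...' line; mechs are comma-separated."""
    _, _, rest = line.partition(":")
    kv = dict(tok.split("=", 1) for tok in rest.split())
    policy = SubmitPolicy(
        host=kv["host"],
        port=int(kv.get("port", 587)),
        tls=kv.get("tls", "require"),
        auth=kv.get("auth", "require"),
        mechs=tuple(m.upper() for m in kv["mechs"].split(",")) if "mechs" in kv else DEFAULT_MECHS,
        user=kv.get("user"),
    )
    if policy.tls not in TLS_MODES or policy.auth not in AUTH_MODES:
        raise ValueError(f"bad tls/auth mode in policy for {policy.host}")
    return policy


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}; line one is the greeting."""
    caps = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            continue                       # tolerate stray lines; a real client would fail hard
        parts = line[4:].split()           # handles both "250-KEY" and the final "250 KEY"
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def decide(policy: SubmitPolicy, caps: dict, tls_active: bool) -> Decision:
    """Next step given the latest EHLO capabilities and whether TLS is already up."""
    # 1. Transport first: no credential is considered until TLS is settled.
    if not tls_active:
        if "STARTTLS" in caps and policy.tls != "never":
            return Decision("starttls")    # caller sends STARTTLS, re-EHLOs, calls decide() again
        if policy.tls == "require":
            return Decision("abort", reason="policy requires TLS but server offers no STARTTLS")
    # 2. Authentication.
    if policy.auth == "none":
        return Decision("send")
    offered = set(caps.get("AUTH", []))
    for mech in policy.mechs:              # policy order, not server order: resists mech downgrade
        if mech not in offered:
            continue
        if mech in CLEARTEXT_MECHS and not tls_active:
            continue                       # hard floor: never PLAIN/LOGIN in the clear, whatever tls= says
        return Decision("auth", mech=mech)
    if policy.auth == "require":
        why = "no AUTH offered" if not offered else f"no acceptable mechanism among {sorted(offered)}"
        if not tls_active:
            why += " (cleartext mechanisms refused without TLS)"
        return Decision("abort", reason=why)
    return Decision("send")


# Constructed EHLO replies: before STARTTLS, after STARTTLS, and with STARTTLS stripped
# the way a downgrading middlebox would.
EHLO_CLEARTEXT = ("250-mail.example.net Hello client.example.org\r\n"
                  "250-SIZE 10240000\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
EHLO_AFTER_TLS = ("250-mail.example.net Hello client.example.org\r\n"
                  "250 AUTH PLAIN LOGIN SCRAM-SHA-256\r\n")
EHLO_STRIPPED = ("250-mail.example.net Hello client.example.org\r\n"
                 "250 AUTH PLAIN LOGIN\r\n")
```

Walking the three replies through one `tls=require` policy gives starttls, then SCRAM-SHA-256 after the re-EHLO, then abort on the stripped reply; a `tls=prefer` policy also aborts on the stripped reply, but only because the cleartext floor refuses PLAIN and LOGIN, which is why that check lives in the decision function rather than in the config.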