[ale] SMTP AUTH SASL
Chris Ricker
kaboom at gatech.edu
Tue May 21 08:24:37 EDT 2002
On 21 May 2002, Bradley Glonka wrote:
>
>
> Red Hat has made it pretty easy to set up sendmail for SMTP AUTH.
> From the sendmail.mc file:
>
> define(`confAUTH_OPTIONS', `A')dnl
> TRUST_AUTH_MECH(`DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
> define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> This works just fine and authenticates a user against a system account.
>
> Can anyone confirm this is sent via plain text? I'm pretty sure it is.
> Assuming it is how can SASL support some kind of encryption?

It might be, and it might not. That configures sendmail to present AUTH
support via four different methods: DIGEST-MD5, CRAM-MD5, LOGIN, and PLAIN.
Of those, the first two are encrypted and the latter two are plain-text
(login is actually base64-encoded, so really dumb sniffers won't decode it,
but for all practical purposes it's plain text).

That's what the server tells the client it supports. What the client
actually uses is up to the client. Some clients only support PLAIN / LOGIN
(most MS Outlook versions), and even for clients which support more, most
are dumb enough to choose the first negotiated protocol, not the best
negotiated protocol (so make sure your server presents them in order from
strongest to weakest, assuming you have to leave PLAIN and LOGIN enabled).

If you have to use PLAIN / LOGIN, the way to encrypt them is to use STARTTLS
so that the entire SMTP session after the EHLO is tunneled through TLS.

> Or how can I make it authenticate against /etc/sasldb

look at /usr/lib/sasl/Sendmail.conf ; by default, it's configured to do PAM
authentication on Red Hat

later,
chris
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
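
Added example (not part of the original message or of sendmail): a small Python audit of a server's EHLO reply for the three points raised above, namely cleartext mechanisms offered outside TLS, missing STARTTLS, and PLAIN / LOGIN listed ahead of the challenge-response mechanisms. The EHLO replies, host names, credential and finding names are constructed for illustration.

```python
import base64

# Per the thread: PLAIN and LOGIN carry the password base64-encoded, not encrypted.
CLEARTEXT = {"PLAIN", "LOGIN"}

def parse_ehlo(response):
    """Return (AUTH mechanisms in offered order, STARTTLS offered?) from an EHLO reply."""
    mechs, starttls = [], False
    for line in response.splitlines():
        words = line[4:].split()          # skip "250-" / "250 " prefix
        if not line.startswith("250") or not words:
            continue
        keyword = words[0].upper()
        if keyword == "STARTTLS":
            starttls = True
        elif keyword == "AUTH":
            mechs = [w.upper() for w in words[1:]]
    return mechs, starttls

def audit(response, tls_active=False):
    """Return finding codes (names are this example's own) for one EHLO reply."""
    mechs, starttls = parse_ehlo(response)
    findings = []
    if CLEARTEXT & set(mechs) and not tls_active:
        findings.append("cleartext-auth-without-tls")
        if not starttls:
            findings.append("no-starttls")
    # Clients that take the first listed mechanism get a weak one if it leads the list.
    first_strong = next((i for i, m in enumerate(mechs) if m not in CLEARTEXT), None)
    first_clear = next((i for i, m in enumerate(mechs) if m in CLEARTEXT), None)
    if first_strong is not None and first_clear is not None and first_clear < first_strong:
        findings.append("weak-mechanism-listed-first")
    return findings

def decode_auth_plain(token):
    """AUTH PLAIN payload is base64(authzid NUL authcid NUL password), RFC 4616."""
    _authzid, authcid, password = base64.b64decode(token).split(b"\0")
    return authcid.decode(), password.decode()

# Constructed sample data.
BAD_EHLO = ("250-mail.example.org Hello client.example.org\n"
            "250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5\n250 HELP")
GOOD_EHLO = ("250-mail.example.org Hello client.example.org\n250-STARTTLS\n"
             "250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN\n250 HELP")
SAMPLE_TOKEN = base64.b64encode(b"\0alice\0not-a-real-password").decode()

if __name__ == "__main__":
    print(audit(BAD_EHLO), audit(GOOD_EHLO), audit(GOOD_EHLO, tls_active=True))
    print(decode_auth_plain(SAMPLE_TOKEN))
```

Run the audit once against the pre-TLS EHLO reply and once, with tls_active=True, against the EHLO reply received after STARTTLS.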