On 2017-03-09 01:15, Fred Smith wrote:
> My ISP has just informed me that we will soon be required to authenticate
> when connecting to their smtp server, so I've been looking around on the
> web for how to do that with sendmail (just using auth when connecting
> outward-bound, nothing else).
>
> I've found a page here: http://www.sendmail.org/~ca/email/auth.html
> that explains it simply (for simple minds, like mine) but it appears
> to be old-ish.
>
> So, I'm wondering if the recommendation of using:
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> is still appropriate, since MD5 is known to be breakable. Are there
> other hash mechanisms that can be used in SMTP for this purpose?

DIGEST-MD5 and CRAM-MD5 are shared secret mechanisms. Neither the password nor its hash is transported over the wire.

> Also, if someone can help me understand the syntax, I'd appreciate it:
> does EXTERNAL mean some external tool not specified here? if so, how
> is it specified? what such tools would be appropriate?

EXTERNAL means a lower layer is being used.

> is there something more robust, e.g., sha256 or similar that should
> be used here instead?

No. You can make use of what got implemented by cyrus-sasl.

> is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

GSSAPI is Kerberos. No, EXTERNAL and GSSAPI are 2 mechanisms.

> Thanks in advance for any tips.

See https://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/

> Fred

Only offer or use those mechanisms the partner side can deal with. PLAIN over a forcefully TLS secured connection is safe and a de facto standard.

Alexander
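
The points made in the reply above, as an added Python example that is not part of the original message or of sendmail/cyrus-sasl: it builds what AUTH PLAIN and AUTH CRAM-MD5 actually put on the wire, and picks a mechanism from a server's EHLO reply while refusing plaintext mechanisms without TLS. The function names, the EHLO lines, the host name and the "fred" credentials are constructed for illustration; the CRAM-MD5 sample values are the ones printed in RFC 2195.

```python
import base64
import hashlib
import hmac

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire

def plain_initial_response(user, password):
    """AUTH PLAIN payload (RFC 4616): base64(authzid NUL authcid NUL password)."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def cram_md5_response(user, secret, challenge_b64):
    """CRAM-MD5 reply (RFC 2195): base64(user SP hex(HMAC-MD5(secret, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def choose_mechanism(ehlo_lines, preferred, tls_active):
    """First preferred mechanism the server offers; plaintext ones only under TLS."""
    offered = set()
    for line in ehlo_lines:
        # Drop the "250-"/"250 " prefix; tolerate the legacy "AUTH=LOGIN ..." form.
        keyword, _, params = line[4:].replace("=", " ", 1).partition(" ")
        if keyword.upper() == "AUTH":
            offered.update(m.upper() for m in params.split())
    for mech in preferred:
        if mech in offered and (tls_active or mech not in PLAINTEXT_MECHS):
            return mech
    return None

if __name__ == "__main__":
    # Constructed EHLO reply and credentials, for illustration only.
    ehlo = ["250-mail.example.net", "250-STARTTLS", "250 AUTH CRAM-MD5 LOGIN PLAIN"]
    prefs = ["PLAIN", "CRAM-MD5"]
    print("without TLS:", choose_mechanism(ehlo, prefs, tls_active=False))
    print("with TLS:   ", choose_mechanism(ehlo, prefs, tls_active=True))
    wire = plain_initial_response("fred", "example-password")
    print("PLAIN on the wire:", wire, "->", base64.b64decode(wire))
    # Sample challenge and secret from RFC 2195, section 2.
    ch = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    reply = cram_md5_response("tim", "tanstaaftanstaaf", ch)
    print("CRAM-MD5 on the wire:", base64.b64decode(reply).decode())
```

The PLAIN payload decodes straight back to the password, which is why it belongs only inside TLS; the CRAM-MD5 reply carries a keyed digest of a one-time server challenge rather than the secret itself.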