Thu Mar 9 12:33:04 UTC 2017
Alexander Dalloz <ad+lists at uni-x.org>

On 2017-03-09 01:15, Fred Smith wrote:
> My ISP has just informed me that we will soon be required to authenticate
> when connecting to their smtp server, so I've been looking around on the
> web for how to do that with sendmail (just using auth when connecting
> outward-bound, nothing else).
> I've found a page here: http://www.sendmail.org/~ca/email/auth.html
> that explains it simply (for simple minds, like mine) but it appears
> to be old-ish.
> So, I'm wondering if the recommendation of using:
> is still appropriate, since MD5 is known to be breakable. Are there other hash
> mechanisms that can be used in SMTP for this purpose?

DIGEST-MD5 and CRAM-MD5 are shared secret mechanisms. Not the password 
or its hash is transported over the wire.

> Also, if someone can help me understand the syntax, I'd appreciate it:
> does EXTERNAL mean some external tool not specified here? if so, how
> is it specified? what such tools would be appropriate?

EXTERNAL means a lower layer is being used.

> is there something more robust, e.g., sha256 or similar that should
> be used here instead?

No. You can make use of what got implemented by cyrus-sasl.

> is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

GSSAPI is Kerberos. No, EXTERNAL and GSSAPI are 2 mechanisms.

> Thanks in advance for any tips.

See https://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/

> Fred

Only offer or use those mechanisms the partner side can deal with. PLAIN 
over a forcefully TLS secured connection is safe and a de facto standard.