[CentOS] another SMTP auth question
Alexander Dalloz
ad+lists at uni-x.org
Thu Mar 9 12:33:04 UTC 2017

On 2017-03-09 01:15, Fred Smith wrote:
> My ISP has just informed me that we will soon be required to authenticate
> when connecting to their smtp server, so I've been looking around on the
> web for how to do that with sendmail (just using auth when connecting
> outward-bound, nothing else).
>
> I've found a page here: http://www.sendmail.org/~ca/email/auth.html
> that explains it simply (for simple minds, like mine) but it appears
> to be old-ish.
>
> So, I'm wondering if the recommendation of using:
>
> define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> is still appropriate, since MD5 is known to be breakable. Are there other hash
> mechanisms that can be used in SMTP for this purpose?

DIGEST-MD5 and CRAM-MD5 are shared secret mechanisms. Neither the password
nor its hash is transported over the wire.

> Also, if someone can help me understand the syntax, I'd appreciate it:
> does EXTERNAL mean some external tool not specified here? if so, how
> is it specified? what such tools would be appropriate?

EXTERNAL means a lower layer is being used.

> is there something more robust, e.g., sha256 or similar that should
> be used here instead?

No. You can make use of what got implemented by cyrus-sasl.

> is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

GSSAPI is Kerberos. No, EXTERNAL and GSSAPI are 2 mechanisms.

> Thanks in advance for any tips.

See https://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/

> Fred

Only offer or use those mechanisms the partner side can deal with. PLAIN
over a forcefully TLS-secured connection is safe and a de facto standard.

Alexander
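
Added example, not part of the original post: a Python sketch of the points in the reply above. It shows that a CRAM-MD5 response carries only an HMAC of the server challenge while PLAIN carries the password itself (hence the TLS requirement), and that the client picks only from what the server offers. The EHLO reply is constructed, the challenge and credentials are the RFC 2195 sample values, and the function names and preference order are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Assumed client policy: PLAIN when TLS is up, otherwise challenge-response.
PREFERENCE = ["PLAIN", "CRAM-MD5", "LOGIN"]
CLEARTEXT = {"PLAIN", "LOGIN"}  # these mechanisms send the password itself


def offered_mechanisms(ehlo_reply):
    """Extract SASL mechanism names from the AUTH line of an EHLO reply."""
    for line in ehlo_reply.splitlines():
        words = line[4:].split()  # drop the "250-" / "250 " prefix
        if words and words[0].upper() == "AUTH":
            return [m.upper() for m in words[1:]]
    return []


def choose_mechanism(ehlo_reply, tls_active):
    """First preferred mechanism the server offers; cleartext only over TLS."""
    offered = offered_mechanisms(ehlo_reply)
    for mech in PREFERENCE:
        if mech in offered and (tls_active or mech not in CLEARTEXT):
            return mech
    return None


def cram_md5_response(user, secret, challenge_b64):
    """RFC 2195: answer with HMAC-MD5(secret, challenge); the secret stays local."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def plain_response(user, password):
    """RFC 4616: authzid NUL authcid NUL password, merely base64-encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


# Constructed EHLO reply; challenge is the sample from RFC 2195.
EHLO = "250-mail.example.net\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN CRAM-MD5\r\n"
CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"

if __name__ == "__main__":
    print("no TLS ->", choose_mechanism(EHLO, tls_active=False))
    print("TLS    ->", choose_mechanism(EHLO, tls_active=True))
    print("CRAM-MD5:", cram_md5_response("tim", "tanstaaftanstaaf", CHALLENGE))
    print("PLAIN   :", plain_response("tim", "tanstaaftanstaaf"))
```

Decoding the PLAIN string with base64 returns the password verbatim, while the CRAM-MD5 string decodes to the user name and a 32-digit hex digest that changes with every challenge.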