My ISP has just informed me that we will soon be required to authenticate when connecting to their smtp server, so I've been looking around on the web for how to do that with sendmail (just using auth when connecting outward-bound, nothing else).

I've found a page here: http://www.sendmail.org/~ca/email/auth.html that explains it simply (for simple minds, like mine) but it appears to be old-ish.

So, I'm wondering if the recommendation of using:

    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

is still appropriate, since MD5 is known to be breakable. Are there other hash mechanisms that can be used in SMTP for this purpose?

Also, if someone can help me understand the syntax, I'd appreciate it: does EXTERNAL mean some external tool not specified here? if so, how is it specified? what such tools would be appropriate? is there something more robust, e.g., sha256 or similar that should be used here instead? is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

Thanks in advance for any tips.

Fred

-- 
-------------------------------------------------------------------------------
Under no circumstances will I ever purchase anything offered to me as the result of an unsolicited e-mail message. Nor will I forward chain letters, petitions, mass mailings, or virus warnings to large numbers of others. This is my contribution to the survival of the online community.
--Roger Ebert, December, 1996
----------------------------- The Boulder Pledge -----------------------------
On 2017-03-09 01:15, Fred Smith wrote:

> My ISP has just informed me that we will soon be required to authenticate
> when connecting to their smtp server, so I've been looking around on the
> web for how to do that with sendmail (just using auth when connecting
> outward-bound, nothing else).
>
> I've found a page here: http://www.sendmail.org/~ca/email/auth.html
> that explains it simply (for simple minds, like mine) but it appears
> to be old-ish.
>
> So, I'm wondering if the recommendation of using:
>
>     define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
>
> is still appropriate, since MD5 is known to be breakable. Are there
> other hash mechanisms that can be used in SMTP for this purpose?

DIGEST-MD5 and CRAM-MD5 are shared-secret mechanisms. Neither the password nor its hash is transported over the wire.

> Also, if someone can help me understand the syntax, I'd appreciate it:
> does EXTERNAL mean some external tool not specified here? if so, how
> is it specified? what such tools would be appropriate?

EXTERNAL means a lower layer is being used.

> is there something more robust, e.g., sha256 or similar that should
> be used here instead?

No. You can make use of what got implemented by cyrus-sasl.

> is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

GSSAPI is Kerberos. No, EXTERNAL and GSSAPI are 2 mechanisms.

> Thanks in advance for any tips.

See https://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/

> Fred

Only offer or use those mechanisms the partner side can deal with. PLAIN over a forcefully TLS-secured connection is safe and a de facto standard.

Alexander
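A client-side sendmail.mc fragment that applies the advice above (PLAIN only, and only once TLS is up) for the outbound-only case Fred describes. This is an added example, not code from either message or from sendmail.org; the hostname smtp.isp.example, the user name, the password, port 587 and the CA bundle path are placeholders to replace with the ISP's values.

```m4
dnl --- sendmail.mc fragment: authenticate outbound only, password only under TLS ---
dnl Send all outbound mail via the ISP's submission server (port 587 is an assumption;
dnl use whatever port the ISP specifies).
define(`SMART_HOST', `smtp.isp.example')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl

dnl Offer/use only the mechanism the peer actually supports, as the reply says.
define(`confAUTH_MECHANISMS', `PLAIN')dnl
dnl A: send AUTH= on MAIL FROM only after successful authentication.
dnl p: refuse PLAIN/LOGIN unless a security layer (here TLS) is already active,
dnl    so a STARTTLS failure cannot leak the password in clear text.
define(`confAUTH_OPTIONS', `A p')dnl

dnl Trust store used to verify the ISP server's certificate (paths are placeholders).
define(`confCACERT_PATH', `/etc/ssl/certs')dnl
define(`confCACERT', `/etc/ssl/certs/ca-certificates.crt')dnl

dnl Client credentials are kept in the authinfo map, never in sendmail.mc.
FEATURE(`authinfo')dnl
dnl Per-server TLS requirements come from the access map.
FEATURE(`access_db')dnl

dnl /etc/mail/authinfo (owned by root, mode 0600; rebuild with makemap after editing):
dnl   AuthInfo:smtp.isp.example "U:fred" "I:fred" "P:CHANGEME" "M:PLAIN"
dnl
dnl /etc/mail/access (rebuild with makemap after editing):
dnl   TLS_Srv:smtp.isp.example VERIFY:128
dnl This requires a verified server certificate and a cipher of at least 128 bits
dnl before the relay mailer talks to smtp.isp.example; if that cannot be met the
dnl message is deferred and queued rather than sent with weaker protection.
```

After `m4 sendmail.mc > sendmail.cf` and rebuilding both maps with makemap, confirm in the mail log that the session to the smart host shows a STARTTLS line before the AUTH line, and that nothing is sent when TLS is unavailable.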