Another SMTP Auth Question

Home » CentOS » Another SMTP Auth Question
CentOS 1 Comment

My ISP has just informed me that we will soon be required to authenticate when connecting to their SMTP server, so I’ve been looking around on the web for how to do that with sendmail (just using auth when connecting outward-bound, nothing else).

I’ve found a page here: http://www.sendmail.org/~ca/email/auth.html that explains it simply (for simple minds, like mine) but it appears to be old-ish.

So, I’m wondering if the recommendation of using:

define(`confAUTH_MECHANISMS’, `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)dnl

is still appropriate, since MD5 is known to be breakable. Are there other hash mechanisms that can be used in SMTP for this purpose?

Also, if someone can help me understand the syntax, I’d appreciate it:
does EXTERNAL mean some external tool not specified here? if so, how is it specified? what such tools would be appropriate?

is there something more robust, e.g., sha256 or similar that should be used here instead?

is GSSAPI internal, or does the external mean EXTERNAL GSSAPI?

Thanks in advance for any tips.

Fred

One thought on - Another SMTP Auth Question

  • Am 2017-03-09 01:15, schrieb Fred Smith:

    DIGEST-MD5 and CRAM-MD5 are shared secret mechanisms. Not the password or it’s hash is transported over the wire.

    EXTERNAL means a lower layer is being used

    No. You can make use of what got implemented by cyrus-sasl.

    GSSAPI is kerberos. No, EXTERNAL and GSSAPI are 2 mechanisms.

    See https://www.cyrusimap.org/docs/cyrus-sasl/2.1.25/

    Only offer or use those mechanisms the partner side can deal with. PLAIN
    over a forcefully TLS secured connection is safe and a defacto standard.

    Alexander

LEAVE A COMMENT