Claus Aßmann <INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
writes:

Wolfgang Agnes wrote:

I made sure not to add PLAIN or LOGIN, although I'd accept such
authentications if I can make sure the conversation would be always
wrapped in TLS, which I think it would be desirable for port 587. But I
don't if that's easy to do.

Did you read the fine documentation?

AuthOptions
p don't permit mechanisms susceptible to simple
passive attack (e.g., PLAIN, LOGIN), unless a
security layer is active.

Thanks! I am. I'm reading a fine and well-written book in its fourth edition---thanks very much for your attention. :) Now you reminded me
about AuthOptions. And the p-option is now in place and things look
brigther now. Thanks very much.

%openssl s_client -starttls smtp -connect my.host.name:587 -quiet
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = my.host.name
verify return:1
250 HELP
ehlo localhost
250-my.host.name Hello my.host.name [1.2.3.4], pleased to meet you 250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 my.host.name closing connection

(I then enabled PLAIN as well.)

%telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Mon, 11 Nov 2024 08:23:43 -0300 (-03)
ehlo localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 my.host.name closing connection
Connection closed by foreign host.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail. --8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

Wolfgang Agnes <wagnes@jemoni.to> wrote:

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail. --8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
amd64

Supported AUTHentication mechanisms are listed in reply to EHLO
(extended HELO) ESMTP command. EHLO replies list SMTP extensions
supported in the ESMTP session/connection.

ehlo xxx

:< 250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
:< 250-ENHANCEDSTATUSCODES
:< 250-PIPELINING
:< 250-EXPN
:< 250-VERB
:< 250-8BITMIME
:< 250-SIZE
:< 250-DSN
:< 250-ETRN
:< 250-AUTH DIGEST-MD5 CRAM-MD5
:< 250-DELIVERBY
:< 250 HELP


--
[Andrew] Andrzej A. Filip

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

Andrzej Adam Filip <anfi@onet.eu> writes:

Wolfgang Agnes <wagnes@jemoni.to> wrote:

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail.
--8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
amd64

Supported AUTHentication mechanisms are listed in reply to EHLO
(extended HELO) ESMTP command. EHLO replies list SMTP extensions
supported in the ESMTP session/connection.

ehlo xxx

:< 250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
:< 250-ENHANCEDSTATUSCODES
:< 250-PIPELINING
:< 250-EXPN
:< 250-VERB
:< 250-8BITMIME
:< 250-SIZE
:< 250-DSN
:< 250-ETRN
:< 250-AUTH DIGEST-MD5 CRAM-MD5
:< 250-DELIVERBY
:< 250 HELP

Thanks! Then I don't have support for authentication.

--8<-------------------------------------------------------->8---
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
EHLO localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I'll have to recompile Sendmail.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

In comp.mail.sendmail Wolfgang Agnes <wagnes@jemoni.to> wrote:

Thanks! Then I don't have support for authentication.

--8<-------------------------------------------------------->8---
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
EHLO localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I'll have to recompile Sendmail.

Not necessarily. I cannot remember the exact conditions, but
sometimes AUTH appears only after the client has issued
STARTTLS to enable the encryption layer. Clients do EHLO again
after the encryption layer is working.

br,
KK

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

Wolfgang Agnes <wagnes@jemoni.to> wrote:

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail. --8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
amd64

Do you plan to use dovecot (IMAP)?
YES => AFAIK postfix offers better dovecot integration than sendmail.

--
[Andrew] Andrzej A. Filip

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Wolfgang Agnes <wagnes@jemoni.to> wrote:

[…]
--8<-------------------------------------------------------->8---
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
EHLO localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you 250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I'll have to recompile Sendmail.

Take a look at https://www.sendmail.org/~ca/email/auth.html

--
[Andrew] Andrzej A. Filip

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Wolfgang Agnes <wagnes@jemoni.to> wrote:

Thanks! I don't know how to investigate it further after I type
STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
TLS protocol, which I don't know how.

Please install a perl-based tool called "swaks". From the manual page:

Swaks - Swiss Army Knife SMTP, the all-purpose SMTP transaction tester

and then use its "-tls" option.

With swaks, all SMTP testing becomes very easy indeed.

By the way, I think you're thinking is good---you might be thinking that sendmail wouldn't want credentials traveling in the clear, but I believe
it does accept that if we compile it with AUTH PLAIN, say. I think
saying STARTTLS before will not be required.

You never *compile* Sendmail with "AUTH PLAIN", those are m4 configuration
file options.

br,
KK

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

Andrzej Adam Filip <anfi@onet.eu> writes:

Wolfgang Agnes <wagnes@jemoni.to> wrote:

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail.
--8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
amd64

Do you plan to use dovecot (IMAP)?
YES => AFAIK postfix offers better dovecot integration than sendmail.

(Thanks!) Such as what?

So far I'm not planning on using IMAP. This is just for personal mail
and I prefer the whole thing to be local, so POP3 should be enough to
bring my mail to my personal computer and then I can manage it here.

And I also don't want to plan to run Postfix. I am actually fond of
qmail, but I decided to run the legend once again to (this time) really
learn how it works and celebrate what a great software it has always
been.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Andrzej Adam Filip <anfi@onet.eu> writes:

Wolfgang Agnes <wagnes@jemoni.to> wrote:

[…]
--8<-------------------------------------------------------->8---
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024
07:51:24 -0300 (-03)
EHLO localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I'll have to recompile Sendmail.

Take a look at https://www.sendmail.org/~ca/email/auth.html

Thanks! I'll follow those instruction and report back.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Wolfgang Agnes <wagnes@jemoni.to> writes:

Thanks! I don't know how to investigate it further after I type
STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
TLS protocol, which I don't know how.

You can have openssl connect and issue the STARTTLS, and then continue
with TLS. Like so:

bjorn@miraculix:~$ openssl s_client -connect canardo:25 -starttls smtp -quiet Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = canardo.mork.no
verify return:1
250 HELP
ehlo du
250-canardo.dyn.mork.no Hello [IPv6:2a01:799:10de:2e0a:149a:2079:3a3a:3457], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 canardo.dyn.mork.no closing connection


Drop the "-quiet" option to get more details about the TLS negotiation,
or add other options. You can also send client certificate if you want,
using -key and -cert. And there are plenty of other options as usual
with openssl :-)

See the openssl s_client manual page for more details.


Bjørn

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

On 08.11.2024 um 17:50 Uhr Andrzej Adam Filip wrote:

Wolfgang Agnes <wagnes@jemoni.to> wrote:

--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail. --8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your
site. 214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or CRAM-MD5. What does that mean? What kind of AUTH support do I
have at the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH
suffices to me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
amd64

Do you plan to use dovecot (IMAP)?
YES => AFAIK postfix offers better dovecot integration than sendmail.

IIRC Dovecot supports getting mail from /var/spool and also via LMTP.

--
kind regards
Marco

Send spam to 1731084657muell@cartoonies.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: comp.unix.bsd.freebsd.misc, comp.unix.programmer

Marco Moock <mm+usenet-es@dorfdsl.de> writes:

On 08.11.2024 um 17:50 Uhr Andrzej Adam Filip wrote:

Do you plan to use dovecot (IMAP)?
YES => AFAIK postfix offers better dovecot integration than sendmail.

IIRC Dovecot supports getting mail from /var/spool and also via LMTP.

There are lots of possibilites. I've been using the dovecot+sendmail
combo for years, and courier+sendmail before that. Have always used
procmail as lda delivering to Maildirs in the users' home dir.

Having

FEATURE(`local_procmail')dnl

in sendmail.mc and

DEFAULT=$HOME/Maildir/

in /etc/procmailrc is enough for delivery. The dovecot config has

mail_location = maildir:~/Maildir

My main reason for that configuration is that it allows each user to
filter mail directly into different imap folders using their own
~/.procmailrc without doing anything extra. Just add procmail rules
delivering to Maildir/.whatever/ instead of the default, and it will
show up in the INBOX.whatever folder in dovecot.

That's just one way to to it. There's a huge menu of mailbox formats and locations. But whatever you choose I'm pretty sure both sendmail and
dovecot can support it.



Bjørn

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)