--8<-------------------------------------------------------->8---
(*) Followup-To

comp.mail.sendmail

I suggest we take this thread to comp.mail.sendmail.
--8<-------------------------------------------------------->8---

Here's what I see when I say ``HELP'' to my sendmail:

214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

It shows AUTH. But it doesn't show anything else such as PLAIN or
CRAM-MD5. What does that mean? What kind of AUTH support do I have at
the moment?

I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
me, then I wouldn't install anything else.

# pkg info | grep cyrus
#

# uname -a
FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC amd64

Wolfgang Agnes <wagnes@jemoni.to> wrote:
> --8<-------------------------------------------------------->8---
> (*) Followup-To
>
> comp.mail.sendmail
>
> I suggest we take this thread to comp.mail.sendmail.
> --8<-------------------------------------------------------->8---
>
> Here's what I see when I say ``HELP'' to my sendmail:
>
> 214-2.0.0 This is sendmail version 8.18.1
> 214-2.0.0 Topics:
> 214-2.0.0 HELO EHLO MAIL RCPT DATA
> 214-2.0.0 RSET NOOP QUIT HELP VRFY
> 214-2.0.0 EXPN VERB ETRN DSN AUTH
> 214-2.0.0 STARTTLS
> 214-2.0.0 For more info use "HELP <topic>".
> 214-2.0.0 To report bugs in the implementation see
> 214-2.0.0 http://www.sendmail.org/email-addresses.html
> 214-2.0.0 For local information send email to Postmaster at your site.
> 214 2.0.0 End of HELP info
>
> It shows AUTH. But it doesn't show anything else such as PLAIN or
> CRAM-MD5. What does that mean? What kind of AUTH support do I have at
> the moment?
>
> I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
> me, then I wouldn't install anything else.
>
> # pkg info | grep cyrus
> #
>
> # uname -a
> FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
> amd64

Supported AUTHentication mechanisms are listed in reply to EHLO
(extended HELO) ESMTP command. EHLO replies list SMTP extensions
supported in the ESMTP session/connection.

:> ehlo xxx
:< 250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
:< 250-ENHANCEDSTATUSCODES
:< 250-PIPELINING
:< 250-EXPN
:< 250-VERB
:< 250-8BITMIME
:< 250-SIZE
:< 250-DSN
:< 250-ETRN
:< 250-AUTH DIGEST-MD5 CRAM-MD5
:< 250-DELIVERBY
:< 250 HELP

--
[Andrew] Andrzej A. Filip

Andrzej Adam Filip <anfi@onet.eu> writes:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> --8<-------------------------------------------------------->8---
>> (*) Followup-To
>>
>> comp.mail.sendmail
>>
>> I suggest we take this thread to comp.mail.sendmail.
>> --8<-------------------------------------------------------->8---
>>
>> Here's what I see when I say ``HELP'' to my sendmail:
>>
>> 214-2.0.0 This is sendmail version 8.18.1
>> 214-2.0.0 Topics:
>> 214-2.0.0 HELO EHLO MAIL RCPT DATA
>> 214-2.0.0 RSET NOOP QUIT HELP VRFY
>> 214-2.0.0 EXPN VERB ETRN DSN AUTH
>> 214-2.0.0 STARTTLS
>> 214-2.0.0 For more info use "HELP <topic>".
>> 214-2.0.0 To report bugs in the implementation see
>> 214-2.0.0 http://www.sendmail.org/email-addresses.html
>> 214-2.0.0 For local information send email to Postmaster at your site.
>> 214 2.0.0 End of HELP info
>>
>> It shows AUTH. But it doesn't show anything else such as PLAIN or
>> CRAM-MD5. What does that mean? What kind of AUTH support do I have at
>> the moment?
>>
>> I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
>> me, then I wouldn't install anything else.
>>
>> # pkg info | grep cyrus
>> #
>>
>> # uname -a
>> FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
>> amd64
>
> Supported AUTHentication mechanisms are listed in reply to EHLO
> (extended HELO) ESMTP command. EHLO replies list SMTP extensions
> supported in the ESMTP session/connection.
>
> :> ehlo xxx
> :< 250-mail.example.org Hello localhost [127.0.0.1], pleased to meet you
> :< 250-ENHANCEDSTATUSCODES
> :< 250-PIPELINING
> :< 250-EXPN
> :< 250-VERB
> :< 250-8BITMIME
> :< 250-SIZE
> :< 250-DSN
> :< 250-ETRN
> :< 250-AUTH DIGEST-MD5 CRAM-MD5
> :< 250-DELIVERBY
> :< 250 HELP

Thanks! Then I don't have support for authentication.

--8<-------------------------------------------------------->8---
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
EHLO localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I'll have to recompile Sendmail.

In comp.mail.sendmail Wolfgang Agnes <wagnes@jemoni.to> wrote:
> Thanks! Then I don't have support for authentication.
>
> --8<-------------------------------------------------------->8---
> 220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
> EHLO localhost
> 250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> --8<-------------------------------------------------------->8---
>
> I'll have to recompile Sendmail.

Not necessarily. I cannot remember the exact conditions, but
sometimes AUTH appears only after the client has issued
STARTTLS to enable the encryption layer. Clients do EHLO again
after the encryption layer is working.

br,
KK

Wolfgang Agnes <wagnes@jemoni.to> wrote:
> […]
> --8<-------------------------------------------------------->8---
> 220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 07:51:24 -0300 (-03)
> EHLO localhost
> 250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
> --8<-------------------------------------------------------->8---
>
> I'll have to recompile Sendmail.

Take a look at https://www.sendmail.org/~ca/email/auth.html

--
[Andrew] Andrzej A. Filip

Wolfgang Agnes <wagnes@jemoni.to> wrote:
> --8<-------------------------------------------------------->8---
> (*) Followup-To
>
> comp.mail.sendmail
>
> I suggest we take this thread to comp.mail.sendmail.
> --8<-------------------------------------------------------->8---
>
> Here's what I see when I say ``HELP'' to my sendmail:
>
> 214-2.0.0 This is sendmail version 8.18.1
> 214-2.0.0 Topics:
> 214-2.0.0 HELO EHLO MAIL RCPT DATA
> 214-2.0.0 RSET NOOP QUIT HELP VRFY
> 214-2.0.0 EXPN VERB ETRN DSN AUTH
> 214-2.0.0 STARTTLS
> 214-2.0.0 For more info use "HELP <topic>".
> 214-2.0.0 To report bugs in the implementation see
> 214-2.0.0 http://www.sendmail.org/email-addresses.html
> 214-2.0.0 For local information send email to Postmaster at your site.
> 214 2.0.0 End of HELP info
>
> It shows AUTH. But it doesn't show anything else such as PLAIN or
> CRAM-MD5. What does that mean? What kind of AUTH support do I have at
> the moment?
>
> I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
> me, then I wouldn't install anything else.
>
> # pkg info | grep cyrus
> #
>
> # uname -a
> FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
> amd64

Do you plan to use dovecot (IMAP)?
YES => AFAIK postfix offers better dovecot integration than sendmail.

--
[Andrew] Andrzej A. Filip

kalevi@kolttonen.fi (Kalevi Kolttonen) writes:

> In comp.mail.sendmail Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> Thanks! Then I don't have support for authentication.
>>
>> --8<-------------------------------------------------------->8---
>> 220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024
>> 07:51:24 -0300 (-03)
>> EHLO localhost
>> 250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE
>> 250-DSN
>> 250-ETRN
>> 250-STARTTLS
>> 250-DELIVERBY
>> 250 HELP
>> --8<-------------------------------------------------------->8---
>>
>> I'll have to recompile Sendmail.
>
> Not necessarily. I cannot remember the exact conditions, but
> sometimes AUTH appears only after the client has issued
> STARTTLS to enable the encryption layer. Clients do EHLO again
> after the encryption layer is working.

Thanks! I don't know how to investigate it further after I type
STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
TLS protocol, which I don't know how.

By the way, I think you're thinking is good---you might be thinking that
sendmail wouldn't want credentials traveling in the clear, but I believe
it does accept that if we compile it with AUTH PLAIN, say. I think
saying STARTTLS before will not be required.

The book

sendmail
Bryan Costales, George Jansen
& Claus Assmann with Gregory Neil Shapiro
O'Reilly, 2007, fourth edition, ISBN 978-0-596-51029-9

seems to confirm that I don't have AUTH support. On section 5.1.2.1, we
find:

--8<-------------------------------------------------------->8---
Before you install sendmail, test it to be sure the added SASL support
has worked. You can do this by running sendmail from the directory in
which it was built. Note that you must do this as root:

# obj.*/sendmail/sendmail -bs -Am

Here, we run the newly built sendmail relative to the source
directory. The -bs tells sendmail to speak SMTP on its standard
input. The -Am tells sendmail to use its server configuration file (not
submit.cf), even though it is running in mail-submission mode.

Such a test session might look like this:

220 your.host.domain ESMTP Sendmail 8.14.1/8.14.1; Fri, 14 Dec 2007 11:43:02 -0700
(PST)
ehlo your.host.domain
250-your.host.domain Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 <-- note this line
250-DELIVERBY
250 HELP
quit
221 2.0.0 your.host.domain closing connection

Here, the AUTH SMTP keyword appears, indicating that this site supports SASL
authentication and two modes of authentication as shown earlier.
--8<-------------------------------------------------------->8---

And here's my test:

--8<-------------------------------------------------------->8---
# /usr/sbin/sendmail -bs -Am
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024 15:29:21 -0300 (-03)
help
214-2.0.0 This is sendmail version 8.18.1
214-2.0.0 Topics:
214-2.0.0 HELO EHLO MAIL RCPT DATA
214-2.0.0 RSET NOOP QUIT HELP VRFY
214-2.0.0 EXPN VERB ETRN DSN AUTH
214-2.0.0 STARTTLS
214-2.0.0 For more info use "HELP <topic>".
214-2.0.0 To report bugs in the implementation see
214-2.0.0 http://www.sendmail.org/email-addresses.html
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info
EHLO localhost
250-my.host.name Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
HELP <--- I lose the connection here
# --8<-------------------------------------------------------->8---

In maillog, I find:

--8<-------------------------------------------------------->8---
Nov 8 15:29:44 my.host sendmail[16217]: tls_srv_features=(null), relay=(null) [0]
Nov 8 15:29:44 my.host sendmail[16217]: tls_srv_features=empty, stat=0, relay=(null) [0]
--8<-------------------------------------------------------->8---

besides other irrelevant lines.

I find curious, though, that if I don't have SASL support, why should I
see the command AUTH as the answer to HELP? (I seem to have no
mechanism compiled-in for authentication.)

Andrzej Adam Filip <anfi@onet.eu> writes:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> --8<-------------------------------------------------------->8---
>> (*) Followup-To
>>
>> comp.mail.sendmail
>>
>> I suggest we take this thread to comp.mail.sendmail.
>> --8<-------------------------------------------------------->8---
>>
>> Here's what I see when I say ``HELP'' to my sendmail:
>>
>> 214-2.0.0 This is sendmail version 8.18.1
>> 214-2.0.0 Topics:
>> 214-2.0.0 HELO EHLO MAIL RCPT DATA
>> 214-2.0.0 RSET NOOP QUIT HELP VRFY
>> 214-2.0.0 EXPN VERB ETRN DSN AUTH
>> 214-2.0.0 STARTTLS
>> 214-2.0.0 For more info use "HELP <topic>".
>> 214-2.0.0 To report bugs in the implementation see
>> 214-2.0.0 http://www.sendmail.org/email-addresses.html
>> 214-2.0.0 For local information send email to Postmaster at your site.
>> 214 2.0.0 End of HELP info
>>
>> It shows AUTH. But it doesn't show anything else such as PLAIN or
>> CRAM-MD5. What does that mean? What kind of AUTH support do I have at
>> the moment?
>>
>> I have no cyrus packages installed on this FreeBSD. If AUTH suffices to
>> me, then I wouldn't install anything else.
>>
>> # pkg info | grep cyrus
>> #
>>
>> # uname -a
>> FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
>> amd64
>
> Do you plan to use dovecot (IMAP)?
> YES => AFAIK postfix offers better dovecot integration than sendmail.

(Thanks!) Such as what?

So far I'm not planning on using IMAP. This is just for personal mail
and I prefer the whole thing to be local, so POP3 should be enough to
bring my mail to my personal computer and then I can manage it here.

And I also don't want to plan to run Postfix. I am actually fond of
qmail, but I decided to run the legend once again to (this time) really
learn how it works and celebrate what a great software it has always
been.

Andrzej Adam Filip <anfi@onet.eu> writes:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> […]
>> --8<-------------------------------------------------------->8---
>> 220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024
>> 07:51:24 -0300 (-03)
>> EHLO localhost
>> 250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE
>> 250-DSN
>> 250-ETRN
>> 250-STARTTLS
>> 250-DELIVERBY
>> 250 HELP
>> --8<-------------------------------------------------------->8---
>>
>> I'll have to recompile Sendmail.
>
> Take a look at https://www.sendmail.org/~ca/email/auth.html

Thanks! I'll follow those instruction and report back.

Wolfgang Agnes <wagnes@jemoni.to> wrote:
> Thanks! I don't know how to investigate it further after I type
> STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
> TLS protocol, which I don't know how.

Please install a perl-based tool called "swaks". From the manual page:

Swaks - Swiss Army Knife SMTP, the all-purpose SMTP transaction tester

and then use its "-tls" option.

With swaks, all SMTP testing becomes very easy indeed.

> By the way, I think you're thinking is good---you might be thinking that
> sendmail wouldn't want credentials traveling in the clear, but I believe
> it does accept that if we compile it with AUTH PLAIN, say. I think
> saying STARTTLS before will not be required.

You never *compile* Sendmail with "AUTH PLAIN", those are m4 configuration
file options.

br,
KK

On 08.11.2024 um 17:50 Uhr Andrzej Adam Filip wrote:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
> > --8<-------------------------------------------------------->8---
> > (*) Followup-To
> >
> > comp.mail.sendmail
> >
> > I suggest we take this thread to comp.mail.sendmail.
> > --8<-------------------------------------------------------->8---
> >
> > Here's what I see when I say ``HELP'' to my sendmail:
> >
> > 214-2.0.0 This is sendmail version 8.18.1
> > 214-2.0.0 Topics:
> > 214-2.0.0 HELO EHLO MAIL RCPT DATA
> > 214-2.0.0 RSET NOOP QUIT HELP VRFY
> > 214-2.0.0 EXPN VERB ETRN DSN AUTH
> > 214-2.0.0 STARTTLS
> > 214-2.0.0 For more info use "HELP <topic>".
> > 214-2.0.0 To report bugs in the implementation see
> > 214-2.0.0 http://www.sendmail.org/email-addresses.html
> > 214-2.0.0 For local information send email to Postmaster at your
> > site. 214 2.0.0 End of HELP info
> >
> > It shows AUTH. But it doesn't show anything else such as PLAIN or
> > CRAM-MD5. What does that mean? What kind of AUTH support do I
> > have at the moment?
> >
> > I have no cyrus packages installed on this FreeBSD. If AUTH
> > suffices to me, then I wouldn't install anything else.
> >
> > # pkg info | grep cyrus
> > #
> >
> > # uname -a
> > FreeBSD my.host.name 14.1-RELEASE-p5 FreeBSD 14.1-RELEASE-p5 GENERIC
> > amd64
>
> Do you plan to use dovecot (IMAP)?
> YES => AFAIK postfix offers better dovecot integration than sendmail.

IIRC Dovecot supports getting mail from /var/spool and also via LMTP.

--
kind regards
Marco

Send spam to 1731084657muell@cartoonies.org

Wolfgang Agnes <wagnes@jemoni.to> writes:

> Thanks! I don't know how to investigate it further after I type
> STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
> TLS protocol, which I don't know how.

You can have openssl connect and issue the STARTTLS, and then continue
with TLS. Like so:

bjorn@miraculix:~$ openssl s_client -connect canardo:25 -starttls smtp -quiet
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = canardo.mork.no
verify return:1
250 HELP
ehlo du
250-canardo.dyn.mork.no Hello [IPv6:2a01:799:10de:2e0a:149a:2079:3a3a:3457], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH PLAIN LOGIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 canardo.dyn.mork.no closing connection

Drop the "-quiet" option to get more details about the TLS negotiation,
or add other options. You can also send client certificate if you want,
using -key and -cert. And there are plenty of other options as usual
with openssl :-)

See the openssl s_client manual page for more details.

Bjørn

Marco Moock <mm+usenet-es@dorfdsl.de> writes:
> On 08.11.2024 um 17:50 Uhr Andrzej Adam Filip wrote:
>
>> Do you plan to use dovecot (IMAP)?
>> YES => AFAIK postfix offers better dovecot integration than sendmail.
>
> IIRC Dovecot supports getting mail from /var/spool and also via LMTP.

There are lots of possibilites. I've been using the dovecot+sendmail
combo for years, and courier+sendmail before that. Have always used
procmail as lda delivering to Maildirs in the users' home dir.

Having

FEATURE(`local_procmail')dnl

in sendmail.mc and

DEFAULT=$HOME/Maildir/

in /etc/procmailrc is enough for delivery. The dovecot config has

mail_location = maildir:~/Maildir

My main reason for that configuration is that it allows each user to
filter mail directly into different imap folders using their own
~/.procmailrc without doing anything extra. Just add procmail rules
delivering to Maildir/.whatever/ instead of the default, and it will
show up in the INBOX.whatever folder in dovecot.

That's just one way to to it. There's a huge menu of mailbox formats and
locations. But whatever you choose I'm pretty sure both sendmail and
dovecot can support it.

Bjørn

kalevi@kolttonen.fi (Kalevi Kolttonen) writes:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> Thanks! I don't know how to investigate it further after I type
>> STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
>> TLS protocol, which I don't know how.
>
> Please install a perl-based tool called "swaks". From the manual page:
>
> Swaks - Swiss Army Knife SMTP, the all-purpose SMTP transaction tester
>
> and then use its "-tls" option.
>
> With swaks, all SMTP testing becomes very easy indeed.

Pretty useful. Thanks!

>> By the way, I think you're thinking is good---you might be thinking that
>> sendmail wouldn't want credentials traveling in the clear, but I believe
>> it does accept that if we compile it with AUTH PLAIN, say. I think
>> saying STARTTLS before will not be required.
>
> You never *compile* Sendmail with "AUTH PLAIN", those are m4 configuration
> file options.

Point taken. On the other hand, we could perhaps call the process of
writing the sendmail.cf file as a certain compilation? Because we read
a file that seems to be written in a certain domain-specific language
and then a program writes the sendmail.cf, which looks like a
lower-level type of language. :)

Bjørn Mork <bjorn@mork.no> writes:

> Wolfgang Agnes <wagnes@jemoni.to> writes:
>
>> Thanks! I don't know how to investigate it further after I type
>> STARTTLS. I believe that after I issue STARTTLS, I'd have to speak the
>> TLS protocol, which I don't know how.
>
> You can have openssl connect and issue the STARTTLS, and then continue
> with TLS. Like so:
>
> bjorn@miraculix:~$ openssl s_client -connect canardo:25 -starttls smtp -quiet
> Can't use SSL_get_servername
> depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
> verify return:1
> depth=1 C = US, O = Let's Encrypt, CN = R11
> verify return:1
> depth=0 CN = canardo.mork.no
> verify return:1
> 250 HELP
> ehlo du
> 250-canardo.dyn.mork.no Hello
> [IPv6:2a01:799:10de:2e0a:149a:2079:3a3a:3457], pleased to meet you
> 250-ENHANCEDSTATUSCODES
> 250-PIPELINING
> 250-EXPN
> 250-VERB
> 250-8BITMIME
> 250-SIZE
> 250-DSN
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250-DELIVERBY
> 250 HELP
> quit
> 221 2.0.0 canardo.dyn.mork.no closing connection

Nice! Thanks for the illustration. Didn't know openssl also made that
pretty easy.

Andrzej Adam Filip <anfi@onet.eu> writes:

> Wolfgang Agnes <wagnes@jemoni.to> wrote:
>> […]
>> --8<-------------------------------------------------------->8---
>> 220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Fri, 8 Nov 2024
>> 07:51:24 -0300 (-03)
>> EHLO localhost
>> 250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
>> 250-ENHANCEDSTATUSCODES
>> 250-PIPELINING
>> 250-8BITMIME
>> 250-SIZE
>> 250-DSN
>> 250-ETRN
>> 250-STARTTLS
>> 250-DELIVERBY
>> 250 HELP
>> --8<-------------------------------------------------------->8---
>>
>> I'll have to recompile Sendmail.
>
> Take a look at https://www.sendmail.org/~ca/email/auth.html

Thanks! I now have support for DIGEST-MD5 and CRAM-MD5.

--8<-------------------------------------------------------->8---
# sendmail -bs -Am
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Sat, 9 Nov 2024 17:26:51 -0300 (-03)
ehlo localhost
250-my.host.name Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
--8<-------------------------------------------------------->8---

I made sure not to add PLAIN or LOGIN, although I'd accept such
authentications if I can make sure the conversation would be always
wrapped in TLS, which I think it would be desirable for port 587. But I
don't if that's easy to do.

Anyway, thanks for the help.

Wolfgang Agnes wrote:

> I made sure not to add PLAIN or LOGIN, although I'd accept such
> authentications if I can make sure the conversation would be always
> wrapped in TLS, which I think it would be desirable for port 587. But I
> don't if that's easy to do.

Did you read the fine documentation?

AuthOptions
p don't permit mechanisms susceptible to simple
passive attack (e.g., PLAIN, LOGIN), unless a
security layer is active.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Claus Aßmann
<INVALID_NO_CC_REMOVE_IF_YOU_DO_NOT_POST_ml+sendmail(-no-copies-please)@esmtp.org>
writes:

> Wolfgang Agnes wrote:
>
>> I made sure not to add PLAIN or LOGIN, although I'd accept such
>> authentications if I can make sure the conversation would be always
>> wrapped in TLS, which I think it would be desirable for port 587. But I
>> don't if that's easy to do.
>
> Did you read the fine documentation?
>
>
> AuthOptions
> p don't permit mechanisms susceptible to simple
> passive attack (e.g., PLAIN, LOGIN), unless a
> security layer is active.

Thanks! I am. I'm reading a fine and well-written book in its fourth
edition---thanks very much for your attention. :) Now you reminded me
about AuthOptions. And the p-option is now in place and things look
brigther now. Thanks very much.

%openssl s_client -starttls smtp -connect my.host.name:587 -quiet
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = E5
verify return:1
depth=0 CN = my.host.name
verify return:1
250 HELP
ehlo localhost
250-my.host.name Hello my.host.name [1.2.3.4], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit
221 2.0.0 my.host.name closing connection

(I then enabled PLAIN as well.)

%telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 my.host.name ESMTP Sendmail 8.18.1/8.18.1; Mon, 11 Nov 2024 08:23:43 -0300 (-03)
ehlo localhost
250-my.host.name Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
quit
221 2.0.0 my.host.name closing connection
Connection closed by foreign host.