sendmail AUTH_OPTIONS

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Jun 4 00:09:21 PDT 2003


On Tue, Jun 03, 2003 at 07:47:54PM -0400, Scott Hiemstra wrote:
> Noah,
> 
> I'm no sendmail expert, I prefer qmail myself but with some creative
> googling I found this which I believe will answer your question.
> 
> http://www.sendmail.org/m4/tweaking_config.html#confAUTH_OPTIONS

That is a good resource (essentially a HTML-ized version of
/usr/share/sendmail/cf/README), but the original poster might find
this chunk out of /usr/share/doc/smm/08.sendmailop/paper.ascii.gz more
useful:

      AuthOptions
                [no short name] List  of  options  for  SMTP
                AUTH  consisting  of  single characters with
                intervening white space or commas.

                    A   Use the AUTH= parameter for the MAIL FROM
                        command only when authentication succeeded.
                        This can be used as a workaround for broken
                        MTAs that do not implement RFC 2554 correctly.
                    a   protection from active (non-dictionary) attacks
                        during authentication exchange.
                    c   require mechanisms which pass client credentials,
                        and allow mechanisms which can pass credentials
                        to do so.
                    d   don't permit mechanisms susceptible to passive
                        dictionary attack.
                    f   require forward secrecy between sessions
                        (breaking one won't help break next).
                    p   don't permit mechanisms susceptible to simple
                        passive attack (e.g., PLAIN, LOGIN), unless a
                        security layer is active.
                    y   don't permit mechanisms that allow anonymous login.

                The first option applies to  sendmail  as  a
                client, the others to a server.  Example:

                    O AuthOptions=p,y

                would  disallow  ANONYMOUS as AUTH mechanism
                and would allow PLAIN and LOGIN  only  if  a
                security  layer (e.g., provided by STARTTLS)
                is already active.  The  options  'a',  'c',
                'd',  'f',  'p', and 'y' refer to properties
                of the selected SASL  mechanisms.   Explana-
                tions  of  these  properties can be found in

               [...]

                the Cyrus SASL documentation.

So the OP's sendmail.mc file extract:

    define(`confAUTH_OPTIONS', `A p')dnl

is absolutely fine. Either commas or spaces can be used to separate
the options, so he could use the equivalent:

    define(`confAUTH_OPTIONS', `A,p')dnl

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
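
Added example, not part of the original message or of sendmail itself: a small Python check that reads a confAUTH_OPTIONS line (.mc form) or an AuthOptions line (.cf form), splits it on the documented separators (white space or commas), and reports flags that are undocumented or server-side protections that are not set. The function names are hypothetical, and treating any token that is not one of the documented single characters as an error is an assumption based on the format described in the excerpt above.

```python
import re

# Flag meanings, taken from the AuthOptions documentation quoted above.
AUTH_FLAGS = {
    "A": "client: AUTH= on MAIL FROM only when authentication succeeded",
    "a": "server: protection from active (non-dictionary) attacks",
    "c": "server: require mechanisms which pass client credentials",
    "d": "server: no mechanisms susceptible to passive dictionary attack",
    "f": "server: require forward secrecy between sessions",
    "p": "server: no PLAIN/LOGIN unless a security layer is active",
    "y": "server: no mechanisms that allow anonymous login",
}

# .mc form:  define(`confAUTH_OPTIONS', `A p')dnl     .cf form:  O AuthOptions=p,y
MC_RE = re.compile(r"define\(\s*`confAUTH_OPTIONS'\s*,\s*`([^']*)'\s*\)")
CF_RE = re.compile(r"O\s+AuthOptions\s*=\s*(.*)$")


def parse_auth_options(line):
    """Return the flags set on one config line, or None if it sets none."""
    line = line.strip()
    if line.startswith(("dnl", "#")):      # commented-out m4 / cf line
        return None
    m = MC_RE.search(line) or CF_RE.match(line)
    if m is None:
        return None
    # Documented separators: white space or commas.
    return [tok for tok in re.split(r"[\s,]+", m.group(1)) if tok]


def audit(line):
    """Return (flags, findings); flags is None when the line is not relevant."""
    flags = parse_auth_options(line)
    if flags is None:
        return None, []
    findings = [f"{f!r} is not a documented flag" for f in flags
                if f not in AUTH_FLAGS]
    if "p" not in flags:
        findings.append("'p' not set: PLAIN/LOGIN allowed without a security layer")
    if "y" not in flags:
        findings.append("'y' not set: anonymous-login mechanisms not excluded")
    return flags, findings


if __name__ == "__main__":
    for sample in ("define(`confAUTH_OPTIONS', `A p')dnl",   # from the thread
                   "define(`confAUTH_OPTIONS', `A,p')dnl",   # from the thread
                   "O AuthOptions=p,y"):                     # documentation example
        print(sample, "->", audit(sample))
```

Both forms from the thread parse to the same flags, A and p, so the only finding for them is that 'y' is not set.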