Re: Dragonfly Mail Agent (dma) in the base system

From: <michael.osipov_at_siemens.com>
Date: Sun, 30 Jan 2022 14:01:33 UTC
Hi Ed,

thanks for raising this; it is just in time for us. I'd like to describe 
what both cover and do not cover, and what I would expect from a minimal MTA.
I am on 12-STABLE/12.3-RELEASE.

We solely use sendmail with relay via sendmail invocation or SMTP on 
localhost:25. Minimal configuration for scripts and applications running 
on hosts and jails.
Our current corporate messaging service is being phased out for a new 
one which requires authentication via LOGIN or PLAIN and mandatory 
STARTTLS; the previous one was anonymous and unencrypted.

Sendmail: The biggest problem is that authentication strictly requires 
Cyrus SASL, even for trivial ones like PLAIN/LOGIN. According to the 
handbook you must recompile sendmail from base with Cyrus SASL from 
ports to make this possible. A showstopper actually, for two reasons:
1. I don't like mixing base and ports, it just creates a messy system.
2. While this may work with hosts, when you have jails running off a 
RELEASE in Bastille this obviously will not work.
Not going to work with sendmail easily.

DMA: Disclaimer: I haven't tried it, but I have read the documentation and source 
code. Although it supports TLS, I don't see any of these [1], and I fail to 
see how it verifies the peer. I have never seen anything that provides the 
server's fingerprint for verification. It very much feels like an 
SSH-like approach. It does not listen, as documented, on localhost, so 
applications supporting SMTP only will need extra configuration to reach 
out to the relay host directly. Central config at the MTA side is not possible 
anymore. Although I don't need certificate-based authentication against 
the relay and DMA supports it, it does not support using a passphrase 
for the certificate key file like HTTPd supports through mod_ssl. That should 
be a no-brainer these days.

Requirements for a simplistic MTA with a relay host:
* Support TLS or STARTTLS through OpenSSL in base
* Verify the server's certificate chain against the default certstore 
(/etc/ssl/certs) and log success/failure; e.g., sendmail does this after 
config
* Properly rewrite FROM for local users user@localhost or even <> when 
delivered with sendmail executable
* Accept messages on localhost:25 or a configurable loopback address in 
general (e.g., multihomed with cloned interface and jails) for those 
applications which only support SMTP (e.g., Java Mail or other 
programming libraries)

The issues with certificates and OpenSSL in the base system I have 
already extensively discussed with kevans@ [2].

I hope this can be put into consideration.

Regards,

Michael

[1] 
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
[2] https://reviews.freebsd.org/D31487#710650
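The relay-submission behaviour the requirements list above asks for (mandatory STARTTLS, chain and name verification against the default certificate store, PLAIN/LOGIN only after the TLS channel is up), written out as an added example in Python's standard `ssl`/`smtplib`. This is not code from the thread, from dma or from sendmail; the relay host name, port and the environment variables for credentials are placeholders chosen for the example, and `weak_context()` is included only to show, side by side, the "encrypt but don't verify" setting the message objects to.

```python
"""Submit mail to a relay host with mandatory STARTTLS and peer verification.

Added example, not part of the mailing-list thread or of dma/sendmail.
Assumptions: RELAY_HOST/RELAY_PORT are placeholders, credentials come from
the environment, and the system CA store (e.g. /etc/ssl/certs on FreeBSD)
is what the default context loads.
"""
import os
import smtplib
import ssl

RELAY_HOST = "relay.example.invalid"   # placeholder, not a real relay
RELAY_PORT = 587


def make_relay_context(cafile=None, capath=None):
    """Client TLS context that enforces what the requirements ask for:
    the peer chain must validate against the default store (or the given
    locations) and the certificate name must match the relay host."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        # e.g. capath="/etc/ssl/certs" to pin the store explicitly
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def weak_context():
    """The setting the message warns about: TLS is negotiated, but the
    relay's identity is never checked, so an on-path relay is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx):
    """Expose the verification settings so they can be logged or asserted."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
        "x509_loaded": ctx.cert_store_stats()["x509"],
    }


def require_starttls(smtp):
    """Refuse to continue if the relay did not advertise STARTTLS in EHLO,
    rather than silently falling back to cleartext."""
    if not smtp.has_extn("starttls"):
        raise RuntimeError("relay does not offer STARTTLS; refusing cleartext")


def send_via_relay(message, sender, recipients, ctx=None,
                   host=RELAY_HOST, port=RELAY_PORT):
    """Submit `message` (bytes or str) through the relay. A chain or name
    mismatch surfaces as ssl.SSLCertVerificationError from starttls()."""
    ctx = ctx or make_relay_context()
    username = os.environ["RELAY_USER"]        # placeholder credential source
    password = os.environ["RELAY_PASSWORD"]
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        require_starttls(smtp)
        smtp.starttls(context=ctx)   # verification happens here
        smtp.ehlo()                  # re-EHLO: AUTH is only offered over TLS
        smtp.login(username, password)   # PLAIN/LOGIN, now inside TLS
        return smtp.sendmail(sender, recipients, message)


if __name__ == "__main__":
    print(describe_context(make_relay_context()))
    print(describe_context(weak_context()))
```

`describe_context` is what you would log at startup to get the "success/failure" visibility the requirements ask for; the `x509_loaded` count being zero is the quickest sign that the default store was not found and every handshake will fail verification.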