Mental on Wed, 20 Mar 2002 16:39:32 -0500



Re: [PLUG] OT: question about mail headers


On Wed, 2002-03-20 at 15:27, Mike Leone wrote:
> Hey Mental
> 
> I see this header in your email:
> 
> Received: from localhost.localdomain (root@localhost [127.0.0.1])
>  (authenticated bits=0)
>  by hades.neverlight.com (8.12.2/8.12.2) with ESMTP id g2KKEtpB005712
>  for <plug@lists.phillylinux.org>; Wed, 20 Mar 2002 15:15:00 -0500
> 
> What exactly are "authenticated bits"? :-) Is it a sendmail thing?
> 

That's the weak-ass authentication I use to relay through hades. :)

If I were using mozilla, you'd see this:
Received: from neverlight.com (pc76int2.vwrsp.com [66.54.172.10])
(authenticated bits=0) by hades.neverlight.com (8.12.2/8.12.2) with
ESMTP id g2KL2dpB006332 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128
verify=NO) for <mental@neverlight.com>; Wed, 20 Mar 2002 16:02:46 -0500

Not that it's much better.

Essentially.... oh boy. This is going to be a ramble, but I'm waiting on
something anyhow.

Short answer: Those headers are the byproduct of smtp authentication.


Long answer: RFC2487, RFC2554 and a couple others (but those 2 are the
interesting ones) outline how to allow users to authenticate before you
allow them to relay. This is great when you have a bunch of people who
want roaming access, but don't want to have to use their dialup's smtp
server to send word docs, Powerpoint presentations, pornography and
links to the hamster dance to each other. 

Sure, there's stuff like pop before send, but that's a hack (and it's
still a clear protocol). So... the powers that be decided it was time
for a way to negotiate a secure connection with the mail server
(STARTTLS), then login (AUTH). That's what you're seeing.

There are several types of authentication. The most basic and
unfortunately the most common is PLAIN, or LOGIN. This is just user
name/password stuff. If you really wanted to be fancy, you'd use X.500
certificates. I'm lazy. I just login. I depend on the negotiated SSL
tunnel to keep prying eyes from seeing the nonsense I spew forth to the
rest of the world.

The reason Mozilla's crud looks different than Evolution's goo is
because the evolution developers decided that rather than supporting
STARTTLS like every other sane rational client, they'd just support
SMTPS (S is for secure). I guess it was easier. And still, it's a nice
client. SMTPS support can be compiled into sendmail easily enough (as
well as AUTH and STARTTLS). 

SMTPS just listens on a different port and negotiates its ssl connection
before it does anything else. Otherwise your mail client should issue a
STARTTLS command BEFORE it does the auth. STARTTLS should look like
this:

220 hades.neverlight.com ESMTP Sendmail 8.12.2/8.12.2; Wed, 20 Mar 2002
16:02:39 -0500
EHLO neverlight.com
250-hades.neverlight.com Hello pc76int2.vwrsp.com [66.54.172.10],
pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
?ÙgËA¤A®).6³ê?ü4,??öú$P¨§!'O$m???èî???Ué?á?¥!8]å0ÿEÙq?Þ?2zí8??n$_<¬?¤Nº³)þ+¶½?ë{mzãgÑã<Ìn:??5ußKuÃ?T??
???GÐ}¸É¯hc^¦5cÄ$l&â¦_ûÇ?Æ?Þ?? )Ã*?ùÄ?Ï¿Úª·Ãô?¨LÂ~Qt0nbF õ?Èçj)pѧ­½?ÃZÏ¡{ÀarCaõÓMþ@a?þüùsÅü(?ÖSæ.²à?}ÿb?/üÂI÷,ÛP5ìôº{]???[Ô$D+Ý­òÁÆ(Ò?1

See that? Exactly. :)

Otherwise, you'll need to run a smtps daemon. The fact that the channel
isn't encrypted doesn't necessarily preclude you from doing an AUTH. But
you can configure it to. The goal for me isn't so much the AUTH as it is
securing the AUTH. :)

As far as the bits go, I'm fairly certain that if I were using a cert,
I'd be authenticated with a higher number of bits. :) LOGIN is
essentially clear. 


Still, if I wanted to be more paranoid, I'd use certificate based
authentication and/or kerberos. But, I figure SSL is enough to prevent
the casual bogarting of my username/password, and really, the only thing
I stand to lose out on are my drippy love notes to my grrly.

This is of course different from pgp. Who cares if your message body is
'secure' if the whole world can see you logging in to the mail server to
send it? :)



Oh, and yes, I wrap up my imap connection in an ssl tunnel too. 

And no, this isn't Sendmail specific. Exchange should support it.
Postfix does (as far as I'm aware), and so should exim. I use sendmail
because I understand it and it works. The only difficult bits are
getting SASL, and LDAP linked to sendmail properly. And even that's not
too bad.


-- 
 
Mental (Mental@NeverLight.com)

I wrote a few children's books...  Not on purpose.
--Steven Wright

GPG public key: http://www.neverlight.com/Mental.asc
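The post's two Received headers make a handy audit target: the "(authenticated bits=0)" clause says sendmail accepted an AUTH, and only the second header carries the "(version=... cipher=... bits=... verify=...)" clause that says sendmail itself saw TLS on that hop. The parser below is an added example, not part of the original post or of sendmail; it unfolds a sendmail 8.12-style Received header, pulls out those clauses, and labels the hop the way an admin checking for AUTH LOGIN/PLAIN sent in the clear would. It assumes the header layout shown above; a hop where an SMTPS wrapper terminated TLS in front of sendmail (such as the loopback hop in the first header) carries no TLS clause, so the "no TLS seen" label means sendmail did not see TLS, not necessarily that the wire was plaintext.

```python
import re

# Constructed samples: the two Received headers quoted in the post above.
EVOLUTION_HDR = """Received: from localhost.localdomain (root@localhost [127.0.0.1])
 (authenticated bits=0)
 by hades.neverlight.com (8.12.2/8.12.2) with ESMTP id g2KKEtpB005712
 for <plug@lists.phillylinux.org>; Wed, 20 Mar 2002 15:15:00 -0500"""

MOZILLA_HDR = """Received: from neverlight.com (pc76int2.vwrsp.com [66.54.172.10])
 (authenticated bits=0) by hades.neverlight.com (8.12.2/8.12.2) with
 ESMTP id g2KL2dpB006332 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128
 verify=NO) for <mental@neverlight.com>; Wed, 20 Mar 2002 16:02:46 -0500"""

# Clauses sendmail 8.12 writes into a Received header (layout assumed from the post).
FROM_RE = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)")
AUTH_RE = re.compile(r"\(authenticated bits=(?P<bits>\d+)\)")
TLS_RE = re.compile(r"\(version=(?P<version>\S+) cipher=(?P<cipher>\S+) "
                    r"bits=(?P<bits>\d+) verify=(?P<verify>\S+)\)")


def parse_received(header):
    """Unfold a Received header and extract HELO name, client IP, AUTH and TLS data."""
    flat = " ".join(part.strip() for part in header.splitlines())
    info = {"helo": None, "ip": None, "auth_bits": None, "tls": None}
    m = FROM_RE.search(flat)
    if m:
        info["helo"], info["ip"] = m.group("helo"), m.group("ip")
    m = AUTH_RE.search(flat)
    if m:
        info["auth_bits"] = int(m.group("bits"))
    m = TLS_RE.search(flat)
    if m:
        info["tls"] = {"version": m.group("version"), "cipher": m.group("cipher"),
                       "bits": int(m.group("bits")), "verify": m.group("verify")}
    return info


def classify_relay(info):
    """Label the hop for an audit of authenticated relaying."""
    if info["auth_bits"] is None:
        return "unauthenticated"
    if info["tls"] is None:
        # AUTH accepted but no TLS clause: sendmail saw the LOGIN/PLAIN exchange unencrypted.
        return "auth-no-tls-seen"
    if info["tls"]["verify"] != "OK":
        # Encrypted, but the client presented no verifiable certificate (password-only AUTH).
        return "auth-over-tls-unverified-cert"
    return "auth-over-tls"


def audit(header):
    return classify_relay(parse_received(header))
```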
