Subject: Re: smtp.gmail.com and nmh | post: problem initializing server; [BHST] TLS is not supported
From: Ken Hornstein
Date: Wed, 19 Aug 2020 13:50:17 -0400
>'TLS is not supported' Does this mean I need to rebuild nmh?
Oh, yes (I was wondering why your -snoop output immediately did RSET,
and I guess I never tested that behavior). We try to make sure all of
the packaged versions of nmh are built with TLS support, so if you are
using a packaged version please let us know because that should be fixed.
You ALSO want to be building with cyrus-sasl support, just to save you
some time, and probably add in OAuth2 support as well just in case you
need it later.
>Minor question: Is sasl used by tls? My sendmail MTA uses "STARTTLS", and I
>had to set that up, but I'm not familiar with sasl.
>
>https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer
Short answer: yes.
Longer answer: it's a bit of a confusing mess, but yes. I'm simplifying things
a WHOLE lot, but for our purposes TLS just does the session encryption
(via STARTTLS or what I call "initial TLS"). The actual authentication
for many protocols uses SASL, and there are a whole bunch of different
SASL mechanisms. I suspect you're using the PLAIN SASL mechanism which
is basically a plaintext username/password, and for SMTP that will look
like:
AUTH PLAIN <username/password base64-encoded>
To muddy the waters a bit, SASL _also_ can do session encryption, but
that's mechanism-specific (we do support that and I use it so I know it
works). Some protocols (like POP) also take a username/password OUTSIDE
of the SASL protocol exchange. Most newer protocols just specify SASL.
I realize that SMTP is not a "new" protocol, but the authentication
piece was added relatively recently.
To simplify things for the modern Internet:
- You always want -tls or -initialtls
- You almost always want -sasl
- Once you figure out which mechanism you are using via -snoop
(it's probably going to be PLAIN), you should specify -saslmech
explicitly. If you don't then we will pick the "best" one we can
do, which usually works fine.
>>And if you don't mind me asking ... I would like to make this information
>>more easily findable. Were you just overwhelmed at where to start?
>
>Maybe a bit lazy and overwhelmed. I think a few more examples would not hurt,
>or if the man pages referred to another doc with examples. Your help, Ralph's
>help, the man pages, and an 'egrep -r' of my nmh mailing list tree helped.
Thanks, I appreciate the feedback. We are trying to make this better
and people ask this a lot, so clearly we need to improve things. I think
I will work on writing an authentication-specific man page.
--Ken
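The two pieces Ken describes above, the base64 "AUTH PLAIN" blob and the rule that you only hand it over once STARTTLS has happened, as an added worked example. This is not nmh code and not Ken's; it is a stand-alone Python model written for this page. The server side (FakeSmtpServer), the client.example / smtp.example.invalid host names and the alice@example.com account are all constructed for the example; the PLAIN encoding follows RFC 4616 (optional authzid, NUL, authcid, NUL, password, then base64). The client mirrors the behaviour of a "-tls -sasl -saslmech PLAIN" style configuration: it reads the EHLO extensions, bails out (the thread's -snoop output showed an RSET at this point) if STARTTLS is not offered, and only after the TLS step does it re-EHLO, check that PLAIN is advertised, and send the credentials.

```python
import base64

# Constructed credentials for the example; not a real account.
ACCOUNTS = {"alice@example.com": "s3cret"}


def sasl_plain_initial_response(authcid, passwd, authzid=""):
    """RFC 4616 PLAIN: [authzid] NUL authcid NUL passwd, base64-encoded for SMTP AUTH."""
    for field in (authzid, authcid, passwd):
        if "\x00" in field:
            raise ValueError("NUL is the field separator and may not appear in a field")
    raw = f"{authzid}\x00{authcid}\x00{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_sasl_plain(b64):
    """Server side of the same encoding; returns (authzid, authcid, passwd)."""
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    parts = raw.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must have exactly three NUL-separated fields")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


class FakeSmtpServer:
    """Constructed server: advertises AUTH only on the TLS-protected session
    (as smtp.gmail.com does after STARTTLS). No real sockets or TLS."""

    def __init__(self, offer_starttls=True, accounts=ACCOUNTS):
        self.offer_starttls = offer_starttls
        self.accounts = accounts
        self.tls = False
        self.authed = None

    def handle(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-smtp.example.invalid"]
            if self.tls:
                exts.append("250-AUTH PLAIN LOGIN")
            elif self.offer_starttls:
                exts.append("250-STARTTLS")
            exts.append("250 8BITMIME")
            return exts
        if verb == "STARTTLS":
            if not self.offer_starttls or self.tls:
                return ["454 TLS not available"]
            self.tls = True  # a real server performs the TLS handshake here
            return ["220 Ready to start TLS"]
        if verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if not self.tls:
                return ["530 Must issue a STARTTLS command first"]
            if mech.upper() != "PLAIN" or not initial:
                return ["504 Unrecognized authentication type"]
            try:
                _authzid, authcid, passwd = parse_sasl_plain(initial)
            except ValueError:
                return ["501 Cannot decode response"]
            if self.accounts.get(authcid) == passwd:
                self.authed = authcid
                return ["235 Authentication successful"]
            return ["535 Authentication credentials invalid"]
        if verb == "RSET":
            return ["250 OK"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["502 Command not implemented"]


def client_session(server, user, passwd, mech="PLAIN"):
    """Client side: never send PLAIN credentials on an unencrypted session.
    Returns (transcript, status)."""
    log = []

    def send(line):
        log.append("C: " + line)
        replies = server.handle(line)
        log.extend("S: " + r for r in replies)
        return replies

    ext = send("EHLO client.example")
    if not any(r[4:].upper() == "STARTTLS" for r in ext):
        send("RSET")  # bail out instead of leaking the password in the clear
        send("QUIT")
        return log, "TLS is not supported"
    if not send("STARTTLS")[0].startswith("220"):
        send("QUIT")
        return log, "STARTTLS refused"
    ext = send("EHLO client.example")  # extensions must be re-read after TLS
    mechs = []
    for r in ext:
        if r[4:].upper().startswith("AUTH "):
            mechs = r[9:].upper().split()
    if mech not in mechs:
        send("QUIT")
        return log, f"server does not offer {mech}"
    reply = send(f"AUTH PLAIN {sasl_plain_initial_response(user, passwd)}")
    status = "authenticated" if reply[0].startswith("235") else "auth failed"
    send("QUIT")
    return log, status


if __name__ == "__main__":
    for line in client_session(FakeSmtpServer(), "alice@example.com", "s3cret")[0]:
        print(line)
```

Running it prints the full client/server exchange; the AUTH PLAIN line only appears after the "220 Ready to start TLS" reply, and against a server that does not offer STARTTLS the client sends RSET and QUIT without ever sending credentials. The base64 blob is reversible by anyone who sees it, which is the whole reason for insisting on -tls or -initialtls before -sasl with the PLAIN mechanism.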