[2024-07-25 11:10] Christian Schulte <[email protected]>
> I'd like to set up opensmtpd on my laptop to use a self-hosted smarthost.
> In smtpd.conf I have:
>
>
> action "outbound" relay host smtp+tls://user@smarthost:587 auth 
> <secrets> tls no-verify
>
> The no-verify is due to the smarthost using a self signed certificate.

There is a (currently not fully documented) ca option for the relay
action. You can use this to verify the smarthost.

> [...]
> Jul 25 10:57:52 x500 smtpd[29053]: 7ebb7ff8c6ccd82b mta error reason=no 
> supported AUTH method
>
> [...]
> 250-AUTH DIGEST-MD5 CRAM-MD5
> 250-STARTTLS
> 250-DELIVERBY
> 250 HELP
>
> Is DIGEST-MD5 and CRAM-MD5 supported by OpenSMTPD?

No, only "auth plain" and "auth login" are supported.

> I would not want to
> enable clear text passwords on the smarthost. How to set up OpenSMTPD to
> talk to that smarthost using STARTTLS and the supported AUTH methods?

First of all, it's not a good idea to allow auth without TLS. Also, MD5
is not considered secure anymore.

So for your problem: In general there are two ways for remote password
auth. Send the plaintext password over an encrypted channel, or use some
challenge response method (i.e. CRAM or DIGEST) to keep the password
secret from listeners. In both cases the channel must be authenticated
to be secure against an active attacker.

The plain version has the benefit that you can store a hash of the password
on the server. So when somehow your database leaks, an attacker can't use
the password. With the challenge response method your server must store
the password in plaintext.

Because with server authentication you get encryption for free[0], it's
considered more secure to use plain text auth and store only a hash of
the password. This is also secure with self signed certs, because most
user agents use trust on first use when the server uses a self signed
cert.

So I would suggest to copy your cert to the client and configure a ca
to verify the server. Keep in mind your cert needs to have the hostname
in the subject or subjectAltName. Then hash the passwords on the server
and change the authentication method to plain or login.

Philipp

[0] I assume over the Internet
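Added example (not part of the thread, and not OpenSMTPD code) illustrating the trade-off Philipp describes: a CRAM-MD5 server can only check a response by recomputing the HMAC with the cleartext password, whereas a PLAIN server receives the password inside TLS and can verify it against a salted hash. The user name, password and challenge are constructed sample values, and the PBKDF2-HMAC-SHA256 hash format is an assumption made to keep the example self-contained (OpenSMTPD's own credential tables use crypt(3)-style hashes instead).

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration; not from the thread.
USERNAME = "user"
PASSWORD = "correct horse battery staple"


# --- Challenge/response: CRAM-MD5 (RFC 2195) ---------------------------------
# The client answers the server's challenge with HMAC-MD5 keyed by the password.
# To check that answer the server must recompute the same HMAC, which is only
# possible if its credential store holds the cleartext password.

def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: 'username hexdigest' (base64-wrapped on the wire)."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(stored_cleartext: str, challenge: bytes, response: str) -> bool:
    """Server side: needs the cleartext password from its credential store."""
    _username, _, digest = response.partition(" ")
    expected = hmac.new(stored_cleartext.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# --- PLAIN over TLS -----------------------------------------------------------
# The client sends the cleartext password inside the server-authenticated TLS
# channel, so the server can verify it against a salted, slow hash and never
# keep the secret itself. PBKDF2-HMAC-SHA256 is an assumption made here; it is
# not the hash OpenSMTPD uses.

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Produce the record the server stores; the password itself is not in it."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def plain_verify(stored_hash: str, password: str) -> bool:
    """Server side: recompute the hash with the stored salt and compare."""
    _algo, rounds, salt_hex, dk_hex = stored_hash.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


# --- What a leaked credential store gives an attacker -------------------------

def password_recoverable_from_leak(stored_value: str, password: str) -> bool:
    """True if the stored record literally contains the password."""
    return password in stored_value


if __name__ == "__main__":
    challenge = b"<1896.697170952@localhost>"   # constructed server challenge
    resp = cram_md5_response(USERNAME, PASSWORD, challenge)
    print("CRAM-MD5 verifies:", cram_md5_verify(PASSWORD, challenge, resp))
    h = hash_password(PASSWORD)
    print("PLAIN verifies:", plain_verify(h, PASSWORD))
    print("CRAM store leaks password:", password_recoverable_from_leak(PASSWORD, PASSWORD))
    print("hashed store leaks password:", password_recoverable_from_leak(h, PASSWORD))
```

The CRAM-MD5 store has to contain the password verbatim (the "stored_cleartext" argument), which is exactly what a database leak exposes; the PLAIN store only ever holds the salted hash, and the cleartext is protected in transit by the TLS channel, which is why that channel must be authenticated (a CA-verified cert rather than `tls no-verify`).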
