nmh-workers is apparently not processing subscriptions currently, and Doug
is apparently too busy to fix it, so Ken Hornstein asked me to forward this
mail to the list in his stead:

------- Forwarded Message

Return-Path: [EMAIL PROTECTED]
Delivery-Date: Tue May 23 22:05:25 2000
Received: (from uucp@localhost)
        by dilvish.speed.net (8.9.3/8.9.3) id WAA73378
        for <[EMAIL PROTECTED]>; Tue, 23 May 2000 22:05:23 -0700
X-Authentication-Warning: dilvish.speed.net: uucp set sender to
        <[EMAIL PROTECTED]> using -f
Received: from ginger.cmf.nrl.navy.mil(134.207.10.161)
 via SMTP by dilvish, id smtpdkLnVUa; Tue May 23 22:05:16 2000
Received: from pendragon.cmf.nrl.navy.mil (pendragon.cmf.nrl.navy.mil [134.207.5.3])
        by ginger.cmf.nrl.navy.mil (8.10.1/8.10.1) with ESMTP id e4O586t27237;
        Wed, 24 May 2000 01:08:07 -0400 (EDT)
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: SASL patches available for nmh 1.0.4
X-Face: "Evs"_GpJ]],xS)b$T2#V&{KfP_i2`TlPrY$Iv9+TQ!6+`~+l)#7I)0xr1>4hfd{#0B4
        WIn3jU;bql;{2Uq%zw5bF4?%F&&j8@KaT?#vBGk}u07<+6/`.F-3_GA@6Bq5gN9\+s;_d
        gD\SW #]iN_U0 KUmOR.P<|um5yP<ea#^"SJK;C*}fMI;Mv(aiO2z~9n.w?@\>kEpSD@*e`
Date: Wed, 24 May 2000 01:08:04 -0400
From: Ken Hornstein <[EMAIL PROTECTED]>

(Note: because of mailing list problems, I can't subscribe to this list.
If you're going to reply to this note, please make sure to include me
as well as the mailing list address, if appropriate).

I've just finished up some code to support SASL authentication for
nmh 1.0.4.  This code is available at:

ftp://ftp.cmf.nrl.navy.mil/pub/kenh/nmh-sasl-patch-1.0.4

Some explanation:

SASL is short for "Simple Authentication and Security Layer".  It is
an IETF standard for doing authentication in application protocols,
and is supported by protocols such as POP, IMAP, LDAP, & SMTP.  A
more complete explanation of SASL can be found in the IETF RFC 2222,
but think of SASL as a way of negotiating a particular security
mechanism out of many that a server could offer, authenticating to
that server, and optionally performing integrity/encryption over
the communication channel.

The code I've written uses a SASL library called Cyrus-SASL; it's
developed by CMU as part of their Cyrus mail project.  You can
retrieve it from:

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

This library has the advantage that it abstracts away all of the
details of particular SASL mechanisms; if your code is written
properly, you automatically support any of the authentication
mechanisms supported by the Cyrus SASL library (individual
authentication mechanisms are provided as plugins).  Included
in the Cyrus-SASL libraries are authentication mechanisms for
CRAM-MD5, Kerberos 4, Kerberos 5 via GSSAPI, and SRP.

The code in the abovementioned patch implements SASL for POP and
SMTP (if you are using SMTP as your MTA).  I've tested it with the
CRAM-MD5 & GSSAPI mechanisms.  I've also added support for encryption
for POP if the mechanism supports it (not all mechanisms do).
Encryption for SMTP is currently not supported (mainly because my
mail server doesn't do SASL encryption yet).

If you're wondering what servers support SASL, well, here's a list.
There are probably more.

POP:
        Cyrus-IMAP (which includes a pop3 server), available at
        ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/

        Qualcomm qpopper, available from
        ftp://ftp.qualcomm.com/eudora/servers/unix/popper/
        requires a patch located at:
        ftp://ftp.cmf.nrl.navy.mil/pub/kenh/qpopper-sasl-patch-3.0.2

SMTP:
        Sendmail 8.10 and above, available from http://www.sendmail.org

        qmail has a patch claiming to support SMTP authentication, but
        on the one server I tried it on, it did not work (qmail was
        returning the wrong initial challenge).  YMMV.

There isn't a _whole_ lot of documentation for these patches, but I
did update the appropriate man pages :-)

Questions or comments are welcome.  Enjoy!

- --Ken

------- End of Forwarded Message

-----------------------------------------------------------------------
Dan Harkless                   | To prevent SPAM contamination, please 
[EMAIL PROTECTED]      | do not post this private email address
SpeedGate Communications, Inc. | to the USENET or WWW.  Thank you.     
