Ken Hornstein wrote in <20190710152824.2d9b961...@pb-smtp21.pobox.com>:
 ...
 |all of the time? Secondly ... I am seeing more and more authentication
 |methods that require keeping some kind of state and possibly user
 |interaction in the MUA (GSSAPI and XOAUTH2 are two examples that I have
 |personally encountered), and that makes doing authentication in the MTA
I could not disagree more, and if it's for political reasons; I think that today with TLS plain passwords are all you need, other cruft should leave codebases as soon as possible. The only exception comes with the availability of a system like Kerberos, which can provide you local tickets, with timeouts etc. as requested, shared in between multiple applications in a secure way. I once had "kdestroy -A" in my shell logout file, today I would hook that into my on-lid-close script.

Unfortunately I am too stupid to do the real thing and use GELI on FreeBSD aka dm-crypt/LUKS on Linux, i.e. block level encryption, but even I have an encfs directory which serves my config files, and one encfs loaded once a week which stores the keys. The former includes a PGP encrypted .netrc-style file, which holds all the credentials for Google and my S/MIME keys (my MUA supports "pseudo-hosts" like USER@HOST.smime-cert-key, .smime-cert-cert and .smime-include-certs), and becomes decrypted on the fly. Of course my MUA is still primitive and keeps that decrypted stuff in clear, neither does it mprotect() the region nor zeroes that after use. I do not use suspend-to-disk, but still. And it would be better with encfs2, but that will not happen I guess.

 |very problematic. I think the days of embedded plaintext passwords in
 |your MTA configuration file are slowly coming to an end.

Some kind of shared TLS private key and password service that daemons can use to load such, before they start their privilege-separated children which only have the readily prepared sessions. And to be unlocked with a Yubikey first. (And with an option to implant that under the skin of an administrator's living flesh.) Brave new world.

 |Like I said in my previous email ... we'll continue to support that.
 |But I can't recommend it to the average nmh user.
 |
 |--Ken
 |
 |--
 |nmh-workers
 |https://lists.nongnu.org/mailman/listinfo/nmh-workers
 --End of <20190710152824.2d9b961...@pb-smtp21.pobox.com>

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
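The reply above describes the two things its MUA does not do with a credential decrypted on the fly: mprotect() the region and zero it after use. The following is an added illustration of that practice in C, not code from nmh, from the poster's MUA, or from this thread; `struct secret` and the `secret_*` functions are hypothetical names, and only sysconf(), posix_memalign(), mlock(), mprotect() and munlock() are real POSIX calls. The plaintext is pinned so it does not reach swap, made inaccessible between uses, and overwritten through a volatile pointer before the memory is released.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
/* Hypothetical page-backed holder for a decrypted credential (not nmh or any MUA's code):
 * pinned with mlock() where the limit allows, PROT_NONE while idle, scrubbed on release. */
struct secret { unsigned char *buf; size_t len, cap; int locked; };

struct secret *secret_new(void) {
    long ps = sysconf(_SC_PAGESIZE);
    struct secret *s = calloc(1, sizeof *s);
    if (!s || ps <= 0) { free(s); return NULL; }
    if (posix_memalign((void **)&s->buf, (size_t)ps, (size_t)ps) != 0) { free(s); return NULL; }
    s->cap = (size_t)ps;
    s->locked = (mlock(s->buf, s->cap) == 0); /* keeps the page out of swap; may fail under RLIMIT_MEMLOCK */
    return s;
}

/* Copy the plaintext in, then take the page away from every stray read until secret_open(). */
int secret_store(struct secret *s, const void *src, size_t n) {
    if (n > s->cap || mprotect(s->buf, s->cap, PROT_READ | PROT_WRITE) != 0) return -1;
    memcpy(s->buf, src, n);
    s->len = n;
    return mprotect(s->buf, s->cap, PROT_NONE);
}

/* Bracket each use: readable only between open and close; an access outside that window faults. */
int secret_open(struct secret *s)  { return mprotect(s->buf, s->cap, PROT_READ | PROT_WRITE); }
int secret_close(struct secret *s) { return mprotect(s->buf, s->cap, PROT_NONE); }

/* Overwrite through a volatile pointer so the stores cannot be optimised away,
 * then read back to confirm. Returns 0 when every byte of the page is zero. */
int secret_wipe(struct secret *s) {
    volatile unsigned char *p = s->buf;
    if (mprotect(s->buf, s->cap, PROT_READ | PROT_WRITE) != 0) return -1;
    for (size_t i = 0; i < s->cap; i++) p[i] = 0;
    s->len = 0;
    for (size_t i = 0; i < s->cap; i++) if (p[i] != 0) return -1;
    return 0;
}

int secret_free(struct secret *s) {
    if (!s) return 0;
    int rc = secret_wipe(s);          /* page is writable again after the wipe, so free() is safe */
    if (s->locked) munlock(s->buf, s->cap);
    free(s->buf);
    free(s);
    return rc;
}
```

The `locked` flag records whether mlock() succeeded, since a small RLIMIT_MEMLOCK makes that call fail on some systems without making the rest of the scheme useless.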