>'TLS is not supported' Does this mean I need to rebuild nmh?

Oh, yes (I was wondering why your -snoop output immediately did RSET, and I
guess I never tested that behavior). We try to make sure all of the
packaged versions of nmh are built with TLS support, so if you are using a
packaged version please let us know because that should be fixed.

You ALSO want to be building with cyrus-sasl support, just to save you
some time, and probably add in OAuth2 support as well just in case you
need it later.

>Minor question: Is sasl used by tls? My sendmail MTA uses "STARTTLS", and I
>had to set that up, but I'm not familiar with sasl.
>
>https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

Short answer: yes. Longer answer: it's a bit of a confusing mess, but yes.

I'm simplifying things a WHOLE lot, but for our purposes TLS just does
the session encryption (via STARTTLS or what I call "initial TLS"). The
actual authentication for many protocols uses SASL, and there are a whole
bunch of different SASL mechanisms. I suspect you're using the PLAIN
SASL mechanism which is basically a plaintext username/password, and
for SMTP that will look like:

	AUTH PLAIN <username/password base64-encoded>

To muddy the waters a bit, SASL _also_ can do session encryption, but that's
mechanism-specific (we do support that and I use it so I know it works).

Some protocols (like POP) also take a username/password OUTSIDE of the
SASL protocol exchange. Most newer protocols just specify SASL. I realize
that SMTP is not a "new" protocol, but the authentication piece was added
relatively recently.

To simplify things for the modern Internet:

- You always want -tls or -initialtls
- You almost always want -sasl
- Once you figure out which mechanism you are using via -snoop (it's
  probably going to be PLAIN), you should specify -saslmech explicitly.
  If you don't then we will pick the "best" one we can do, which usually
  works fine.

>>And if you don't mind me asking ... I would like to make this information
>>more easily findable. Were you just overwhelmed at where to start?
>
>Maybe a bit lazy and overwhelmed. I think a few more examples would not hurt,
>or if the man pages referred to another doc with examples. Your help, Ralph's
>help, the man pages, and an 'egrep -r' of my nmh mailing list tree helped.

Thanks, I appreciate the feedback. We are trying to make this better
and people ask this a lot, so clearly we need to improve things.
I think I will work on writing an authentication-specific man page.

--Ken
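
The split described in the message above (TLS encrypts the session, SASL PLAIN only base64-encodes the credentials) can be checked against a captured SMTP dialogue. This is an added example, not part of the original message and not nmh code; the function names, the sample credentials and the `C:`/`S:` transcript notation are constructed here and are not nmh's -snoop output format.

```python
import base64

def decode_plain(b64):
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    authzid, authcid, passwd = base64.b64decode(b64).split(b"\0")
    return authzid.decode(), authcid.decode(), passwd.decode()

def audit_smtp_dialogue(lines, initial_tls=False):
    """Report each AUTH command and whether TLS was active when it was sent.

    lines: constructed 'C: ...' / 'S: ...' strings (client / server).
    initial_tls: True when the connection was TLS from the first byte.
    """
    encrypted = initial_tls
    starttls_pending = False
    findings = []
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "C" and words[0].upper() == "STARTTLS":
            starttls_pending = True
        elif side == "S" and starttls_pending:
            # 220 means the server agreed; the TLS handshake follows.
            encrypted = words[0] == "220"
            starttls_pending = False
        elif side == "C" and words[0].upper() == "AUTH" and len(words) >= 2:
            finding = {"mechanism": words[1].upper(), "encrypted": encrypted}
            if finding["mechanism"] == "PLAIN" and len(words) == 3:
                _, user, passwd = decode_plain(words[2])
                finding["user"] = user
                # Base64 is an encoding, not encryption: the password decodes.
                finding["password_recoverable"] = bool(passwd)
            findings.append(finding)
    return findings

# Constructed sample credentials and dialogues (no real account or server).
TOKEN = base64.b64encode(b"\0alice\0example-password").decode()
CLEARTEXT = ["S: 220 mail.example ESMTP", "C: EHLO client.example",
             "S: 250 AUTH PLAIN", f"C: AUTH PLAIN {TOKEN}", "S: 235 ok"]
WITH_STARTTLS = ["S: 220 mail.example ESMTP", "C: EHLO client.example",
                 "S: 250 STARTTLS", "C: STARTTLS", "S: 220 go ahead",
                 "C: EHLO client.example", "S: 250 AUTH PLAIN",
                 f"C: AUTH PLAIN {TOKEN}", "S: 235 ok"]

if __name__ == "__main__":
    for name, log in (("cleartext", CLEARTEXT), ("starttls", WITH_STARTTLS)):
        print(name, audit_smtp_dialogue(log))
```

A finding with `encrypted` false and `password_recoverable` true is the case the advice to always use -tls or -initialtls is meant to prevent.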
