Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
According to Gary Schrock:
> their mail). Now, maybe I just don't know what magic STARTTLS offers me,
> and I'd convert if I knew better.

STARTTLS is a way to do SSL-based encryption between mail servers
automatically. TLS is the new name of SSL (Secure Socket Layer). You can use
certificates to enable relaying, for example (nice for nomad users).

Postfix, qmail, probably Exim and some other MTAs do support it, generally
through patches. The main problem with Sendmail's one at the moment is the
dependency on sfio (a stdio-like library written by ATT people).

--
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- [EMAIL PROTECTED]
FreeBSD keltia.freenix.fr 5.0-CURRENT #80: Sun Jun 4 22:44:19 CEST 2000

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-current" in the body of the message
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
I'm seeing a small problem with up to the minute sources in the install
phase:

===> usr.sbin/sendmail
install -c -o root -g wheel -m 644 /dev/null /var/log/sendmail.st
install -c -o root -g wheel -m 444 /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/helpfile /etc/mail/helpfile
install -c -s -o root -g wheel -m 4555 sendmail /usr/libexec/sendmail
install -c -o root -g wheel -m 444 mailq.1.gz newaliases.1.gz /usr/share/man/man1
install -c -o root -g wheel -m 444 aliases.5.gz /usr/share/man/man5
install -c -o root -g wheel -m 444 sendmail.8.gz /usr/share/man/man8
+ cp /etc/aliases /etc/mail/aliases
cp: not found
*** Error code 127
Stop in /usr/src/usr.sbin/sendmail.
*** Error code 1
Stop in /usr/src/usr.sbin.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
*** Error code 1
1 error

/etc/aliases and /etc/mail both exist.

Doug
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sat, Aug 12, 2000 at 04:02:03PM -0700, Gregory Neil Shapiro wrote:
> hetzels> Sendmail 8.11 has the ability to do secure authentication with
> hetzels> mail clients when compiled with Cyrus-SASL.
>
> hetzels> Will the Cyrus-SASL library be imported to provide this
> hetzels> capability? Or at least a make.conf variable.
>
> My first step in the process was to get sendmail up-to-date. Once it is
> MFC'ed to STABLE, I'll look at enhancements. After September 21, I want to
> turn on STARTTLS support. I'm not sure about importing SASL -- I might be
> convinced to put in Makefile support if it happens to already be installed
> via ports.

Getting STARTTLS also means putting sfio into base.
Also it would be fine if the hashed ca-cert links are created:

bash-2.03# ls -al /etc/ssl/certs
total 42
drwxr-xr-x  2 root  wheel  1024 Jun 24 11:30 .
drwxr-xr-x  4 root  wheel  1024 Jun 24 11:21 ..
lrwxr-xr-x  1 root  wheel     9 Jun 24 11:26 052eae11.0 -> tjhCA.pem
lrwxr-xr-x  1 root  wheel    10 Jun 24 11:26 13810d42.0 -> cacert.pem
lrwxr-xr-x  1 root  wheel    12 Jun 24 11:26 18d46017.0 -> vsigntca.pem
lrwxr-xr-x  1 root  wheel    12 Jun 24 11:26 1ef89214.0 -> nortelCA.pem
lrwxr-xr-x  1 root  wheel    11 Jun 24 11:26 1f6c59cd.0 -> ca-cert.pem
lrwxr-xr-x  1 root  wheel    11 Jun 24 11:26 24867d38.0 -> dsa-pca.pem
lrwxr-xr-x  1 root  wheel    10 Jun 24 11:26 2edf7016.0 -> vsign1.pem
lrwxr-xr-x  1 root  wheel    12 Jun 24 11:26 3ecf89a3.0 -> ICE-user.pem
lrwxr-xr-x  1 root  wheel    10 Jun 24 11:26 6bee6be3.0 -> ICE-CA.pem
lrwxr-xr-x  1 root  wheel    10 Jun 24 11:26 73912336.0 -> dsa-ca.pem
lrwxr-xr-x  1 root  wheel    10 Jun 24 11:26 7651b327.0 -> vsign3.pem
lrwxr-xr-x  1 root  wheel     9 Jun 24 11:26 8c401b31.0 -> timCA.pem
lrwxr-xr-x  1 root  wheel    12 Jun 24 11:26 8caad35e.0 -> pca-cert.pem
-rw-r--r--  1 root  wheel  2945 Jun  2 00:05 ICE-CA.pem
-rw-r--r--  1 root  wheel  2314 Jun  2 00:05 ICE-root.pem
-rw-r--r--  1 root  wheel  3240 Jun  2 00:05 ICE-user.pem
[...]

--
B.Walter COSMO-Project http://www.cosmo-project.de
[EMAIL PROTECTED] Usergroup [EMAIL PROTECTED]
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sat, 12 Aug 2000 15:40:24 -0700 (PDT) Gregory Neil Shapiro [EMAIL PROTECTED] said:

gshapiro> sendmail has been updated from 8.9.3 to 8.11.0. Some of the more visible
gshapiro> changes that may immediately affect your configuration include:
gshapiro> - New default file locations from src/contrib/sendmail/cf/README
gshapiro> - newaliases limited to root and trusted users
gshapiro> - MSA port (587) turned on by default
gshapiro> - New queue file naming system so can't go from 8.11 -> 8.9
gshapiro> - mail.local FreeBSD-only -b option changed to -B
gshapiro> - FEATURE(`rbl') renamed to FEATURE(`dnsbl')
gshapiro> - FEATURE(`nullclient') is more full featured
gshapiro> - FEATURE(`nouucp') requires an argument: `reject' or `nospecial'
gshapiro> - See src/contrib/sendmail/RELEASE_NOTES for more info

Because default confCW_FILE doesn't have -o option, freebsd.mc should
have a

define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl

line. Unless this, /etc/mail/local-host-names will be mandatory.

BTW, I love to see

DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl
DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')dnl

lines. But, I know this requires IPv6 enabled kernel and to do this
is difficult. NetBSD ships two versions of sendmail.cf.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.imasy.org/~ume/
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> I think we have to support rfc2554 authentication (With MECH LOGIN for
> Outlook) out of the box if we are serious about mailserver and security.

If you're serious about security, you shouldn't support LOGIN (or PLAIN)
unless adequate privacy protections are in place. If you're serious
about standards, you won't support LOGIN.

Given that OpenSSL is in the base system, there is little reason not
to support BOTH StartTLS and SASL "out of the box". I would suggest
the authentication defaults be relatively secure, as in "noplain,noanonymous".
This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.

> A make.conf knob to use a user-installed library may create problems with
> different versions of Cyrus-SASL. I had some problems with that when
> upgrading my mailservers to Sendmail 8.10.

I'd recommend bringing Cyrus-SASL into the base system eventually
under the same rationale used to bring OpenSSL in.

Kurt
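One way to check a server against the policy suggested in the message above (PLAIN/LOGIN usable only once StartTLS is active), as an added example that is not part of the original thread: it parses EHLO replies captured before and after the TLS handshake. The sample replies, host names and finding codes are constructed for illustration.

```python
import re

# Mechanisms that put the password on the wire in recoverable form;
# base64 is an encoding, not protection.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [ln.strip() for ln in reply.strip().splitlines() if ln.strip()]
    caps = {}
    for i, line in enumerate(lines):
        m = re.fullmatch(r"250([ -])(.*)", line)
        if m is None:
            raise ValueError("not a 250 reply line: %r" % line)
        # "250-" marks a continuation line, "250 " the final line.
        if (m.group(1) == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker: %r" % line)
        if i == 0:
            continue  # first line carries the server name and greeting only
        # Accept the legacy "AUTH=LOGIN PLAIN" form as well as "AUTH LOGIN PLAIN".
        parts = re.split(r"[ =]", m.group(2), maxsplit=1)
        keyword = parts[0].upper()
        if keyword:
            params = parts[1].upper().split() if len(parts) > 1 else []
            caps.setdefault(keyword, []).extend(params)
    return caps


def audit(before_tls):
    """Return (code, detail) findings for the EHLO reply seen before TLS."""
    caps = parse_ehlo(before_tls)
    findings = []
    exposed = sorted(CLEARTEXT_MECHS & set(caps.get("AUTH", [])))
    if exposed:
        findings.append(("cleartext-auth-before-tls", ",".join(exposed)))
    if "STARTTLS" not in caps:
        findings.append(("no-starttls", ""))
    return findings


def unlocked_by_tls(before_tls, after_tls):
    """Mechanisms advertised only after the TLS handshake has completed."""
    pre = set(parse_ehlo(before_tls).get("AUTH", []))
    post = set(parse_ehlo(after_tls).get("AUTH", []))
    return sorted(post - pre)


# Constructed sample replies (not captured from any real server).
WEAK_PRE = ("250-mail.example.org Hello client.example.org\n"
            "250-8BITMIME\n250-AUTH LOGIN PLAIN DIGEST-MD5\n250 HELP")
HARDENED_PRE = ("250-mail.example.org Hello client.example.org\n"
                "250-STARTTLS\n250-AUTH DIGEST-MD5 CRAM-MD5\n250 HELP")
HARDENED_POST = ("250-mail.example.org Hello client.example.org\n"
                 "250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN\n250 HELP")

if __name__ == "__main__":
    print(audit(WEAK_PRE))
    print(audit(HARDENED_PRE), unlocked_by_tls(HARDENED_PRE, HARDENED_POST))
```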
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sun, 13 Aug 2000 09:20:05 -0700 "Kurt D. Zeilenga" [EMAIL PROTECTED] said:

Kurt> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
Kurt> > I think we have to support rfc2554 authentication (With MECH LOGIN for
Kurt> > Outlook) out of the box if we are serious about mailserver and security.

Kurt> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
Kurt> unless adequate privacy protections are in place. If you're serious
Kurt> about standards, you won't support LOGIN.

I think so. Even worse, once PLAIN is activated by sendmail, Netscape
tries to use AUTH anyway. If the user isn't registered in SASL db,
the user cannot send mail anymore. That is, once you decide to use
PLAIN, you must register all of your users in SASL db.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.imasy.org/~ume/
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sun 2000-08-13 (09:20), Kurt D. Zeilenga wrote:
> > A make.conf knob to use a user-installed library may create problems with
> > different versions of Cyrus-SASL. I had some problems with that when
> > upgrading my mailservers to Sendmail 8.10.
>
> I'd recommend bringing Cyrus-SASL into the base system eventually
> under the same rationale used to bring OpenSSL in.

What are the license issues on this?

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
[EMAIL PROTECTED]
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sun, 13 Aug 2000, Kurt D. Zeilenga wrote:
> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> > I think we have to support rfc2554 authentication (With MECH LOGIN for
> > Outlook) out of the box if we are serious about mailserver and security.
>
> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> unless adequate privacy protections are in place. If you're serious
> about standards, you won't support LOGIN.

Tell that to Microsoft! They only support LOGIN and the users (god bless
them) won't change to another client.

> Given that OpenSSL is in the base system, there is little reason not
> to support BOTH StartTLS and SASL "out of the box". I would suggest
> the authentication defaults be relatively secure, as in "noplain,noanonymous".
> This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.

Works for me. I _have_ to keep OE5 working somehow until they start
supporting a better mechanism, _Then_ I can ditch LOGIN.

> > A make.conf knob to use a user-installed library may create problems with
> > different versions of Cyrus-SASL. I had some problems with that when
> > upgrading my mailservers to Sendmail 8.10.
>
> I'd recommend bringing Cyrus-SASL into the base system eventually
> under the same rationale used to bring OpenSSL in.

I agree.

/Johan

> Kurt
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
> BTW, I love to see
>
> DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl
> DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')dnl

Yes that together with "CFLAGS+=-DNETINET6" in the sendmail/Makefile
and I have a working ipv6 mailer going.

There is just an annoying message because of the anycast address:

Aug 13 16:38:47 angel sendmail[11947]: gethostbyaddr(3ffe:2900:fffa:4::) failed: 1

Is that because of a configuration error or just because sendmail needs
to check for anycast addresses? The machine is also a router between a
gif tunnel and this interface. My interface is configured like this:

angel# ifconfig de0
de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 146.64.84.9 netmask 0xff00 broadcast 146.64.84.255
        inet6 fe80::200:e8ff:fe15:dbed%de0 prefixlen 64 scopeid 0x1
        inet6 3ffe:2900:fffa:4:200:e8ff:fe15:dbed prefixlen 64
        inet6 3ffe:2900:fffa:4:: prefixlen 64 anycast
        ether 00:00:e8:15:db:ed
        media: 10baseT/UTP status: active
        supported media: 100baseTX full-duplex 100baseTX 10base2/BNC 10baseT/UTP full-duplex 10baseT/UTP

John
--
John Hay -- [EMAIL PROTECTED]
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sun, 13 Aug 2000 19:24:09 +0200 (SAT) John Hay [EMAIL PROTECTED] said:

jhay> > BTW, I love to see
jhay> >
jhay> > DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl
jhay> > DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')dnl

jhay> Yes that together with "CFLAGS+=-DNETINET6" in the sendmail/Makefile
jhay> and I have a working ipv6 mailer going.

Yeh! I'm looking forward to seeing it.

jhay> There is just an annoying message because of the anycast
jhay> address:

jhay> Aug 13 16:38:47 angel sendmail[11947]: gethostbyaddr(3ffe:2900:fffa:4::) failed: 1

jhay> Is that because of a configuration error or just because sendmail needs
jhay> to check for anycast addresses? The machine is also a router between a
jhay> gif tunnel and this interface. My interface is configured like this:

jhay> angel# ifconfig de0
jhay> de0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
jhay>         inet 146.64.84.9 netmask 0xff00 broadcast 146.64.84.255
jhay>         inet6 fe80::200:e8ff:fe15:dbed%de0 prefixlen 64 scopeid 0x1
jhay>         inet6 3ffe:2900:fffa:4:200:e8ff:fe15:dbed prefixlen 64
jhay>         inet6 3ffe:2900:fffa:4:: prefixlen 64 anycast
jhay>         ether 00:00:e8:15:db:ed
jhay>         media: 10baseT/UTP status: active
jhay>         supported media: 100baseTX full-duplex 100baseTX 10base2/BNC 10baseT/UTP full-duplex 10baseT/UTP

I don't see any configuration problem here. As that machine is a
router, anycast address has been assigned. (RFC2373)
I simply registered PTR RRs of my anycast addresses into DNS.
It may be a good idea that sendmail checks for anycast address.

--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.imasy.org/~ume/
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Sun 2000-08-13 (10:48), Kurt D. Zeilenga wrote:
> At 06:53 PM 8/13/00 +0200, Neil Blakey-Milner wrote:
> > On Sun 2000-08-13 (09:20), Kurt D. Zeilenga wrote:
> > > > A make.conf knob to use a user-installed library may create problems with
> > > > different versions of Cyrus-SASL. I had some problems with that when
> > > > upgrading my mailservers to Sendmail 8.10.
> > >
> > > I'd recommend bringing Cyrus-SASL into the base system eventually
> > > under the same rationale used to bring OpenSSL in.
> >
> > What are the license issues on this?
>
> None worse than those associated with OpenSSL.

Ah, it seems to be a simplistic BSD-like license. For a second I
thought it might be a non-commercial one, like cyrus-imapd has in some
areas.

OpenSSL is slightly more structured - Apache-like BSD license.

So at least there won't be any insane license-wars over it.

Neil
--
Neil Blakey-Milner
Sunesi Clinical Systems
[EMAIL PROTECTED]
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
ume> Because default confCW_FILE doesn't have -o option, freebsd.mc should
ume> have "define(`confCW_FILE', `-o /etc/mail/local-host-names')dnl" line.
ume> Unless this, /etc/mail/local-host-names will be mandatory.

Good point. I've fixed this.

ume> BTW, I love to see

ume> DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')dnl
ume> DAEMON_OPTIONS(`Name=MTA-v6, Family=inet6')dnl

ume> lines. But, I know this requires IPv6 enabled kernel and to do this
ume> is difficult. NetBSD ships two versions of sendmail.cf.

Adding IPv6 support to the sendmail binary is high on my list of things to
do. You are correct, configuration support is a more difficult issue. I'm
open to suggestions.
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
On Mon, 14 Aug 2000, Hajimu UMEMOTO wrote:
> On Sun, 13 Aug 2000 09:20:05 -0700 "Kurt D. Zeilenga" [EMAIL PROTECTED] said:
>
> Kurt> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> Kurt> > I think we have to support rfc2554 authentication (With MECH LOGIN for
> Kurt> > Outlook) out of the box if we are serious about mailserver and security.
>
> Kurt> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> Kurt> unless adequate privacy protections are in place. If you're serious
> Kurt> about standards, you won't support LOGIN.
>
> I think so. Even worse, once PLAIN is activated by sendmail, Netscape
> tries to use AUTH anyway. If the user isn't registered in SASL db,
> the user cannot send mail anymore. That is, once you decide to use
> PLAIN, you must register all of your users in SASL db.

I agree that PLAIN/LOGIN should not be enabled by default as it is
inherently insecure and should not be encouraged.
It can easily be enabled in a custom .mc file, if wanted, with

define(`confAUTH_MECHANISMS', `')dnl
define(`confTRUST_AUTH_MECH', `')dnl

The snag is that it has to be enabled in the build of the SASL library. The
same with KerberosIV and GSSAPI depending on what is installed.
N.B. This is for 8.10. I haven't looked if it has changed for 8.11.

If authentication is enabled with SASL, support should be added to
adduser/rmuser, or we will have a supportbomb when locally defined users
can't send mail remotely.

> --
> Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
> [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] http://www.imasy.org/~ume/
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
hetzels> Sendmail 8.11 has the ability to do secure authentication with
hetzels> mail clients when compiled with Cyrus-SASL.

hetzels> Will the Cyrus-SASL library be imported to provide this
hetzels> capability? Or at least a make.conf variable.

My first step in the process was to get sendmail up-to-date. Once it is
MFC'ed to STABLE, I'll look at enhancements. After September 21, I want to
turn on STARTTLS support. I'm not sure about importing SASL -- I might be
convinced to put in Makefile support if it happens to already be installed
via ports.
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
From: "Gregory Neil Shapiro" [EMAIL PROTECTED]
> hetzels> Sendmail 8.11 has the ability to do secure authentication with
> hetzels> mail clients when compiled with Cyrus-SASL.
>
> hetzels> Will the Cyrus-SASL library be imported to provide this
> hetzels> capability? Or at least a make.conf variable.
>
> My first step in the process was to get sendmail up-to-date. Once it is
> MFC'ed to STABLE, I'll look at enhancements. After September 21, I want to
> turn on STARTTLS support. I'm not sure about importing SASL -- I might be
> convinced to put in Makefile support if it happens to already be installed
> via ports.

Makefile support for SASL would be fine.

Thanks for bringing in 8.11.

Scot
Re: HEADS UP: sendmail updated from 8.9.3 to 8.11.0 in -current
At 04:02 PM 8/12/2000 -0700, you wrote:
> hetzels> Sendmail 8.11 has the ability to do secure authentication with
> hetzels> mail clients when compiled with Cyrus-SASL.
>
> hetzels> Will the Cyrus-SASL library be imported to provide this
> hetzels> capability? Or at least a make.conf variable.
>
> My first step in the process was to get sendmail up-to-date. Once it is
> MFC'ed to STABLE, I'll look at enhancements. After September 21, I want to
> turn on STARTTLS support. I'm not sure about importing SASL -- I might be
> convinced to put in Makefile support if it happens to already be installed
> via ports.

I'll admit that I'm something of a clueless idiot when it comes to
something like STARTTLS, but looking at the stuff on sendmail's page about
it, I don't really see a listing of clients that it can work with. One
advantage of the SASL stuff is that a fair number of clients seem to
support the thing, including several for windows (yeah, I know, the evil
term, but some of us actually have people that use windows clients to do
their mail). Now, maybe I just don't know what magic STARTTLS offers me,
and I'd convert if I knew better.

Gary Schrock