Hi Ed,
thanks for raising this, it is just in time for us. I'd like to describe
what both do and do not cover, and what I would expect from a minimal MTA.
I am on 12-STABLE/12.3-RELEASE.
We solely use sendmail as a relay, either via sendmail invocation or via
SMTP on localhost:25. It is a minimal configuration for scripts and
applications running on hosts and in jails.
Our current corporate messaging service is being phased out for a new
one which requires authentication via LOGIN or PLAIN and mandatory
STARTTLS; the previous one was anonymous and unencrypted.
Sendmail: The biggest problem is that authentication strictly requires
Cyrus SASL, even for stupid ones like PLAIN/LOGIN; according to the
handbook you must recompile sendmail from base with Cyrus SASL from
ports to make this possible. A showstopper actually, for two reasons:
1. I don't like mixing base and ports, it just creates a messy system.
2. While this may work with hosts, when you have jails running off a
RELEASE in Bastille this obviously will not work.
This is not going to work easily with sendmail.
DMA: Disclaimer: I haven't tried it, but I have read the documentation
and source code. Although it supports TLS, I don't see any of these [1],
and I fail to see how it verifies the peer. I have never seen anything
that provides the server's fingerprint for verification. It very much
feels like an SSH-like approach. It does not listen, as documented, on
localhost, so applications supporting SMTP only will need extra
configuration to reach out to the relay host directly; central
configuration on the MTA side is no longer possible. Although I don't
need certificate-based authentication against the relay, and DMA
supports it, it does not support using a passphrase for the certificate
key file like httpd supports through mod_ssl. That should be a
no-brainer these days.
Requirements for a simplistic MTA with a relay host:
* Support TLS or STARTTLS through OpenSSL in base
* Verify the server's certificate chain against the default certstore
(/etc/ssl/certs) and log success/failure; e.g., sendmail does this after
configuration
* Properly rewrite FROM for local users (user@localhost, or even <>)
when delivered with the sendmail executable
* Accept messages on localhost:25, or on a configurable loopback address
in general (e.g., multihomed with a cloned interface and jails), for
those applications which only support SMTP (e.g., Java Mail or other
programming libraries)
The issues with certificates and OpenSSL in the base system I have
already discussed extensively with kevans@ [2].
I hope this can be taken into consideration.
Regards,
Michael
[1]
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
[2] https://reviews.freebsd.org/D31487#710650
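The first three requirements in the message above (STARTTLS with the
server's chain verified against the system certificate store, PLAIN/LOGIN
authentication, and rewriting of a local envelope sender) as an added
example in Python. This is illustration code, not dma or sendmail source
and not anything from the thread; the relay host, credentials and
mailname are assumed placeholders, and the listener requirement
(accepting mail on localhost:25) is not covered.

```python
# Added example (not dma or sendmail code): a small relay client showing
# STARTTLS with peer verification against the system trust store, SASL
# PLAIN/LOGIN authentication and envelope-sender rewriting. Host names,
# credentials and the mailname are assumed placeholders.
import logging
import os
import smtplib
import ssl

log = logging.getLogger("relay")


def rewrite_sender(addr, mailname):
    """Rewrite a local envelope sender the way a relaying MTA should.

    The null sender ('' or '<>', used for bounces) is kept as '<>'.
    A bare local user or user@localhost becomes user@<mailname>.
    An address that is already fully qualified is left alone.
    """
    addr = addr.strip()
    if addr in ("", "<>"):
        return "<>"
    addr = addr.strip("<>")
    if "@" not in addr:
        return "%s@%s" % (addr, mailname)
    local, _, domain = addr.rpartition("@")
    if domain.lower() in ("localhost", "localhost.localdomain"):
        return "%s@%s" % (local, mailname)
    return addr


def tls_context(capath=None):
    """Client context that actually verifies the peer: certificate required,
    hostname checked, trust anchors from the platform default store (the
    same paths OpenSSL's SSL_CTX_set_default_verify_paths() consults) plus
    an optional extra directory such as /etc/ssl/certs."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if capath and os.path.isdir(capath):
        ctx.load_verify_locations(capath=capath)
    return ctx


def verifies_peer(ctx):
    """True only if the context rejects an unverified or mis-named peer."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def relay(message, sender, recipients, host, port=587, user=None,
          password=None, mailname="host.example.org",
          capath="/etc/ssl/certs"):
    """Deliver one message via the smarthost, never in the clear.

    ssl.SSLCertVerificationError is logged and re-raised if the chain does
    not verify or the name does not match; a bad login raises
    smtplib.SMTPAuthenticationError. Returns smtplib's dict of refused
    recipients (empty on full success).
    """
    ctx = tls_context(capath)
    envelope_from = rewrite_sender(sender, mailname)
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("%s does not offer STARTTLS; refusing to "
                               "send unencrypted" % host)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            log.error("TLS verification of %s failed: %s", host, exc)
            raise
        log.info("TLS to %s established, verified peer subject: %s", host,
                 smtp.sock.getpeercert().get("subject"))
        smtp.ehlo()
        if user is not None:
            # smtplib negotiates CRAM-MD5, PLAIN or LOGIN as the server
            # advertises; credentials only ever travel inside TLS here.
            smtp.login(user, password)
        return smtp.sendmail(envelope_from, recipients, message)
```

A call such as `relay(b"Subject: test\r\n\r\nhello\r\n", "cron@localhost",
["ops@example.com"], "relay.example.com", user="relay", password="...")`
sends MAIL FROM:<cron@host.example.org> over a verified STARTTLS session.
The same verification check, done by hand before trusting any MTA's
configuration, is `openssl s_client -starttls smtp -connect
relay.example.com:587 -CApath /etc/ssl/certs -verify_return_error`, whose
"Verify return code" line is what the log line above is meant to mirror.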