On 26.07.24 06:26, Ziqin Wang wrote:
On 2024/7/26 at 05:54, Christian Schulte wrote:

Just one example. There had been plenty of issues with Thunderbird, Outlook and whatever MUA misbehaving, downgrading to plaintext passwords without anyone noticing. I did not follow those issues over time. If I remember correctly, enabling PLAIN and LOGIN made most of those auto account setup dialogs ("enter your email address and password and I will set up everything automatically for you" features) set things up in the most insecure ways possible. That's the reason only CRAM-MD5 and DIGEST-MD5 were allowed. I remember there was an issue with PLAIN and clients sending AUTH PLAIN base64(username:password) on one line before the MSA could reject it by telling them to use STARTTLS first. OpenSMTPD does not send anything like that. I am a bit confused whether I had better not offer PLAIN and only LOGIN. There is not much you can do about MUAs behaving in those ways, which is perfectly valid according to the RFCs. Verified the setup with telnet: sendmail does not offer AUTH until STARTTLS has been called and refuses to accept anything without authentication. That's pretty much what I needed it to do.

In OpenSMTPD smtpd.conf, you can use "tls-require" on SMTP submission port to force STARTTLS before offering AUTH.

With this setup, the Telnet log looks like:

220 mail.example.net ESMTP OpenSMTPD
EHLO client.example.com
250-mail.example.net Hello client.example.com [*], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP
AUTH PLAIN dGVzdAB0ZXN0ADEyMzQ=
503 5.5.1 Invalid command: Command not supported
QUIT
221 2.0.0 Bye

Is this what you want, Christian?


No no. I was talking about sendmail behaviour from ancient times, right after AUTH and STARTTLS had been implemented. There is no 250-AUTH advertised, so a MUA sending an AUTH command in such a situation would be broken. If there had been 250-AUTH in the EHLO response, the client would have behaved correctly. If the server responds with an error requesting the client to first issue STARTTLS, the clear text password would already have been sent over the net. Let's not talk about issues solved decades ago. Everything is fine.

Regards,
--
Christian
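An added example, not part of this thread and not OpenSMTPD code: a small Python checker for the property Ziqin's telnet session demonstrates, namely that in the cleartext phase a submission port advertises STARTTLS but not AUTH, and that a premature AUTH PLAIN gets a permanent 5xx reply. The EHLO lines and the 503 reply embedded below are constructed from the session above (host names and the `dGVzdAB0ZXN0ADEyMzQ=` placeholder credential are the thread's own values); `probe_submission` is a hypothetical live variant built on the standard `smtplib` module for running the same audit against a real server, with the `listen ... tls-require` line in smtpd.conf being what makes it pass.

```python
"""Check that an SMTP submission endpoint does not expose AUTH before STARTTLS.

Added example; not code from the mailing-list thread or from OpenSMTPD.
"""
import smtplib

# Constructed EHLO reply, copied from the telnet session in the thread.
SAMPLE_EHLO_LINES = [
    "250-mail.example.net Hello client.example.com [*], pleased to meet you",
    "250-8BITMIME",
    "250-ENHANCEDSTATUSCODES",
    "250-SIZE 36700160",
    "250-DSN",
    "250-STARTTLS",
    "250 HELP",
]

# Constructed reply to an AUTH sent before STARTTLS, as in the thread.
SAMPLE_AUTH_REPLY = "503 5.5.1 Invalid command: Command not supported"

# Placeholder credential from the thread: base64("test\0test\x001234").
PLACEHOLDER_AUTH_PLAIN = "dGVzdAB0ZXN0ADEyMzQ="


def parse_ehlo(lines):
    """Return {KEYWORD: params} from a multi-line EHLO reply.

    Continuation lines look like "250-KEYWORD [params]", the final line like
    "250 KEYWORD". The first line is the greeting and carries no extension.
    """
    features = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:].strip()            # drop "250-" / "250 "
        keyword, _, params = body.partition(" ")
        features[keyword.upper()] = params
    return features


def audit_pre_tls(ehlo_lines, auth_reply):
    """Evaluate the cleartext phase of a submission session.

    auth_offered     - AUTH advertised before STARTTLS: a naive MUA will send
                       the password in the clear, which is the failure mode
                       discussed in the thread.
    starttls_offered - STARTTLS is advertised at all.
    auth_rejected    - a premature AUTH gets a permanent (5xx) error.
    ok               - all three are in their safe state.
    """
    features = parse_ehlo(ehlo_lines)
    auth_offered = "AUTH" in features
    starttls_offered = "STARTTLS" in features
    auth_rejected = auth_reply.startswith("5")
    return {
        "auth_offered": auth_offered,
        "starttls_offered": starttls_offered,
        "auth_rejected": auth_rejected,
        "ok": (not auth_offered) and starttls_offered and auth_rejected,
    }


def probe_submission(host, port=587, timeout=10):
    """Hypothetical live probe (needs network; not exercised offline).

    Performs EHLO, then sends AUTH PLAIN with the placeholder credential
    before STARTTLS, and runs the same audit on the real replies. No real
    secret crosses the wire.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        _code, msg = conn.ehlo()
        raw = msg.decode(errors="replace").splitlines()
        ehlo_lines = ["250-" + l for l in raw[:-1]] + ["250 " + raw[-1]]
        code, reply = conn.docmd("AUTH", "PLAIN " + PLACEHOLDER_AUTH_PLAIN)
        auth_reply = f"{code} {reply.decode(errors='replace')}"
    return audit_pre_tls(ehlo_lines, auth_reply)


if __name__ == "__main__":
    for key, value in audit_pre_tls(SAMPLE_EHLO_LINES, SAMPLE_AUTH_REPLY).items():
        print(f"{key}: {value}")
```

The audit treats a 334 or 235 reply to the premature AUTH as a failure, because either means the server accepted the cleartext exchange; the 503 in Ziqin's session is the desired outcome.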
