On 2024/7/26 at 05:54, Christian Schulte wrote:
Just one example. There had been plenty of issues with Thunderbird, Outlook and whatever MUA misbehaving, downgrading to plaintext passwords without anyone noticing. I did not follow those issues over time. If I remember correctly, enabling PLAIN and LOGIN made most of those auto account setup dialogs ("enter your email address and password and I will set up everything automatically for you" features) set things up in the most insecure ways possible. That's the reason only CRAM-MD5 and DIGEST-MD5 were allowed. I remember there was an issue with PLAIN and clients sending AUTH PLAIN base64(username:password) on one line before the MSA could reject it by telling them to use STARTTLS first. OpenSMTPD does not send anything like that. I am a bit confused whether I had better not offer PLAIN and only LOGIN. There is not much you can do about MUAs behaving in those ways, which is perfectly valid according to the RFCs. Verified the setup with telnet, and sendmail does not offer AUTH until STARTTLS has been called and refuses to accept anything without authentication. That's pretty much what I needed it to do.
In OpenSMTPD smtpd.conf, you can use "tls-require" on SMTP submission port to force STARTTLS before offering AUTH.
With this setup, the Telnet log looks like:

220 mail.example.net ESMTP OpenSMTPD
EHLO client.example.com
250-mail.example.net Hello client.example.com [*], pleased to meet you
250-8BITMIME
250-ENHANCEDSTATUSCODES
250-SIZE 36700160
250-DSN
250-STARTTLS
250 HELP
AUTH PLAIN dGVzdAB0ZXN0ADEyMzQ=
503 5.5.1 Invalid command: Command not supported
QUIT
221 2.0.0 Bye

Is this what you want, Christian?

-- 
Ziqin
A ship in harbor is safe, but that is not what ships are built for.
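The telnet check above can be scripted so it is repeatable after every config change. The following Python is an added example, not code from the thread or from OpenSMTPD: it parses EHLO replies, flags AUTH advertised before STARTTLS and a missing STARTTLS or post-TLS AUTH, and (optionally, against a real host given on the command line) repeats the cleartext AUTH PLAIN attempt from the log with throwaway credentials, expecting the 5xx rejection shown above. The two EHLO transcripts embedded in it are constructed: the cleartext one is the reply quoted in the log, the post-STARTTLS one is what a tls-require listener would be expected to answer and is not shown in the thread. The smtpd.conf line in the comment is my assumption of the listener the "tls-require" advice describes.

```python
"""Audit an SMTP submission port for the plaintext-AUTH downgrade problem.

Added example (not from the mailing-list thread). Assumed OpenSMTPD listener:
    listen on egress port submission tls-require auth <creds>
i.e. AUTH must only be offered, and only be accepted, after STARTTLS.
"""
import base64
import smtplib
import ssl
import sys

# Constructed sample: the cleartext EHLO reply quoted in the thread,
# one line per extension (the list archive had flattened it).
CLEARTEXT_EHLO = (
    "250-mail.example.net Hello client.example.com [*], pleased to meet you\r\n"
    "250-8BITMIME\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-SIZE 36700160\r\n"
    "250-DSN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)

# Constructed sample (assumption, not shown in the thread): the same server's
# EHLO reply after STARTTLS, where PLAIN and LOGIN are acceptable.
TLS_EHLO = (
    "250-mail.example.net Hello client.example.com [*], pleased to meet you\r\n"
    "250-8BITMIME\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250-SIZE 36700160\r\n"
    "250-DSN\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply):
    """Turn a raw multi-line 250 EHLO reply into {KEYWORD: [params]}.

    The first line is the greeting, not an extension (RFC 5321, 4.1.1.1),
    so it is skipped; every other line must be "250-" or "250 " + ehlo-line.
    """
    features = {}
    for line in reply.splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO line: {line!r}")
        parts = line[4:].split()
        if parts:
            features[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return features


def audit(clear_features, tls_features=None):
    """Return findings (empty list = server behaves as the thread wants)."""
    findings = []
    if "STARTTLS" not in clear_features:
        findings.append("no STARTTLS offered on the cleartext port")
    if "AUTH" in clear_features:
        # Any AUTH before STARTTLS invites an auto-setup MUA to send the
        # password in the clear; the mechanism list does not make it better.
        mechs = " ".join(clear_features["AUTH"]) or "(no mechanisms listed)"
        findings.append(f"AUTH advertised before STARTTLS: {mechs}")
    if tls_features is not None and not tls_features.get("AUTH"):
        findings.append("no AUTH offered after STARTTLS")
    return findings


def probe(host, port=587, helo="client.example.com"):
    """Live version of the telnet session in the thread (needs network)."""
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo(helo)
        clear = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        # Do what a misbehaving MUA does: AUTH PLAIN in cleartext, with
        # constructed throwaway credentials. A correct MSA answers 5xx (503 above).
        token = base64.b64encode(b"\0test\0test").decode()
        code, _ = s.docmd("AUTH", "PLAIN " + token)
        tls = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo(helo)
            tls = {k.upper(): v.upper().split() for k, v in s.esmtp_features.items()}
        findings = audit(clear, tls)
        if code == 235:
            findings.append("cleartext AUTH PLAIN was ACCEPTED (235)")
        return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe(sys.argv[1])
    else:
        result = audit(parse_ehlo(CLEARTEXT_EHLO), parse_ehlo(TLS_EHLO))
    print("OK" if not result else "\n".join(result))
```

Run it without arguments to audit the embedded transcripts, or with a hostname to probe a live submission port; do the live probe only against a server you operate, since it deliberately sends a cleartext AUTH PLAIN.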
