Berkeley CSUA MOTD:Entry 27820
Berkeley CSUA MOTD
 
WIKI | FAQ | Tech FAQ
http://csua.com/feed/
2025/07/08 [General] UID:1000 Activity:popular
7/8     

2003/3/24 [Computer/SW/Mail] UID:27820 Activity:moderate
3/23    I configured sendmail 8.12.8 to use STARTTLS and SMTP AUTH.  For mail
        clients that only use LOGIN and PLAIN (like Outlook Express) is the
        password still encrypted?  STARTTLS encrypts the transmission before
        the password is sent, right?
        \_ yeah ask the peep here, they can't even get SSL over POP working
           right
        \_ According to RFC 2487, there is no guarantee that mail will be
           processed in this way (see 5.1). In the case of sendmail you can
           force it to require clients to use a TLS encrypted session via
           TLS_Clt. For more info see:
           http://www.sendmail.org/~ca/email/starttls.html
           \_ Cool, thanks.
ERROR, url_link recursive (eces.Colorado.EDU/secure/mindterm2) 2025/07/08 [General] UID:1000 Activity:popular
7/8     

You may also be interested in these entries...
2013/4/9-5/18 [Computer/SW/Mail, Academia/Berkeley/CSUA] UID:54647 Activity:nil
4/8     What's a good free e-mail provider? I don't want to use Gmail,
        Yahoo, Outlook, or any of those sites with features I never use that
        track my personal info and keep changing their interface. I want just
        simple e-mail without privacy issues or all the baggage these large,
        for-profit companies are adding. I might even be willing to pay.
        Recommendations?
	...
2012/10/15-12/4 [Computer/SW/Mail] UID:54501 Activity:nil
10/15   What's the soda email client these days?
        \_ Don't know.  /usr/bin/mail hasn't been working for a while.
        \_ forward to Gmail.
        \_ mutt works for me
	...
2012/8/29-11/7 [Computer/SW/Security] UID:54467 Activity:nil
8/29    There was once a CSUA web page which runs an SSH client for logging
        on to soda.  Does that page still exist?  Can someone remind me of the
        URL please?  Thx.
        \_ what do you mean? instruction on how to ssh into soda?
           \_ No I think he means the ssh applet, which, iirc, was an applet
              that implemented an ssh v1 client.  I think this page went away
	...
2011/11/14-30 [Computer/SW/Security] UID:54228 Activity:nil
11/14   Social Engineering call centers:
        http://www.itbusiness.ca/it/client/en/home/News.asp?id=64887
	...
2011/2/14-4/20 [Computer/SW/Unix] UID:54039 Activity:nil
2/14    You sure soda isn't running windows in disguise?  It would explain the
        uptimes.
        \_ hardly, My winbox stays up longer.
        \_ Nobody cares about uptime anymore brother, that's what web2.0 has
           taught us.  Everything is "stateless".
           \_ You;d think gamers would care more about uptime.
	...
2011/4/6-20 [Computer/SW/Mail, Computer/SW/Unix, Industry/Startup] UID:54078 Activity:nil
4/6     My company is evaluating version control systems. Our two candidates
        are Perforce and Subversion. Anyone worked with both and have good
        arguments one way or the other? (These are the only two options we
        have.) We're most interested in client performance, ease of use, and
        reasonable branching.
        \_ I'll be 'that guy'. If perforce and subversion are optins, why isn't
	...
2011/2/6-19 [Computer/Networking] UID:54028 Activity:nil
2/5     hmm.
$netstat -at | grep LISTEN
tcp        0      0 *:43300                 *:*                     LISTEN
        \_ this is an sshd
tcp        0      0 *:49416                 *:*                     LISTEN
tcp        0      0 *:36201                 *:*                     LISTEN
	...
Cache (6335 bytes)
www.sendmail.org/~ca/email/starttls.html
This document describes the necessary steps to use this feature. Terminology TLS can provide 14 authentication (identification of the communication partner), privacy/confidentiality (communication is not intercepted or eavesdropped), and integrity (message has not been modified). TLS uses different 15 algorithms for encryption, signing, message authentication etc. An 16 introduction to these can also be found in 17 books about cryptography and in 18 RFC 2246 and its list of references. Some important terms used here are: * CA: certificate authority, * cert: a certificate (signed/issued by a CA), * private key: the private key belonging to a cert. For those familiar with public key encryption (and signing), a cert can be considered a signed public key (with associated data to identify an entity). Notice: do not list too many root CAs in that file, otherwise the TLS handshake may fail; The signature of the certificate presented by the other side is checked against these CAs. If one of them issued the certificate, the authentication is considered 20 successful. Moreover, during the TLS handshake, the 21 DNs of these CA certificates are sent to the client so it can properly select a certificate that is signed by one of those CAs. Get a cert (make sure the 22 CN is the fully qualified name of your host) and install it as confSERVER_CERT and the private key as confSERVER_KEY (make sure the file is only readable by root or the trusted user). For simplicity, use the same filenames for confCLIENT_CERT and confCLIENT_KEY, respectively. Otherwise someone/something would have to enter the passphrase each time sendmail is started as server or client. If neither /dev/urandom nor 27 EGD are available, you have to make sure that useful random data is available all the time in confRAND_FILE (use file:' as prefix). If the file hasn't been modified in the last 10 minutes before it is supposed to be used by sendmail the content is considered obsolete. In this case, the PRNG for TLS is only seeded with other random data if the DontBlameSendmail option InsufficientEntropy is set. You can create your own CA: 28 Lutz Jnicke, 29 Gregory Neil Shapiro, and 30 Martin Ouwehand (for Apache, but most of the steps can be used for an MTA too) wrote explanations how to do it. If this doesn't reveal any problems, increase the LogLevel to 14 and try again. Operation STARTTLS can be used to 33 allow relaying based on certificates, and to 34 restrict incoming or outgoing connections. For this purpose, several rulesets are available which require some 35 new macros and the 36 access map. New Macros New macros for SMTP STARTTLS are {cert_issuer} holds the 37 DN of the CA (the cert issuer). PROTOCOL protocol error occurred SOFTWARE problems during the handshake at the TLS level. Relaying SMTP STARTTLS can allow relaying for senders who have successfully authenticated themselves. Otherwise the 40 DN of the issuer is looked up in the 41 access map using the tag CERTISSUER. If it is SUBJECT, the 42 DN of the CERT subject is looked up next in the 43 access map. To make things a bit more flexible (or complicated), the values for {cert_issuer} and {cert_subject} can be optionally modified by regular expressions defined in the m4 variables _CERT_REGEX_ISSUER_ and _CERT_REGEX_SUBJECT_, respectively. To avoid problems with those macros in rulesets and map lookups, they are modified as follows: each non-printable character and the characters '<', '>', '(', ')', '"', '+' are replaced by their HEX value with a leading '+'. The parameter is the value of {verify} and STARTTLS or MAIL, respectively. If no 44 access map is in use, the connection will be accepted unless {verify} is SOFTWARE, in which case the connection is always aborted. Otherwise, {client_name}/{server_name} is looked up in the 45 access map using the tag TLS_Srv (or TLS_Clt), which is done with the ruleset LookUpDomain. If no entry is found, {client_addr}/{server_addr} is looked up in the 46 access map (same tag, ruleset LookUpAddr). If this doesn't result in an entry either, just the tag is looked up in the 47 access map (included the trailing :). Values for those entries in the 48 access map should be: VERIFY verification must have succeeded VERIFY:bits verification must have succeeded and 49 {cipher_bits} must be greater than or equal bits. ENCR:bits 50 {cipher_bits} must be greater than or equal bits. The RHS can optionally be prefixed by TEMP+ or PERM+ to select a temporary or permanent error. The number of bits used for the key of the symmetric cipher (here: 3DES) is stored in the macro {auth_ssf}. Received: Header The Received: header reveals whether STARTTLS has been used. Advantages and Limits of TLS STARTTLS has the following advantages: * authentication: client and server of a SMTP connection can be identified. All of these advantages are provided transparently by MTAs without interaction of users. They do not need to have special software installed in their MUAs which additionally must be compatible with the software of the recipient. This is also the reason for several limits: * It does not provide end-to-end encryption, since a user can usually not control the whole transmission. This is in contrast to the use of TLS for http: here the user's client (a WWW browser) connects directly to the server that provides the data. Even then the message might be faked during local delivery. Summary: to get end-to-end privacy, integrity and authentication, end-user software like 65 PGP or 66 S/MIME must be used. This requires at least some knowledge of 67 such software and responsible use by end-users. This MTA seems to understand only SSLv3, but not TLSv1 or the default mode that 76 OpenSSL uses. Please don't use RSARef since there are 79 fully functional RSA implementations available. This is what sendmail (using OpenSSL) does when it acts > as client and no client cert is available. The fix will also be included in the next Windows 2000 service pack after SP2 and is already in Windows Xp 2002 beta. STARTTLS Debugging by Hand A 83 patch has been posted to the 84 OpenSSL mailing list which contains a program similar to s_client to connect to MTAs for testing STARTTLS. Credits The implementation of STARTTLS in sendmail was influenced by the example programs of 85 OpenSSL and the work of 86 Lutz Jnicke.