Roman V Isaev <[EMAIL PROTECTED]> writes:
> On 03/02, Russ Allbery wrote:

>> We did, for IMAP and POP.  Was easier to write a proxy that spoke
>> Kerberos than it was to try to get vendors to support Kerberos.  SMTP
>> is even simpler than those.  (*Much* simpler than IMAP, which is a
>> royal pain of a protocol to write software for.)

> Is your proxy in public domain, GPL or whatever? :-)

Good question.  Answer is, I don't know.  I'll try to find that out.  It
was a project that various people here were working on in conjunction with
other projects, one of which I think we're not releasing for export
reasons and such not, and the other of which was in cooperation with a
particular vendor.  So the licensing is probably confused.  The part I
personally did was a proof of concept server-side proxy implementation
(see below) that were I to turn into an actual release I'd probably clean
up and rework a good bit anyway.

> RFC2222 was written in 1997, and now 1999. We still do not have common
> SMTP authentication. Yes, everything above CAN be done, but it's too
> complicated for an average programmer, and there are a lot of asinine
> problems with strong encryption like U.S. export troubles, prohibited
> strong cryptography in Russia, etc, etc. What we really need is:

SASL's actually pretty straightforward.  I wrote an IMAP Kerberos 4 proxy
that uses SASL in about two days from blank screen to fully debugged and
working (if not maximally feature-full or robust) code, and most of that
time was spent fighting with the IMAP protocol, not with the SASL pieces.

> 1. Simple SASL implementation in public domain, available to everyone
> without any restriction (quite probably it was done already),

I rolled my own, but I wouldn't recommend that anyone else does this.
Best starting point is probably heading to
  <URL:ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/>
and grabbing the latest version of cyrus-sasl.

> 2. Easy to use proxy for end-users, speaking this particular SASL, and

This part is the part that takes some time, since they need dialog boxes
to put their password, auth credentials, and what have you in somewhere.
And if they're using Kerberos, some way of interacting with whatever else
on the system is obtaining Kerberos credentials.

> 3. Someone who will patch every popular MTA and bugger MTA authors to
> include these in the standard distribution.

You don't need to do that, actually.  Proxy both ends.  Run a daemon on
the Unix side that speaks SASL to a client and runs on a different port.
You don't have to run the thing on port 25, since you control the client
end as well with the client proxy.  The server proxy and the client proxy
speak authentication to each other and then turn into passthroughs for the
pieces that want to talk SMTP on both ends.

This is what I did to Kerberize an IMAP server that I couldn't munge
directly.  And that way on the SMTP end all that remains is to allow
unlimited relaying from localhost, since the proxied incoming connection
will appear to be from there.

The Unix-side server proxy is seriously only a day or two of work, if
someone just sits down and writes it straight through.  Maybe less, with
the SASL library from Cyrus.

The PC/Mac client end is harder, since you have to actually worry about a
user interface and whatnot.  But it's still pretty straightforward.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>
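As an added example (not code from this thread or from the proxy Russ describes), here is a server-side proxy in the shape he sketches: it authenticates the client on a port of its own, then splices the connection through to the MTA listening on localhost, which therefore sees a local connection. It uses SASL PLAIN in place of the Kerberos 4 mechanism he used, so it only belongs behind TLS, since PLAIN carries the password in clear; the credential store, salt, users and MTA address are constructed assumptions.

```python
import base64
import hashlib
import hmac
import socket
import threading

# Constructed credential store (hypothetical): authcid -> hex SHA-256(salt || password).
SALT = b"constructed-salt"
USERS = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}

def check_plain(b64):
    """Verify a PLAIN response (authzid NUL authcid NUL passwd); authzid must be empty or equal authcid."""
    try:
        authzid, authcid, passwd = base64.b64decode(b64, validate=True).split(b"\0")
    except (ValueError, TypeError):
        return None
    user = authcid.decode("utf-8", "replace")
    if authzid not in (b"", authcid) or user not in USERS:
        return None  # refuse to authorize as another user, or an unknown one
    digest = hashlib.sha256(SALT + passwd).hexdigest()
    return user if hmac.compare_digest(digest, USERS[user]) else None

def authenticate(conn):
    """Proxy-private handshake: read one 'AUTH PLAIN <b64>' line, reply 235/535, return user or None."""
    line = b""
    while not line.endswith(b"\r\n") and len(line) < 4096:
        chunk = conn.recv(1)
        if not chunk:
            break
        line += chunk
    parts = line.strip().split(b" ")
    user = check_plain(parts[2]) if len(parts) == 3 and parts[:2] == [b"AUTH", b"PLAIN"] else None
    conn.sendall(b"235 OK\r\n" if user else b"535 FAIL\r\n")
    return user

def pump(src, dst):
    """Copy bytes one way until EOF; after auth the proxy is a plain passthrough."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)
    dst.shutdown(socket.SHUT_WR)

def serve(conn, smtp_addr=("127.0.0.1", 25)):
    """Handle one client: authenticate, then splice it to the local MTA (assumed on localhost:25)."""
    if authenticate(conn) is None:
        conn.close()
        return
    upstream = socket.create_connection(smtp_addr)
    threading.Thread(target=pump, args=(conn, upstream), daemon=True).start()
    pump(upstream, conn)
```

The MTA side then only needs to permit relaying from localhost, exactly as the message says; the client proxy is the mirror image, sending the AUTH line and then passing the mail client's SMTP through.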
