Kjetil Kjernsmo wrote:
> So, what I actually want is just to encrypt the password. The email will
> go unencrypted over the rest of the network anyway (unless I
> PGP-encrypt it), so SSL seems like an unnecessary hassle and overhead
> that I'd like to avoid. LOGIN and PLAIN are both freetext, right?
Yes, both LOGIN and PLAIN are plaintext (or trivially encoded). However, SSL/TLS is neither very much hassle, nor is it a significant amount of overhead on modern machines. It is also really the only way to secure login via SMTP; the protocol's design limits other authentication methods. You can still use a CRAM-MD5 password on disk as you originally wanted.

Here's how easy it is to create an SSL/TLS configuration for qpsmtpd:

1) cd into the qpsmtpd directory
2) type ./plugins/tls_cert (or see below for options you can pass)
3) Add "tls" to config/plugins (near the top)
4) Change your startup script to also bind to port 465 (e.g. with forkserver add --port 465)
5) Tell your users to switch to the SSL port or enable TLS in their mail client; they will have to mark the certificate as trusted the first time they connect.

That's it. Clients connecting to port 25 will see "250 STARTTLS" and can upgrade to TLS; clients connecting to port 465 will start out in TLS mode. All communications during the SMTP transaction (including the AUTH negotiation) are encrypted by the SSL certificate you created above.

If you wanted to pay someone to sign your server cert (for example if your users are too timid to flag your self-signed cert as trusted), you can take the file ssl/qpsmtpd-server.csr and have it signed by a public trusted CA. However, IMNSHO, this is a complete waste of money. In this case, the SSL certificate is not being used for client/server authentication (like in the https case), but merely for encryption of the transaction.

John

---
# plugins/tls_cert --help
plugins/tls_cert will generate a TLS certificate "the quick way", i.e. without interaction. You can change some defaults however. These options are recognized:

                                                  Default:
  --C      Country (two letters, e.g. DE)         XY
  --ST     State (spelled out)                    unknown
  --L      City                                   unknown
  --O      Organization                           QSMTPD
  --OU     Organizational Unit                    Server
  --CN     Common name                            havurah.adat-shalom.bethesda.md.us
  --email  Email address of postmaster            postmas...@cn
  --help   Show usage
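An added example, not code from the thread or from qpsmtpd: a small Python check of the extension list a server returns to EHLO, reporting whether LOGIN/PLAIN would be accepted before STARTTLS has been negotiated (the plaintext exposure the reply above describes). The EHLO replies, hostnames and addresses in it are constructed.

```python
"""Check an SMTP server's EHLO reply for plaintext-AUTH exposure.

Constructed example, not code from the original thread or from qpsmtpd:
it parses the multi-line 250 reply a server returns to EHLO and reports
whether LOGIN/PLAIN credentials would travel unprotected, i.e. whether
they are offered before STARTTLS has been negotiated.
"""
from typing import Dict, List

# LOGIN and PLAIN only base64-encode the password; they are safe only under TLS.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Map each advertised extension to its parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    exts: Dict[str, List[str]] = {}
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    for line in lines[1:]:                      # line 0 is the greeting, not an extension
        body = line[4:].strip()
        if body.upper().startswith("AUTH="):    # legacy "AUTH=PLAIN LOGIN" form
            body = "AUTH " + body[5:]
        if body:
            name, *params = body.split()
            exts[name.upper()] = [p.upper() for p in params]
    return exts


def audit_ehlo(reply: str, tls_active: bool) -> List[str]:
    """Return findings for one EHLO reply; tls_active says whether it was seen over TLS."""
    exts = parse_ehlo(reply)
    findings: List[str] = []
    if tls_active:
        return findings                         # anything offered inside TLS is encrypted
    if "STARTTLS" not in exts:
        findings.append("no STARTTLS offered: credentials and mail travel in the clear")
    exposed = sorted(set(exts.get("AUTH", [])) & PLAINTEXT_MECHS)
    if exposed:
        findings.append("AUTH %s offered before TLS: base64 is encoding, not encryption"
                        % ", ".join(exposed))
    return findings


# Constructed replies, modelled on what a port-25 server sends before and after STARTTLS.
WEAK_PRE_TLS = ("250-mail.example.test Hello [192.0.2.10]\r\n250-SIZE 10240000\r\n"
                "250-STARTTLS\r\n250-AUTH PLAIN LOGIN CRAM-MD5\r\n250 HELP\r\n")
NO_TLS_AT_ALL = "250-mail.example.test Hello\r\n250-AUTH=PLAIN LOGIN\r\n250 HELP\r\n"
CRAM_ONLY_PRE_TLS = "250-mail.example.test Hello\r\n250-STARTTLS\r\n250-AUTH CRAM-MD5\r\n250 HELP\r\n"

if __name__ == "__main__":
    for label, reply, tls in [("weak, before TLS", WEAK_PRE_TLS, False),
                              ("no TLS", NO_TLS_AT_ALL, False),
                              ("CRAM-MD5 only, before TLS", CRAM_ONLY_PRE_TLS, False),
                              ("same server, after STARTTLS", WEAK_PRE_TLS, True)]:
        print(label, "->", audit_ehlo(reply, tls) or ["OK"])
```

Run it against the reply captured from your own server before and after STARTTLS; a clean result before TLS means only mechanisms such as CRAM-MD5 are offered on the unencrypted leg.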