Proposal to move Sendmail encryption info to Electronic Mail chapter

Mike Brown mike at skew.org
Sat Nov 23 12:25:33 UTC 2013


In the Security chapter, the section 14.8.2 (OpenSSL - Using Certificates) 
currently just gives one example: using certificates to enable the "STARTTLS" 
SMTP command in Sendmail, for the purpose of establishing an encrypted 
connection that hides cleartext passwords sent during authentication (which 
occurs via the "AUTH" command, if the PLAIN or LOGIN methods are used).

This text in 14.8.2 fails to mention the crucial prerequisite that to enable 
STARTTLS, regardless of whether it's for AUTH, Sendmail must be built with 
SASL support. Rebuilding Sendmail with SASL support in order to enable AUTH is 
discussed in the Electronic Mail chapter, section 27.9.

Given that Sendmail must be rebuilt with SASL support for both AUTH and 
STARTTLS, I feel that it would be ideal to combine the two sections by moving 
the Sendmail configuration info out of 14.8.2 and into 27.9.

This combined "SMTP Authentication and Encryption" section can begin by 
explaining that FreeBSD's stock Sendmail is not built with SASL support, which 
is needed for both authentication and encryption. It can then explain that in 
order to get SASL support, either:

* Install the mail/sendmail-sasl port (which then requires editing 
/etc/mail/mailer.conf and /etc/make.conf to fully replace the system's 
sendmail)

or

* If you have system source code in /usr/src, [insert steps 1, 4 & 5 from the 
current section on SMTP Authentication]. This will install the 
security/cyrus-sasl2 port, modify /etc/make.conf, and rebuild Sendmail.

Then we can have a subsection on enabling SMTP Authentication (as covered by 
steps 2, 3, 6 & 7 in the current text), and we can have a subsection on 
enabling STARTTLS (using what's currently in section 14.8.2). This 
latter section would link back to 14.8.1 for an overview of certificate 
generation.

If we proceed, then 14.8.2 will not have much left in it. It can either be 
removed, or (my preference) it can begin as it does, but link to section 27.9 
for details. It could also mention another example use for certificates: 
enabling HTTPS in Apache HTTPD with mod_ssl or mod_gnutls...not that such 
content has yet been written.


So, does this proposal sound reasonable?
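A practical check for the prerequisite the proposal turns on (whether the installed Sendmail was built with SASL and STARTTLS support) is to ask the binary itself: `sendmail -d0.1 -bv root </dev/null` prints a "Compiled with:" line listing its build-time options, with `SASLv2` and `STARTTLS` among them when present. The script below is an added example, not part of the original post or of the FreeBSD documentation; the two sample outputs are constructed to illustrate a stock build and a SASL-enabled rebuild, and the function names are the author's own.

```shell
#!/bin/sh
# Added example: decide whether a Sendmail binary has the SASL (AUTH) and
# STARTTLS support discussed above, by parsing the "Compiled with:" block
# that `sendmail -d0.1 -bv root </dev/null` prints.

# Print one build option per line from captured `sendmail -d0.1` output.
# The option list starts on the "Compiled with:" line and may wrap onto
# indented continuation lines; it ends at the first blank line (or at the
# "====" banner of the next section, in case the blank line is missing).
sendmail_features() {
    printf '%s\n' "$1" | awk '
        /Compiled with:/ { f = 1; sub(/.*Compiled with:[ \t]*/, "") }
        f && (/^[ \t]*$/ || /====/) { f = 0 }
        f { for (i = 1; i <= NF; i++) print $i }
    '
}

# Exit 0 if the named option (e.g. SASLv2, STARTTLS) is in the list.
has_feature() {
    sendmail_features "$1" | grep -qx "$2"
}

# Report both prerequisites; exit 0 only when both are present.
check_auth_tls_prereqs() {
    _out=$1
    _rc=0
    if has_feature "$_out" SASLv2; then
        echo "SASL support:     yes (AUTH can be enabled)"
    else
        echo "SASL support:     NO  (rebuild Sendmail with SASL first)"
        _rc=1
    fi
    if has_feature "$_out" STARTTLS; then
        echo "STARTTLS support: yes"
    else
        echo "STARTTLS support: NO"
        _rc=1
    fi
    return $_rc
}

# Constructed sample output (illustrative, not captured from a real host):
# a build without SASL ...
SAMPLE_NOSASL='Version 8.14.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
                SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = host'

# ... and the same build after a rebuild with SASL support.
SAMPLE_SASL='Version 8.14.7
 Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
                NAMED_BIND NETINET NETINET6 NETUNIX NEWDB NIS PIPELINING
                SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = host'

# Stand-alone run against the samples. On a real host, replace the sample
# with:  check_auth_tls_prereqs "$(sendmail -d0.1 -bv root </dev/null 2>&1)"
echo "== stock build =="
check_auth_tls_prereqs "$SAMPLE_NOSASL" || true
echo "== rebuilt with SASL =="
check_auth_tls_prereqs "$SAMPLE_SASL" || true
```

Run the live variant as root on the host in question: a non-zero exit from `check_auth_tls_prereqs` means the mailer.conf/make.conf rebuild the proposal describes has not taken effect for the `sendmail` binary actually in your PATH, which is worth confirming before touching the AUTH or STARTTLS lines in the `.mc` file.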

