Sendmail Error at Boot
Frank Leonhardt
frank2 at fjl.co.uk
Mon Jan 27 12:11:22 UTC 2014
On 27/01/2014 07:40, Robert Simmons wrote:
> On Mon, Jan 27, 2014 at 2:28 AM, Matthew Seaman <matthew at freebsd.org> wrote:
>> On 27/01/2014 03:19, Robert Simmons wrote:
>>> Why is this not part of the install?
>> Sendmail in base doesn't come configured to use TLS by default, although
>> the appropriate capabilities are compiled in to the binaries.
>>
>> I've no idea why enabling TLS isn't the default -- seems like a
>> no-brainer in this day and age. It would require generating a key and
>> (self-signed) cert on first startup after installation, much like the
>> way SSH keys are generated, but so long as the problems with startup
>> entropy availability have been satisfactorily sorted out (which I
>> believe they have) I can't see any huge problem with that.
> Thanks for the explanation. I agree with the no-brainer. Last week the
> keynote at ShmooCon was Ian Goldberg, and one of the main points of his
> talk was that nothing should ever be sent over a network in plaintext
> from now on. And there should not be a choice of two protocol
> versions, one encrypted and one plaintext, because a non-zero number
> of users will choose plaintext.
>
It's not as simple as that, as quite a lot of application software uses
the unencrypted ports and has no way of knowing whether it's talking
on a secure unencrypted line (i.e. local copper or VPN).
I haven't played with the latest release sendmail, but if SSL and SASL
are easier to turn on, that's a great start.
I don't think anyone with a brain has been sending unencrypted email
across the Internet, except possibly iPhone users, for whom installing a
self-signed certificate seems to be impossible (if anyone knows a method
that's simple enough for a fanboi to understand, please tell me!).
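A first-boot script of the kind Matthew describes (generate a key and self-signed cert once, like SSH host keys, then point sendmail at it), added here as an example; it is not from the thread or from FreeBSD's own rc scripts, and the certificate directory, file names and hostname handling are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): first-boot generation of a self-signed
# key/cert for sendmail STARTTLS, in the idempotent style of SSH host-key creation.
# CERTDIR and the file names are assumptions, not FreeBSD defaults.
CERTDIR="${CERTDIR:-/etc/mail/certs}"

# True (exit 0) when the key or cert is missing, i.e. generation is still needed.
sendmail_tls_needed() {
    dir="$1"
    if [ -s "$dir/host.key" ] && [ -s "$dir/host.cert" ]; then
        return 1
    fi
    return 0
}

# Create a 2048-bit RSA key and a 10-year self-signed cert only if absent,
# so it is safe to call on every boot. The key is left 0600 because sendmail
# refuses to load group- or world-readable key files.
sendmail_tls_generate() {
    dir="$1"; cn="$2"
    sendmail_tls_needed "$dir" || return 0
    mkdir -p "$dir" && chmod 755 "$dir" || return 1
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=$cn" -keyout "$dir/host.key" -out "$dir/host.cert" 2>/dev/null ) || return 1
    chmod 600 "$dir/host.key" && chmod 644 "$dir/host.cert"
}

# m4 lines for the sendmail .mc file (/etc/mail/<hostname>.mc on FreeBSD) that
# point both the server side and the client side of TLS at the generated pair.
sendmail_tls_mc() {
    dir="$1"
    cat <<EOF
define(\`confCACERT_PATH', \`$dir')dnl
define(\`confCACERT', \`$dir/host.cert')dnl
define(\`confSERVER_CERT', \`$dir/host.cert')dnl
define(\`confSERVER_KEY', \`$dir/host.key')dnl
define(\`confCLIENT_CERT', \`$dir/host.cert')dnl
define(\`confCLIENT_KEY', \`$dir/host.key')dnl
EOF
}

# Usage: run as root at boot, then rebuild sendmail.cf from the .mc file.
if [ "${1:-}" = "run" ]; then
    sendmail_tls_generate "$CERTDIR" "$(hostname)" && sendmail_tls_mc "$CERTDIR"
fi
```

After regenerating sendmail.cf and restarting, `STARTTLS` should appear in the EHLO response on port 25; clients still get a self-signed-cert warning until the cert is trusted or replaced.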