[unisog] sendmail TLS

William J. Sproule sproule at Princeton.EDU
Sat Apr 6 00:56:52 GMT 2002


Princeton deployed campus-wide client smtp auth last week. It was a busy day
for the help desk; most calls were users who did not read the several
notifications that were sent out and needed to be walked through client
configuration.  We are not doing MTA->MTA auth.  We require the client to
STARTTLS before auth and support auth PLAIN and LOGIN.  Our client base is
Outlook, Netscape, Eudora, Entourage, and pine.

We did set up a restricted server for users and services that could not
authenticate.

I'd be happy to help out those who need it.  Our config is sendmail 8.12.2,
openssl, sasl, and we use PAM modules for auth against LDAP.

-b

sproule at Princeton.EDU

-----Original Message-----
From: Dawn Whiteside [mailto:dwhitesi at ist.uwaterloo.ca]
Sent: Friday, April 05, 2002 11:28 AM
To: unisog at sans.org
Subject: Re: [unisog] sendmail TLS


Joseph Brennan posted an excellent summary of issues related to
sendmail TLS/AUTH.  I would only like to add that some mail clients
(notably Eudora) may have problems sending mail when you install a
STARTTLS-enabled mailer *if* you are using an SSL certificate that
doesn't come from Verisign or another well-known commercial CA.

Bruce Campbell of our Engineering Computing department documented the
problem and the steps users need to take to get Eudora working with TLS
at http://www.laptop.uwaterloo.ca/help/config_security.html#eudora.

--
Dawn Whiteside, Information Systems and Technology
University of Waterloo, Waterloo ON, Canada
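
The policy described in the first message (STARTTLS required before AUTH, with PLAIN and LOGIN offered) can be checked from the outside by comparing a server's EHLO reply before and after STARTTLS. The following is an added example, not part of the original thread and not Princeton's configuration; the host names and transcripts are constructed, and it checks only what the server advertises, not whether an unadvertised AUTH command would still be accepted.

```python
import re

# Constructed EHLO replies (RFC 5321 multi-line 250 format) for illustration.
GOOD_PRE = """250-mail.example.edu Hello client.example.edu, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-STARTTLS
250 HELP"""
GOOD_POST = """250-mail.example.edu Hello client.example.edu, pleased to meet you
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-AUTH LOGIN PLAIN
250 HELP"""
BAD_PRE = """250-mail.example.edu Hello client.example.edu, pleased to meet you
250-STARTTLS
250-AUTH=LOGIN PLAIN
250 HELP"""

def parse_ehlo(reply):
    """Parse an EHLO reply into {KEYWORD: [PARAMS]}; accepts 'AUTH=' as well as 'AUTH '."""
    ext = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if not m:
            raise ValueError("not a 250 EHLO line: %r" % line)
        params = (m.group(2) or "").upper().split()
        ext.setdefault(m.group(1).upper(), []).extend(params)
    return ext

def check_policy(pre_tls, post_tls, required=("PLAIN", "LOGIN")):
    """Return a list of findings; an empty list means the advertised policy holds."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered on the cleartext connection")
    exposed = sorted(set(pre.get("AUTH", [])))
    if exposed:
        # PLAIN and LOGIN send the password essentially in the clear without TLS.
        findings.append("AUTH offered before STARTTLS: " + " ".join(exposed))
    missing = [m for m in required if m not in post.get("AUTH", [])]
    if missing:
        findings.append("AUTH mechanisms missing after STARTTLS: " + " ".join(missing))
    return findings

if __name__ == "__main__":
    print(check_policy(GOOD_PRE, GOOD_POST))
    print(check_policy(BAD_PRE, GOOD_POST))
```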


