GNU Mailman

Bug #490044
Comment #7

Comment 7 for bug 490044

Revision history for this message

Patrick Ben Koetter (p-state-of-mind) wrote on 2011-01-03: Re: [Bug 490044] Re: Implement SMTP AUTH in Mailman 3

* Barry Warsaw <email address hidden>:
> In all honesty, I don't know the details. Looking at the smtplib code
> in Python 2.6 though, it essentially delegates everything to the socket
> layer. If the pem/cert files are given, it wraps the socket in an ssl
> socket, though it only provides a subset of the options available to
> ssl.wrap_socket(). That's the extent of smtplib's support AFAICT.

Erhm, misunderstanding? I wasn't talking about STARTTLS, but the possibility
to control which SMTP AUTH mechnanism will be used.

I took a look at the library and it seems like the library tries to do "the
right thing":

    # List of authentication methods we support: from preferred to
    # less preferred methods. Except for the purpose of testing the weaker
    # ones, we prefer stronger methods like CRAM-MD5:
    preferred_auths = [AUTH_CRAM_MD5, AUTH_PLAIN, AUTH_LOGIN]

CRAM-MD5 is fine, because the identity sent for authentication goes encrypted
over the network. Not so PLAIN or LOGIN. They will only encoded (base64) over
the Net.

We should at least mention in the docs that if MM3 send authentication data
over an unsecured network the submission server on the other end should
support CRAM-MD5. If it does, smtplib will do the right (read: secure) thing.

p@rick

>
> Mailman won't support anything the underlying smtplib module doesn't
> support, so if changes need to happen there, it's best to do that in the
> context of Python development (though even there, likely nothing will
> change until Python 3.3 which is a long way off).
>
> --
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/490044
>
> Title:
> Implement SMTP AUTH in Mailman 3
>
> Status in GNU Mailman:
> Fix Committed
>
> Bug description:
> Mailman 3 should support sending messages over submission port (587). The Submission RFC (4409, "Message Submission for Mail", http://www.rfc-editor.org/rfc/rfc4409.txt) requires SMTP AUTH, when messages are introduced on submission port.
>
> Currently Mailman does not implement any SMTP AUTH functionality. It looks like Python's smtplib supports PLAIN, LOGIN, and CRAM-MD5. That would be sufficient. Additionally STARTTLS should be implemented to protect credentials when they are sent using either PLAIN or LOGIN.
>
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/mailman/+bug/490044/+subscribe

--
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15 Telefon +49 89 3090 4664
81669 München Telefax +49 89 3090 4666

Amtsgericht München Partnerschaftsregister PR 563

* Barry Warsaw <490044@bugs.launchpad.net>:
> In all honesty, I don't know the details.  Looking at the smtplib code
> in Python 2.6 though, it essentially delegates everything to the socket
> layer.  If the pem/cert files are given, it wraps the socket in an ssl
> socket, though it only provides a subset of the options available to
> ssl.wrap_socket().  That's the extent of smtplib's support AFAICT.

Erhm, misunderstanding? I wasn't talking about STARTTLS, but the possibility
to control which SMTP AUTH mechnanism will be used.

I took a look at the library and it seems like the library tries to do "the
right thing":

CRAM-MD5 is fine, because the identity sent for authentication goes encrypted
over the network. Not so PLAIN or LOGIN. They will only encoded (base64) over
the Net.

p@rick

> 
> Mailman won't support anything the underlying smtplib module doesn't
> support, so if changes need to happen there, it's best to do that in the
> context of Python development (though even there, likely nothing will
> change until Python 3.3 which is a long way off).
> 
> -- 
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/490044
> 
> Title:
>   Implement SMTP AUTH in Mailman 3
> 
> Status in GNU Mailman:
>   Fix Committed
> 
> Bug description:
>   Mailman 3 should support sending messages over submission port (587). The Submission RFC (4409, "Message Submission for Mail", http://www.rfc-editor.org/rfc/rfc4409.txt) requires SMTP AUTH, when messages are introduced on submission port.
> 
> Currently Mailman does not implement any SMTP AUTH functionality. It looks like Python's smtplib supports PLAIN, LOGIN, and CRAM-MD5. That would be sufficient. Additionally STARTTLS should be implemented to protect credentials when they are sent using either PLAIN or LOGIN.
> 
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/mailman/+bug/490044/+subscribe

-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666

Amtsgericht München        Partnerschaftsregister PR 563