[Bug 490044] Re: Implement SMTP AUTH in Mailman 3

Patrick Ben Koetter p at state-of-mind.de
Mon Jan 3 22:16:23 CET 2011

Erhm, misunderstanding? I wasn't talking about STARTTLS, but the
possibility to control which SMTP AUTH mechnanism will be used.

I took a look at the library and it seems like the library tries to do
"the right thing":

    # List of authentication methods we support: from preferred to
    # less preferred methods. Except for the purpose of testing the weaker
    # ones, we prefer stronger methods like CRAM-MD5:
    preferred_auths = [AUTH_CRAM_MD5, AUTH_PLAIN, AUTH_LOGIN]

CRAM-MD5 is fine, because the identity sent for authentication goes encrypted over the network. Not so PLAIN or LOGIN. They will only encoded (base64) over the Net.

We should at least mention in the docs that if MM3 sends authentication
data over an unsecured network the submission server on the other end
SHOULD support CRAM-MD5 or SMTP AUTH MAY be eavesdropped. However if it
uses CRAM-MD5, smtplib will do the right (read: secure) thing.

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Implement SMTP AUTH in Mailman 3

More information about the Mailman-coders mailing list