[Bug 490044] Re: Implement SMTP AUTH in Mailman 3

Patrick Ben Koetter p at state-of-mind.de
Mon Jan 3 22:13:13 CET 2011

* Barry Warsaw <490044 at bugs.launchpad.net>:
> In all honesty, I don't know the details.  Looking at the smtplib code
> in Python 2.6 though, it essentially delegates everything to the socket
> layer.  If the pem/cert files are given, it wraps the socket in an ssl
> socket, though it only provides a subset of the options available to
> ssl.wrap_socket().  That's the extent of smtplib's support AFAICT.

Erhm, misunderstanding? I wasn't talking about STARTTLS, but the possibility
to control which SMTP AUTH mechnanism will be used.

I took a look at the library and it seems like the library tries to do "the
right thing":

    # List of authentication methods we support: from preferred to
    # less preferred methods. Except for the purpose of testing the weaker
    # ones, we prefer stronger methods like CRAM-MD5:
    preferred_auths = [AUTH_CRAM_MD5, AUTH_PLAIN, AUTH_LOGIN]

CRAM-MD5 is fine, because the identity sent for authentication goes encrypted
over the network. Not so PLAIN or LOGIN. They will only encoded (base64) over
the Net.

We should at least mention in the docs that if MM3 send authentication data
over an unsecured network the submission server on the other end should
support CRAM-MD5. If it does, smtplib will do the right (read: secure) thing.

p at rick

> Mailman won't support anything the underlying smtplib module doesn't
> support, so if changes need to happen there, it's best to do that in the
> context of Python development (though even there, likely nothing will
> change until Python 3.3 which is a long way off).
> -- 
> You received this bug notification because you are a direct subscriber
> of the bug.
> https://bugs.launchpad.net/bugs/490044
> Title:
>   Implement SMTP AUTH in Mailman 3
> Status in GNU Mailman:
>   Fix Committed
> Bug description:
>   Mailman 3 should support sending messages over submission port (587). The Submission RFC (4409, "Message Submission for Mail", http://www.rfc-editor.org/rfc/rfc4409.txt) requires SMTP AUTH, when messages are introduced on submission port.
> Currently Mailman does not implement any SMTP AUTH functionality. It looks like Python's smtplib supports PLAIN, LOGIN, and CRAM-MD5. That would be sufficient. Additionally STARTTLS should be implemented to protect credentials when they are sent using either PLAIN or LOGIN.
> To unsubscribe from this bug, go to:
> https://bugs.launchpad.net/mailman/+bug/490044/+subscribe

state of mind
Digitale Kommunikation


Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666

Amtsgericht München        Partnerschaftsregister PR 563

You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.

  Implement SMTP AUTH in Mailman 3

More information about the Mailman-coders mailing list