Recipe 7.7 Avoiding Double Encryption

Problem

You have a system that is configured for both external encryption and SASL security. On those occasions when strong external encryption is in use, you want to avoid using AUTH encryption.

Solution

Create a sendmail configuration that sets the maximum amount of encryption with the confAUTH_MAX_BITS define. Set the maximum number of encryption bits to a value less than the number of bits used by the external encryption; for example, setting this define to 128 turns off AUTH encryption when the transport layer is already encrypted with TLS. The following lines added to the sendmail configuration turn off AUTH encryption when other encryption is used:

 dnl Disable double encryption
 define(`confAUTH_MAX_BITS', `128')

Build and install sendmail.cf, and then restart sendmail, as shown in Recipe 1.8.

Discussion

This recipe assumes that AUTH is configured as described in Recipes 7.1 and 7.2 and that STARTTLS is configured as described in Chapter 8.

The confAUTH_MAX_BITS define creates the AuthMaxBits option in the sendmail.cf file and assigns a value to that option. For example:

 O AuthMaxBits=128 

This option tells sendmail that SASL encryption added to any existing encryption should not exceed 128 bits of encryption. Since any existing external encryption will provide at least 128 bits of encryption, this option turns off SASL encryption when the link is already encrypted.

Chapter 8 describes how TLS is used to encrypt the mail transport. When the link is encrypted by an external mechanism, such as TLS, there is no need to add a second layer of encryption with SASL. It is also possible to specify EXTERNAL on the list of advertised authentication techniques using the confAUTH_MECHANISMS define. Doing this avoids adding a second layer of unneeded authentication to a link that has been authenticated by an external protocol, such as TLS.
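One way to check from the mail log that the setting behaves as described, as an added example that is not from the book: the script flags sessions in which a SASL security layer was still negotiated on a TLS-encrypted link. It assumes sendmail's STARTTLS=server and AUTH=server log lines each carry a bits= field and share the process ID in the syslog tag; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find sessions where SASL encryption was layered on top of TLS.
# Assumption: sendmail logs "STARTTLS=server ... bits=N/N" and
# "AUTH=server ... bits=N" with the same process ID in the syslog tag.

# Constructed sample log lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 mail sm-mta[2101]: STARTTLS=server, relay=c1.example.org [192.0.2.10], version=TLSv1, verify=NO, cipher=AES256-SHA, bits=256/256
Jan 10 10:00:02 mail sm-mta[2101]: AUTH=server, relay=c1.example.org [192.0.2.10], authid=alice, mech=DIGEST-MD5, bits=128
Jan 10 10:05:01 mail sm-mta[2102]: STARTTLS=server, relay=c2.example.org [192.0.2.11], version=TLSv1, verify=NO, cipher=AES256-SHA, bits=256/256
Jan 10 10:05:02 mail sm-mta[2102]: AUTH=server, relay=c2.example.org [192.0.2.11], authid=bob, mech=DIGEST-MD5, bits=0
Jan 10 10:09:02 mail sm-mta[2103]: AUTH=server, relay=c3.example.org [192.0.2.12], authid=carol, mech=DIGEST-MD5, bits=128
EOF
}

# Reads log files given as arguments, or standard input when none are given.
# Prints one line per session that has both TLS bits > 0 and SASL bits > 0.
double_encrypted() {
    awk '
    {
        # Process ID from the syslog tag, e.g. "sm-mta[2101]:"
        if (!match($0, /\[[0-9]+\]:/)) next
        pid = substr($0, RSTART + 1, RLENGTH - 3)
    }
    /STARTTLS=server/ {
        # Remember the TLS cipher strength for this process
        if (match($0, /bits=[0-9]+/))
            tls[pid] = substr($0, RSTART + 5, RLENGTH - 5) + 0
        next
    }
    /AUTH=server/ {
        if (match($0, /bits=[0-9]+/)) {
            sasl = substr($0, RSTART + 5, RLENGTH - 5) + 0
            if (sasl > 0 && tls[pid] > 0)
                printf "pid=%s tls_bits=%d sasl_bits=%d\n", pid, tls[pid], sasl
        }
        # Forget the TLS state so a reused process ID is not misattributed
        delete tls[pid]
    }' "$@"
}

# Demonstration on the constructed sample: only session 2101 is reported.
sample_log | double_encrypted
```

With AuthMaxBits set as in this recipe, a run over the real mail log should print nothing; session 2103 in the sample is not reported because SASL encryption without TLS is not double encryption.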

See Also

Recipe 7.4 covers the confAUTH_MECHANISMS define. The sendmail book covers confAUTH_MAX_BITS in Section 24.9.4.



sendmail Cookbook
ISBN: 0596004710
EAN: 2147483647
Year: 2005
Pages: 178
Authors: Craig Hunt
