# README.SASL - Readme about SASL support in nmh
#

SASL is short for the Simple Authentication and Security Layer. It is
a framework for adding authentication and encryption to network protocols.
It is described in IETF RFC 2222.

This release of nmh supports SASL for POP and SMTP. The SASL support
is implemented using the Cyrus-SASL library. This library can be found
at ftp://ftp.andrew.cmu.edu/pub/cyrus-mail. Obviously, SASL support only
works if you use --enable-pop and the SMTP mail transport.

This release of nmh only supports "Version 2" of the Cyrus SASL library.
It should work with any newer Cyrus SASL release, but it was tested with
Cyrus SASL 2.1.22. In particular, the CRAM-MD5 and GSSAPI (Kerberos 5)
mechanisms were tested. Older versions of Cyrus-SASL had a bug which
could manifest when negotiating encryption, depending on the encryption
type you used, so a newer version of Cyrus-SASL is recommended.

Currently, security layers ("encryption" in SASL-speak) are supported
for both POP and SMTP. This means that if your POP or SMTP server
_and_ the selected SASL mechanism both support it, client-server
communications will be encrypted. In theory this should work with
any SASL mechanism that supports security layers; it has only been
tested with the GSSAPI mechanism.

If you are curious as to whether your communications are actually
encrypted, you can use the -snoop flag to the POP or SMTP utilities.
Communication that is encrypted is preceded by (encrypted) or
(decrypted), depending on the direction of communication.

If you would like to use the GSSAPI SASL mechanism (Kerberos V), you
should read very carefully the documentation that comes with
Cyrus-SASL, specifically the GSSAPI documentation. Getting the GSSAPI
plugin to work correctly with SASL can be "interesting" to say the least.
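
The -snoop check described above can be automated over a saved transcript. The following is an added example, not part of nmh: snoop_audit and sample_transcript are hypothetical names, the sample lines are constructed, and it assumes only that the (encrypted)/(decrypted) marker starts the line.

```shell
#!/bin/sh
# Added example, not part of nmh. Audits a saved -snoop transcript on stdin.
# Assumption: a protected line starts with "(encrypted)" or "(decrypted)",
# possibly after whitespace; the rest of each line is not interpreted.
snoop_audit() {
    awk '
        /^[ \t]*$/ { next }                      # skip blank lines
        /^[ \t]*\((encrypted|decrypted)\)/ {     # line sent under the security layer
            protected++
            if (!first) first = NR
            next
        }
        # Unmarked lines before the first marker are the normal cleartext
        # negotiation; unmarked lines after it are worth inspecting.
        first {
            leaked++
            printf "line %d unmarked after layer start: %s\n", NR, $0
        }
        END {
            printf "protected=%d clear_after_start=%d\n", protected, leaked
            if (protected == 0) exit 2   # no security layer was ever in use
            if (leaked > 0) exit 1       # unmarked traffic after the layer started
            exit 0
        }
    '
}

# Constructed sample transcript (not captured from a real session).
sample_transcript() {
    cat <<'EOF'
=> AUTH GSSAPI
<= 235 Authentication successful
(encrypted) => MAIL FROM:<user@example.org>
(decrypted) <= 250 ok
(encrypted) => QUIT
EOF
}

sample_transcript | snoop_audit
```

Exit status 0 means every line after the first marker was marked, 1 means unmarked lines followed it, and 2 means no marker appeared at all, for example when the server or mechanism offered no security layer.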