The AuthMechanisms option is used to declare the
types of authentication you want to allow to be passed in the AUTH
ESMTP extension (see RFC2554). You use this option by listing the
mechanisms you wish to set as its value:
    O AuthMechanisms=mechanisms                      configuration file (V8.10 and later)
    -OAuthMechanisms=mechanisms                      command line (V8.10 and later)
    define(`confAUTH_MECHANISMS', `mechanisms')      mc configuration (V8.10 and later)
When there is more than one preferred mechanism, each is separated
from the others by space characters. For example:
define(`confAUTH_MECHANISMS', `CRAM-MD5 KERBEROS_V4')
Before the AUTH line of the EHLO response is generated, sendmail
computes the intersection of the mechanisms you want and those
supported by the SASL software you have installed. Only mechanisms
that both appear in this option and are supported by your software
are listed in the AUTH line that is issued:
    250-AUTH CRAM-MD5
Here, you wanted both CRAM-MD5 and KERBEROS_V4 offered as mechanisms.
But if the SASL software installed on your machine, for example,
supports only CRAM-MD5 and DIGEST-MD5, the common or intersecting
mechanism will be CRAM-MD5, so that is all that will be advertised.
When more than one mechanism is listed, the other side will negotiate
them one at a time, until one succeeds. For example, the interplay of
the offered mechanisms and the counters by the other side might look
like this:
    220 other.domain ESMTP Sendmail 8.12.7/8.12.7; Sat, 18 Dec 1999 09:17:09 -0800 (PST)
    EHLO host.your.domain
    250-host.your.domain Hello you@host.your.domain [122.45.67.8], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ONEX
    250-ETRN
    250-AUTH CRAM-MD5 KERBEROS_V4            <-- we support
    250-XUSR
    250 HELP
    AUTH CRAM-MD5                            <-- they first try this
    334
    authentication challenge here
    authentication reply here
    504 5.7.0 Authentication failure         <-- that fails
    AUTH KERBEROS_V4                         <-- so they try this
    334
    authentication challenge here
    authentication reply here
    235 2.0.0 OK Authenticated               <-- which succeeds
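The intersection described above, and the one-mechanism-at-a-time
negotiation shown in the transcript, can be checked from a script.
The following is an added example (not code from sendmail or from this
book) that computes the advertised list from a confAUTH_MECHANISMS value
and an assumed set of SASL-supported mechanisms, extracts the AUTH line
from a constructed EHLO response, and simulates a client trying the
offered mechanisms in order until one succeeds. It also flags PLAIN and
LOGIN, the two mechanisms the text describes as sending the password in
plain text, so an administrator can see at a glance whether a cleartext
mechanism is being offered. All values, function names and the sample
EHLO response are constructed for illustration.

```python
import re

# Constructed sample values (assumptions, not taken from any real install):
# what the administrator put in confAUTH_MECHANISMS, and what the
# installed SASL library actually supports.
CONFIGURED = "CRAM-MD5 KERBEROS_V4"
SASL_SUPPORTED = {"CRAM-MD5", "DIGEST-MD5"}

# The text describes PLAIN as plain-text password authentication and
# LOGIN as a two-step version of PLAIN; flag both as cleartext.
CLEARTEXT = {"PLAIN", "LOGIN"}

# Constructed EHLO response, shaped like the one in the transcript above.
EHLO_RESPONSE = """250-host.your.domain Hello you@host.your.domain [122.45.67.8], pleased to meet you
250-ENHANCEDSTATUSCODES
250-AUTH CRAM-MD5 KERBEROS_V4
250 HELP"""


def advertised(configured: str, supported: set) -> list:
    """Intersect the space-separated option value with the SASL-supported
    set, keeping the administrator's order. Empty means no AUTH is offered."""
    return [m for m in configured.split() if m.upper() in supported]


def auth_line(configured: str, supported: set) -> str:
    """Render the 250-AUTH line as it would appear in the EHLO response."""
    mechs = advertised(configured, supported)
    return "250-AUTH " + " ".join(mechs) if mechs else ""


def parse_ehlo_auth(response: str) -> list:
    """Pull the offered mechanism list out of a multi-line EHLO response."""
    for line in response.splitlines():
        m = re.match(r"250[- ]AUTH\s+(.*)", line.strip())
        if m:
            return m.group(1).split()
    return []


def negotiate(offered: list, accepted_by_server: set) -> tuple:
    """Simulate the client trying offered mechanisms one at a time until one
    succeeds. Returns (winning mechanism or None, transcript lines)."""
    transcript = []
    for mech in offered:
        transcript.append(f"AUTH {mech}")
        transcript.append("334 (challenge and reply exchanged)")
        if mech in accepted_by_server:
            transcript.append("235 2.0.0 OK Authenticated")
            return mech, transcript
        transcript.append("504 5.7.0 Authentication failure")
    return None, transcript


def cleartext_offered(offered: list) -> list:
    """Mechanisms in the offered list that carry the password unprotected."""
    return [m for m in offered if m.upper() in CLEARTEXT]


if __name__ == "__main__":
    print(auth_line(CONFIGURED, SASL_SUPPORTED))          # 250-AUTH CRAM-MD5
    offered = parse_ehlo_auth(EHLO_RESPONSE)
    # Model a server that only accepts KERBEROS_V4, as in the transcript.
    winner, lines = negotiate(offered, {"KERBEROS_V4"})
    print("\n".join(lines))
    print("authenticated with:", winner)
    print("cleartext mechanisms offered:", cleartext_offered(offered))
```

Running the block prints the single-mechanism AUTH line, the
two-attempt negotiation, and an empty cleartext list for this
configuration; adding PLAIN to CONFIGURED (and to SASL_SUPPORTED) makes
the last line report it.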
The following mechanisms are the maximum set of those recognized by
the cyrus-sasl-1.5.16 distribution. Not all will
be compiled in, so not all will be supported.
- ANONYMOUS: The ANONYMOUS mechanism allows anyone to use the service.
  Authentication parallels that of the anonymous ftp login.
- CRAM-MD5: The CRAM-MD5 mechanism is the style of authentication used
  by POP servers known as APOP.
- DIGEST-MD5: The DIGEST-MD5 mechanism is a stronger version of the
  CRAM-MD5 mechanism that also supports encryption.
- GSSAPI: The GSSAPI mechanism implements an API for general security
  services that also supports encryption. One example is support for
  Kerberos V5, which is achieved using GSSAPI.
- KERBEROS_V4: The KERBEROS_V4 mechanism implements authentication
  based on MIT's Kerberos 4.
- PLAIN: The PLAIN mechanism can perform plain text password
  authentication (in a single step) with either PAM, KERBEROS_V4, or
  /etc/passwd (or /etc/shadow) authentication.
- LOGIN: The LOGIN mechanism is a two-step version of PLAIN.
The complete list of current mechanisms, and the RFC that describes
each, can be found at http://www.iana.org/assignments/sasl-mechanisms/
and http://www.sendmail.org/~ca/email/mel/SASL_info.html.
The AuthMechanisms option is available only if
sendmail is compiled with SASL defined.
The AuthMechanisms option is not safe. If
specified from the command line, it can cause
sendmail to relinquish its special privileges.