From c7bd999c1c9daec7e815da6fd7beb92c043c5be7 Mon Sep 17 00:00:00 2001 From: Simon Josefsson Date: Fri, 28 May 2004 05:51:46 +0000 Subject: [PATCH] smtpmail.texi (Authentication): Improve STARTTLS discussion. --- man/smtpmail.texi | 42 +++++++++++++++++++++++++++++------------- 1 file changed, 29 insertions(+), 13 deletions(-) diff --git a/man/smtpmail.texi b/man/smtpmail.texi index 08ce87ac995..6efe6f71630 100644 --- a/man/smtpmail.texi +++ b/man/smtpmail.texi @@ -215,13 +215,30 @@ variables contains the authentication information needed for this. The first variable, @code{smtpmail-auth-credentials}, instructs the SMTP library to use a SASL authentication step, currently only the CRAM-MD5 and LOGIN mechanisms are supported and will be selected in -that order if the server supports them. The second variable, -@code{smtpmail-starttls-credentials}, instructs the SMTP library to -connect to the server using STARTTLS. This means the protocol -exchange can be integrity protected and confidential by using TLS, and -optionally also authentication of the client. It is common to use -both these mechanisms, e.g., to use STARTTLS to achieve integrity and -confidentiality and then use SASL for client authentication. +that order if the server support both. + +The second variable, @code{smtpmail-starttls-credentials}, instructs +the SMTP library to connect to the server using STARTTLS. This means +the protocol exchange may be integrity protected and confidential by +using TLS, and optionally also authentication of the client. This +feature uses the elisp package @file{starttls.el} (see it for more +information on customization), which in turn require that at least one +of the following external tools are installed: + +@enumerate +@item +The GNUTLS command line tool @samp{gnutls-cli}, you can get it from +@url{http://www.gnu.org/software/gnutls/}. This is the recommended +tool, mainly because it can verify the server certificates. + +@item +The @samp{starttls} external program, you can get it from +@file{starttls-*.tar.gz} from @uref{ftp://ftp.opaopa.org/pub/elisp/}. +@end enumerate + +It is not uncommon to use both these mechanisms, e.g., to use STARTTLS +to achieve integrity and confidentiality and then use SASL for client +authentication. @table @code @item smtpmail-auth-credentials @@ -231,11 +248,13 @@ hostname, port, username and password tuples. When the SMTP library connects to a host on a certain port, this variable is searched to find a matching entry for that hostname and port. If an entry is found, the authentication process is invoked and the credentials are -used. The hostname field follows the same format as +used. + +The hostname field follows the same format as @code{smtpmail-smtp-server} (i.e., a string) and the port field the same format as @code{smtpmail-smtp-service} (i.e., a string or an integer). The username and password fields, which either can be -@code{nil} to indicate that the user is queried for the value +@code{nil} to indicate that the user is prompted for the value interactively, should be strings with the username and password, respectively, information that is normally provided by system administrators. @@ -246,10 +265,7 @@ administrators. tuples with hostname, port, name of file containing client key, and name of file containing client certificate. The processing is similar to the previous variable. The client key and certificate may be -@code{nil} if you do not wish to use client authentication. The use -of this variable requires the @samp{starttls} external program to be -installed, you can get @file{starttls-*.tar.gz} from -@uref{ftp://ftp.opaopa.org/pub/elisp/}. +@code{nil} if you do not wish to use client authentication. @end table The following example illustrates what you could put in