netqmail is patched with Bill Schupp's "TLS and SMTP-AUTH support" patch, but that patch doesn't contemplate the possibility of denying authentication *before* a TLS session is established. It's a solid security feature that could be implemented with a trivial patch and a USE flag on the ebuild (although I feel that auth before TLS shouldn't be allowed at all, some other people may disagree, hence the option). I'm aware of the netqmail patch policy (which I agree with), but a well-reviewed and trivial patch that implements an important security feature seems to be a viable exception. I've attached a patch for netqmail-1.05-r3.ebuild and another for qmail-smtpd.c (to put in mail-mta/netqmail/files/). The patch for qmail-smtpd.c is almost equal to the one in bug #31426 for qmail.
Created attachment 89341: ebuild patch to include USE flag 'notlsbeforeauth'
Created attachment 89342: patch for qmail-smtpd.c to optionally (chosen at compile time) prevent auth without TLS
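As an added illustration of the check this bug asks for (example code, not the attached patch and not netqmail's own code): a minimal model of server-side SMTP command handling in which AUTH is refused until STARTTLS has completed, and AUTH is not even advertised in the EHLO reply before TLS is up. The struct and function names and the runtime flag are hypothetical; in the real patch the choice is made at compile time.

```c
/* Added example, not the patch attached to this bug. Models only the
 * state needed to show the "no AUTH before TLS" decision. */
#include <string.h>
#include <strings.h>

struct smtp_session {
    int tls_active;            /* set once STARTTLS has succeeded */
    int require_tls_for_auth;  /* hypothetical runtime switch; the real
                                  patch fixes this at compile time */
};

/* Return the reply to send for one client command line. */
const char *smtp_handle(struct smtp_session *s, const char *line)
{
    if (strncasecmp(line, "EHLO", 4) == 0) {
        /* Advertise AUTH only where it would be accepted, so a
         * well-behaved client never sends credentials in the clear. */
        if (s->tls_active)
            return "250-AUTH LOGIN PLAIN\r\n250 PIPELINING";
        if (s->require_tls_for_auth)
            return "250-STARTTLS\r\n250 PIPELINING";
        return "250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 PIPELINING";
    }
    if (strcasecmp(line, "STARTTLS") == 0) {
        if (s->tls_active)
            return "454 4.7.0 TLS already active";
        s->tls_active = 1;   /* the TLS handshake itself is not modelled */
        return "220 ready for TLS";
    }
    if (strcasecmp(line, "AUTH") == 0 || strncasecmp(line, "AUTH ", 5) == 0) {
        if (s->require_tls_for_auth && !s->tls_active)
            return "530 5.7.0 Must issue a STARTTLS command first"; /* RFC 3207 */
        return "334 ";       /* hand off to the SASL exchange (not modelled) */
    }
    return "502 unimplemented";
}
```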
My policy is to have netqmail as much as possible like upstream. Obviously, that's not fully possible, thus there are some patches in there. Your patch has no upstream maintainer and I won't add it. Please use QMAIL_PATCH_DIR.
(In reply to comment #3)
> My policy is to have netqmail as much as possible like upstream. Obviously,
> that's not fully possible, thus there are some patches in there. Your patch has
> no upstream maintainer and I won't add it. Please use QMAIL_PATCH_DIR.

I understand your point of view. Before I offer to maintain it myself, I'll contact Bill Schupp to see if he's interested in adding this feature to his patch.