Skip to Main Content
IBM Z Hardware and Operating Systems Ideas Portal


This is the public portal for all IBM Z Hardware and Operating System related offerings. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas
  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Status Future consideration
Workspace z/OS
Created by Guest
Created on Nov 5, 2012

CSSMTP Suppport for SASL Methods PLAIN and KERBEROS

CSSMTP Suppport for SASL Methods PLAIN and KERBEROS.

Our Security Department requires any Mail Sender
to identify itself via 'Simple Authentication and Security Layer' (SASL).

Three SASL Methods would fulfill that requirement:

a) Method PLAIN.
A Mail Sender must authenticate itself via Userid and Password before Mail is accepted. Identity provided by Userid and Password must match the identity given in SMTP Header MAIL FROM:

b) Method Kerberos.
A Mail Sender must provide Kerberos Credentials that must match the identity given in SMTP Header MAIL FROM:

c) Method NTLMV2
A Mail Sender must provide NTLMv2 credentials that must match the identity given in SMTP Header MAIL FROM:

RFC4954 describes SMTP commands to implement SASL.

RFC4422 describes SASL in general.

There are specific RFCs that describe each SASL Method.

CSSMTP should be enhanced to support above mentioned SASL methods.

We want CSSMTP to authenticate itself with its started task user credentials.

CSSMTP is not required to use credentials learned from JES Submitter userid.

CSSMTP uses our Microsoft Exchange Mail Server as its target.

Microsoft Exchange Server verifies CSSMTP credentials if CSSMTP is allowed to send mail on behalf of the actual sender (taken from MAIL FROM header).

CSSMTP should prepare and conduct SASL negotiation.

The flow could be like:
1) CSSMTP reads mail from JES Spool and verifies JES Job Submitter is allowed to send mail.
2) CSSMTP reads HELO or EHLO command
3) CSSMTP reads MAIL FROM command. Here CSSMTP might match JES Job Submitter and MAIL FROM identity.
4) CSSMTP prepares credentials for one of the supported SASL methods.
This includes communication with RACF.
5) CSSMTP starts communication with MAIL Target Server.
Communication might be unsecured, which is suitable for method KERBEROS.
Communication must be TLS secured to allow method PLAIN.
6) CSSMTP conducts SASL negotiation.
7) CSSMTP sends actual Mail items.

Idea priority High
  • Guest
    Reply
    |
    Jul 20, 2021

    In an environment where security is very important, we need this functionality to prevent spoofing email and potential phishing attacks. Using an Authenticated email connector between CSSMTP and exchange rather than an Anonymous connector allows rules based analysis in Exchange to be used of any email passing from z/OS to prevent leakage of any Personally Identifiable Information (PII), PCI Information, etc based on were the email is from and where it is going. This RFE is very important!

  • Guest
    Reply
    |
    Nov 19, 2015

    Due to processing by IBM, this request was reassigned to have the following updated attributes:
    Brand - Servers and Systems Software
    Product family - z Systems Software
    Product - z/OS Communications Server

    For recording keeping, the previous attributes were:
    Brand - WebSphere
    Product family - Enterprise Networking
    Product - z/OS Communications Server