Or, you could not allow logins for the accounts used for email, which I have
done. (/sbin/nologin).
Or another avenue, which I have done as well is to use just one account name
and password for relaying email (if you have dynamic clients). Again, this
account has no interactive shell. If this account is every compromised,
just change the password, send an email to your users with the new password
and continue on. Not the best solution in the world, but in a world where I
cannot dictate what the clients are actually using for email, its the best I
could come up with.
CK
----- Original Message -----
From: "Peter Radcliffe" <pir@???>
To: "Exim Users" <exim-users@???>
Sent: Tuesday, August 28, 2001 2:36 PM
Subject: Re: [Exim] Help with SMTP AUTH
> "Dave C." <djc@???> probably said:
> > As far as using TLS with SMTP auth, why bother? Spammers do NOT sit
> > sniffing SMTP sessions to try and catch username and password pairs to
> > send spam (and where would they sniff from anyway?) - that would be way
> > too much work - there are still plenty of open SMTP servers out there,
> > despite MAPS/RSS/ORBS/etc best efforts. And if some rogue employee at a
> > backbone network wanted to try and break into your site (unlikely) by
> > sniffing for SMTP AUTH passwords, they would have to wade through
> > gigbytes of traffic looking. Poeple just dont do that.
>
> Wade through traffic ? Get thee a copy of dsniff. One machine gets
> cracked, drop a password sniffer on it ... instant database of
> hundreds of passwords on a busy network.
>
> Why said anything about spammers ? People use the same or similar
> passwords for many things/machines. Get one password in the clear and
> get login access to machine X, from there get to machine Y ...
> Today alone I've seen one person here wanting to do SMTP auth
> from the login password on a machine.
>
> Passwords in the clear, _whatever_ they are for, is bad.
>
> > And if you or your clients are transmitting sensitive/confidential
> > information, you really should be using something like PGP to provide
> > origin-to-destination security. Encrypting the SMTP session, unless you
> > also encrypt your mail spool, just gives a false sense of security.
>
> I disagree, strongly.
>
> I have a machine at work with an interface that gets _every_ packet in
> and out of the university for doing bandwidth monitoring, running
> snort and such. mailsnarf on that machine with a couple of regexps ...
> unfortunately not everyone is as ethical as me. Cracking a machine
> on the same subnet as a mailserver and arpspoof the switch would
> give similar results.
>
> Anything that can reasonably be encrypted should be. TLS makes
> encrypted SMTP trivial, no reason _not_ to use it. Yes, if you are
> paranoid you should still be using PGP for mail, but this doesn't mean
> TLS is pointless. I +like+ my mail being encrypted where it can be.
>
> P.
>
> --
> pir pir-sig@??? pir-sig@???
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
details at
http://www.exim.org/ ##
>
