* Peter Radcliffe <pir@???> [20010828 22:39]: writing on the subject 'Re: [Exim] Help with SMTP AUTH'
| "Dave C." <djc@???> probably said:
| > As far as using TLS with SMTP auth, why bother? Spammers do NOT sit
| > sniffing SMTP sessions to try and catch username and password pairs to
| > send spam (and where would they sniff from anyway?) - that would be way
| > too much work - there are still plenty of open SMTP servers out there,
| > despite MAPS/RSS/ORBS/etc best efforts. And if some rogue employee at a
| > backbone network wanted to try and break into your site (unlikely) by
| > sniffing for SMTP AUTH passwords, they would have to wade through
| > gigbytes of traffic looking. Poeple just dont do that.
|
| Wade through traffic ? Get thee a copy of dsniff. One machine gets
| cracked, drop a password sniffer on it ... instant database of
| hundreds of passwords on a busy network.
|
| Why said anything about spammers ? People use the same or similar
| passwords for many things/machines. Get one password in the clear and
| get login access to machine X, from there get to machine Y ...
| Today alone I've seen one person here wanting to do SMTP auth
| from the login password on a machine.
|
| Passwords in the clear, _whatever_ they are for, is bad.
|
| > And if you or your clients are transmitting sensitive/confidential
| > information, you really should be using something like PGP to provide
| > origin-to-destination security. Encrypting the SMTP session, unless you
| > also encrypt your mail spool, just gives a false sense of security.
|
| I disagree, strongly.
|
| I have a machine at work with an interface that gets _every_ packet in
| and out of the university for doing bandwidth monitoring, running
| snort and such. mailsnarf on that machine with a couple of regexps ...
| unfortunately not everyone is as ethical as me. Cracking a machine
| on the same subnet as a mailserver and arpspoof the switch would
| give similar results.
|
| Anything that can reasonably be encrypted should be. TLS makes
| encrypted SMTP trivial, no reason _not_ to use it. Yes, if you are
| paranoid you should still be using PGP for mail, but this doesn't mean
| TLS is pointless. I +like+ my mail being encrypted where it can be.
While disagreement over an issue is such a healthy idea, it's much more
satisfying when at the end of it all a compromise is reached. That's
exactly what I'm gonna as for here.
Three issues have come up:
o Exim's native SMTP AUTH
o SMTP AUTH with TLS/SSL
o POP before SMTP
Native SMTP AUTH:
It's been kinda agreed that SMTP AUTH (native) is only good when the
username/password combination is different than the machine login pair.
Of course in my situation the users have a nice account called
/nonexistent so I'd feel secure with the native SMTP AUTH. There are only
about 6 people who have login shells on any of my boxes and those can use
other means - like mutt. I personally use mutt/gpg. I also see a good
point in having a single account being used by everyone for SMTP AUTH but
I hate to trust clients with 'big mouths'. The single account idea doesn't
quite appeal to me. Everyone has to use their passwd.
SMTP AUTH with TLS/SSL:
A strong point has been made for this. From my 'personal' inference, it
would appear that a case has been made that it's the best
implementation. The only limitation to it would be the certificates issue,
which seems to draw mixed reactions.
POP before SMTP:
Yes. Sounds to be a better idea except for cases where clients use
'insane' MUAs like M$ Outlock! And a case has been made also for it.
My VIEW:
The original idea behind SMTP AUTH seems to be simply to enable mail relay
for your clients wherever they are, yes? Everyone here must have realized
that M$ products are rampant, possibly the most widely used MUAs, yes?
And clients are not people to be manipulated easily. Like in my situation
I have already made life difficult for them, forcing the clients to have
TWO different passwords, one for dialup and one for POP3. I cannot enforce
this because I also give them to leeway to change any of those passwords
at will. Telling them of a third password might not go well with a
majority of them. This majority are not the type of the mobile client
whos sticks to username@hisdomain and as such I'm of the opinion that the
implementation should be as hassle free as possible, taking me back to
their username/password pair, and this is the pair that they use for POP3.
I therefore suggest that we all diasgree to agree that the native Exim's
SMTP AUTH is still the better option if the client's don't have shell
access to the Server;-)
-Wash
--
Odhiambo Washington
Wananchi Online Ltd.,
wash@??? 1st Flr Loita Hse.
Tel: 254 2 313985 Loita Street.,
Fax: 254 2 313922 PO Box 10286,00100-NAIROBI,KE.
Alimony is a system by which, when two people make a mistake, one of them
continues to pay for it.
-Peggy Joyce
