On Tue, 28 Aug 2001, Tamas TEVESZ wrote:
> On Tue, 28 Aug 2001, Matt Bernstein wrote:
>
> > ..but it's too late by then! You say (in the clear)
> > AUTH PLAIN MiMeHaSh..
> > ..and the server replies
> > 503 STARTTLS required before AUTH
>
> the server doesn't have to advertise its auth capability unless the
> channel is already secured :) (no, i don't know how (if at all) to do
> that. but it wouldn't be nice...)
Indeed. Here is a comment from the Exim source code:

    Do not advertise AUTH if the host is in auth_over_tls_hosts and we
    are not in a TLS session.

> otoh - once one does ssl, then why bother with passwords ? use
> certificates then :)
Because certificates are very complicated things to handle, and not many
people understand them well. If you just want encryption (not
identification) you can give your server a self-signed certificate and
not have to bother your users with certificates, or tangle with
certification companies.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
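The two points in the message above, advertising AUTH only inside a TLS session and using a self-signed certificate for encryption without identification, can be put together in a single configuration fragment. The script below is an added example, not part of the original thread and not code from Exim; it assumes an Exim 4 release (4.80 or later, where the cipher variable is $tls_in_cipher; older releases use $tls_cipher) and expresses the same rule with the Exim 4 option auth_advertise_hosts rather than the auth_over_tls_hosts option the quoted source comment refers to. The certificate directory and host name are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original thread or from Exim itself.
# Produces a minimal Exim 4 main-section fragment that (a) offers STARTTLS with
# a self-signed certificate (encryption only, no identification) and
# (b) advertises AUTH only once the session is already under TLS.
# Assumptions: Exim 4.80+ ($tls_in_cipher; older releases use $tls_cipher);
# the directory and host name passed in are placeholders for this example.

# Generate a self-signed certificate and key for STARTTLS. No CA and no user
# certificates: clients get an encrypted channel but cannot verify identity.
make_selfsigned_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" \
        -keyout "$dir/exim.key" -out "$dir/exim.crt"
}

# Print the Exim main-section lines. auth_advertise_hosts expands to "*" only
# when $tls_in_cipher is non-empty, i.e. after STARTTLS has completed; on a
# plaintext EHLO the list is empty, so AUTH is never advertised and a
# well-behaved client never sends a password in the clear.
exim_tls_auth_fragment() {
    dir="$1"
    cat <<EOF
tls_advertise_hosts = *
tls_certificate = $dir/exim.crt
tls_privatekey = $dir/exim.key
auth_advertise_hosts = \${if eq{\$tls_in_cipher}{}{}{*}}
EOF
}

# Usage: ./exim_tls_auth.sh <cert-dir> <hostname>
# e.g.   ./exim_tls_auth.sh /etc/exim4/tls mail.example.invalid
if [ $# -eq 2 ]; then
    make_selfsigned_cert "$1" "$2"
    exim_tls_auth_fragment "$1"
fi
```

To check the behaviour after reloading Exim, compare the EHLO banner over a plain connection (for example with `nc host 25`) against one after `openssl s_client -starttls smtp -connect host:25`: the 250-AUTH line should be present only in the second case, so a client that follows the advertised capabilities never reaches the point of sending `AUTH PLAIN` in the clear.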