Re: [Exim] AUTH PLAIN

Pàgina inicial
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
A: Mike Richardson
CC: exim-users
Assumpte: Re: [Exim] AUTH PLAIN
On Sat, 6 Oct 2001, Mike Richardson wrote:

> > The RFC to read is 2554 "SMTP Service Extension for Authentication", but
> > unfortunately, it doesn't show a PLAIN example. What it does say is
>
> Might be an idea to put that RFC reference in the Exim docs near the
> reference to RFC2595 in the authenticators section. I wasn't too sure
> where to look for this stuff. Not much on google either...


It is on the same page (is that near enough?) It's in the second
sentence of Chapter 33.

> I hope that'll be enough to convince them. I take it that you don't mind
> if I forward your reply to them?


No problem.

> Given that they charge 10 quid plus per
> user licence I'd be nice if the software worked properly with our (and
> other MTAs). Btw, do you have any comment about relative security
> implications of using PLAIN over LOGIN? (I know that SSL should be used
> in either case, thats the next step to test :-)


I have seen arguments that LOGIN is "better" because it doesn't sent the
password in the same packet as the user name. Personally, I don't think
this is a serious argument. PLAIN is (a) standardised in an RFC and (b)
more efficient because it needs only one round-trip, not 3.

It is an historical accident that there exist two different plaintext
user/password authentication mechanisms.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.