On Sat, 6 Oct 2001, Mike Richardson wrote:
> > The RFC to read is 2554 "SMTP Service Extension for Authentication", but
> > unfortunately, it doesn't show a PLAIN example. What it does say is
>
> Might be an idea to put that RFC reference in the Exim docs near the
> reference to RFC2595 in the authenticators section. I wasn't too sure
> where to look for this stuff. Not much on google either...
It is on the same page (is that near enough?). It's in the second
sentence of Chapter 33.
> I hope that'll be enough to convince them. I take it that you don't mind
> if I forward your reply to them?
No problem.
> Given that they charge 10 quid plus per
> user licence it'd be nice if the software worked properly with our (and
> other) MTAs. Btw, do you have any comment about relative security
> implications of using PLAIN over LOGIN? (I know that SSL should be used
> in either case, that's the next step to test :-)
I have seen arguments that LOGIN is "better" because it doesn't send the
password in the same packet as the user name. Personally, I don't think
this is a serious argument. PLAIN is (a) standardised in an RFC and (b)
more efficient because it needs only one round-trip, not 3.
It is an historical accident that there exist two different plaintext
user/password authentication mechanisms.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
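
The two exchanges compared in the message above, as an added example that is not part of the original thread: it builds an AUTH PLAIN and an AUTH LOGIN dialogue, counts the round trips, and decodes what is readable on an unencrypted connection in each case. The credentials and the 235 reply text are constructed, and the LOGIN prompts are the commonly seen "Username:"/"Password:" form, which is an assumption since the message does not show them.

```python
import base64

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def plain_exchange(user: str, password: str, authzid: str = ""):
    # PLAIN: authzid NUL authcid NUL password, sent as one initial response.
    token = b64(f"{authzid}\0{user}\0{password}".encode("utf-8"))
    return [("C", f"AUTH PLAIN {token}"),
            ("S", "235 Authentication succeeded")]  # reply text is constructed

def login_exchange(user: str, password: str):
    # LOGIN: the server prompts separately for user name and password.
    return [("C", "AUTH LOGIN"),
            ("S", "334 " + b64(b"Username:")),
            ("C", b64(user.encode("utf-8"))),
            ("S", "334 " + b64(b"Password:")),
            ("C", b64(password.encode("utf-8"))),
            ("S", "235 Authentication succeeded")]

def round_trips(exchange) -> int:
    # Each client line waits for one server reply.
    return sum(1 for side, _ in exchange if side == "C")

def recover_credentials(exchange):
    # What anyone reading the unencrypted session can decode.
    client = [line for side, line in exchange if side == "C"]
    if client[0].startswith("AUTH PLAIN "):
        raw = base64.b64decode(client[0].split(" ", 2)[2])
        _authzid, user, password = raw.split(b"\0", 2)
        return user.decode("utf-8"), password.decode("utf-8")
    if client[0] == "AUTH LOGIN":
        user, password = (base64.b64decode(c) for c in client[1:3])
        return user.decode("utf-8"), password.decode("utf-8")
    raise ValueError("unsupported mechanism")

if __name__ == "__main__":
    for name, build in (("PLAIN", plain_exchange), ("LOGIN", login_exchange)):
        ex = build("mike", "constructed-password")  # constructed credentials
        for side, line in ex:
            print(f"{side}: {line}")
        print(f"{name}: {round_trips(ex)} round trip(s), "
              f"observer recovers {recover_credentials(ex)}\n")
```

Both mechanisms yield the same user name and password to a reader of the session, since base64 is an encoding and not encryption; the only difference the output shows is the number of round trips.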