Re: [exim] sending mail from outside

Author: Tony Finch
Date:  
To: John W. Baxter
CC: exim-users
Subject: Re: [exim] sending mail from outside
On Sun, 14 May 2006, John W. Baxter wrote:
>
> We offer all of SPA, CRAM-MD5, PLAIN, and LOGIN. Given that choice,
> Eudora and Thunderbird (at least) will use CRAM (just now verified for
> Thunderbird).
>
> We concluded--probably erroneously--when adding SPA to the list that Outlook
> Express would not use SPA unless it was advertised prior to the plain text
> alternatives.


!

> And because of the need for plain text passwords for CRAM, I would be
> dubious about including it in the default configuration other than as a
> comment pointing out its existence and that restriction and pointing to its
> place in the manual.


Does SPA also require plaintext passwords on the server? Hmm, the docs say
yes.

When I went to the IETF meeting in Paris last year, there was some
discussion about the security of CRAM-MD5 versus plaintext passwords over
TLS, and the consensus was that the latter is better - I didn't understand
the detail of the attacks against CRAM-MD5, but they were more serious
than just plaintext passwords on the server, and might even have been as
bad as offline brute-force attacks. I think I would only use it if I
couldn't justify the cost of a TLS certificate.

The right thing for the default configuration file is to make it easy to
implement the well-established consensus, which AFAICT for authentication
is TLS+PLAIN (+LOGIN).

I think that once a user understands enough to implement these, SPA should
be simple, and since it's non-standard I'm disinclined to add it to the
default configuration and let people who need it read the spec.

One final note: I propose to change src/EDITME to enable the plaintext
authenticator by default.

Tony.
--
<fanf@???> <dot@???> http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
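
Added example, not part of the original message: a Python sketch of the storage point discussed in the thread, showing that a CRAM-MD5 server (RFC 2195) has to hold the shared secret in usable form to check a response, while a PLAIN server can keep only a salted hash. The function names and the PBKDF2 parameters are assumptions made for illustration; the challenge, user and secret are the sample values from RFC 2195.

```python
import base64
import hashlib
import hmac
import os

# Sample exchange from RFC 2195 (not from the thread).
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"
USER = "tim"
SECRET = b"tanstaaftanstaaf"

def cram_md5_response(user, secret, challenge):
    """Client: base64("user " + hex(HMAC-MD5(key=secret, msg=challenge)))."""
    digest = hmac.new(secret, challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def cram_md5_verify(server_secret, challenge, response):
    """Server: recomputes the HMAC, so it needs the secret itself as the key."""
    _user, _, digest = base64.b64decode(response).decode().rpartition(" ")
    expected = hmac.new(server_secret, challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def plain_enroll(password, iterations=100_000):
    """PLAIN/LOGIN: the server may store only a salted, slow hash (assumed PBKDF2)."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def plain_verify(record, password):
    """Server: the password arrives inside TLS and is hashed for comparison."""
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return hmac.compare_digest(stored, candidate)

def cram_md5_verify_with_hash_only(record, challenge, response):
    """A server holding only the salted hash has no usable HMAC key."""
    return cram_md5_verify(record[2], challenge, response)

if __name__ == "__main__":
    resp = cram_md5_response(USER, SECRET, CHALLENGE)
    record = plain_enroll(SECRET)
    print("CRAM-MD5, server has secret:", cram_md5_verify(SECRET, CHALLENGE, resp))
    print("CRAM-MD5, server has hash  :",
          cram_md5_verify_with_hash_only(record, CHALLENGE, resp))
    print("PLAIN, server has hash     :", plain_verify(record, SECRET))
```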