Re: [exim] sending mail from outside

Author: Wakko Warner
Date:  
To: exim-users
CC: John W. Baxter
Subject: Re: [exim] sending mail from outside
Tony Finch wrote:
> Does SPA also require plaintext passwords on the server? Hmm, the docs say
> yes.


Yes, it does. I configured Exim at work to handle SPA along with LOGIN,
PLAIN and CRAM-MD5.

> When I went to the IETF meeting in Paris last year, there was some
> discussion about the security of CRAM-MD5 versus plaintext passwords over
> TLS, and the consensus was that the latter is better - I didn't understand
> the detail of the attacks against CRAM-MD5, but they were more serious
> than just plaintext passwords on the server, and might even have been as
> bad as offline brute-force attacks. I think I would only use it if I
> couldn't justify the cost of a TLS certificate.


What about CRAM-MD5 over TLS? I stored the plaintext passwords for our userbase
in SQL. I didn't see a need to store encrypted ones. Most of our users
use the server locally or over VPN.

> I think that once a user understands enough to implement these, SPA should
> be simple, and since it's non-standard I'm disinclined to add it to the
> default configuration and let people who need it read the spec.


Actually, I believe the only difference (it has been at least 2 years since I
wrote the authenticators) between SPA and CRAM-MD5 in the config I have is
the driver and the name.

> One final note: I propose to change src/EDITME to enable the plaintext
> authenticator by default.


I'm fine with that.

It would be nice to have a modular design and a make menuconfig! =)

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
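To make the thread's point concrete, here is an added example (not from the thread and not Exim's code) showing why a CRAM-MD5 server must hold the plaintext password to check the client's response, whereas PLAIN over TLS lets the server keep only a salted, iterated hash. The user name, password and host name are constructed values.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Constructed sample credentials (not taken from the mailing-list thread)
USER = "alice"
PASSWORD = "correct horse battery staple"

# --- CRAM-MD5 (RFC 2195): the server needs the secret itself ---------------
# The server keys HMAC-MD5 with the password to recompute the client's
# response, so nothing weaker than the plaintext password can be stored.
CRAM_STORE = {USER: PASSWORD}

def cram_md5_challenge(hostname="mail.example"):
    # Server's first message: a unique challenge string, base64 encoded
    return base64.b64encode(f"<{secrets.token_hex(8)}@{hostname}>".encode()).decode()

def cram_md5_response(challenge_b64, user, password):
    # Client: HMAC-MD5 keyed with the password over the decoded challenge
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_md5_verify(challenge_b64, response_b64):
    # Server: look up the plaintext secret and recompute the expected digest
    user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    secret = CRAM_STORE.get(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

# --- PLAIN over TLS: the server sees the password, so a hash suffices --------
def make_plain_record(password, iterations=200_000):
    # Salted, iterated hash; the plaintext is never written to the store
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

PLAIN_STORE = {USER: make_plain_record(PASSWORD)}

def plain_verify(user, password):
    # Server: rehash the password received over the TLS channel and compare
    rec = PLAIN_STORE.get(user)
    if rec is None:
        return False
    salt, iterations, stored = rec
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), stored)
```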