Re: [exim] Exim4 + fixed_cram

Author: Phil Pennock
Date:  
To: Wolfgang Breyha
CC: exim-users@exim.org
Subject: Re: [exim] Exim4 + fixed_cram
On 2014-01-23 at 01:43 +0100, Wolfgang Breyha wrote:
> Personally I wouldn't use both for new installations. LOGIN/PLAIN after
> STARTTLS is just fine.


I strongly disagree.

LOGIN/PLAIN assumes that the TLS layer will, each and every time,
provide complete assurance that you're connecting to the expected
server. A compromise, such as via a malicious cert from a poor quality
CA, or an end-user behaving like an end-user and clicking through some
dialogue box complaining of a cert mismatch, will result in disclosure
of the persistent bearer credential that is a password.

This is a Rather Poor security model.

If clients support it, I'd preferentially pick a SCRAM authenticator,
which uses Channel Binding, so that properties of the TLS session are
used as input to identification, thus successful authentication _proves_
that the remote side of _this_ TLS session has access to the server-side
credential store (protecting against MitM attacks) and avoids disclosing
the password too.

After SCRAM, supported by Exim with GSASL (and enable the
Exim server_channelbinding option), I push for GSSAPI (in more structured
environments), DIGEST-MD5 (which provides mutual authentication without
the channel-binding protection), and CRAM-MD5.

PLAIN auth is a disservice to your users; if they're using a client
which only supports PLAIN/LOGIN then they're using a client written by
someone clueless about network security and there's no reason to trust
that the client is safe to use in other aspects.

-Phil
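As an added example, not part of Phil's post and not Exim's or GSASL's code: a minimal SCRAM-SHA-256 exchange with the "p=tls-unique" channel binding he describes, showing that the client's proof verifies only when client and server sit on the same TLS session. The password, salt and tls-unique bytes are constructed values.

```python
import base64
import hashlib
import hmac
import os

# Added example, not code from the exim-users post or from Exim/GSASL: a minimal
# SCRAM-SHA-256 exchange with "p=tls-unique" channel binding. The password,
# salt and channel-binding bytes are constructed sample values.

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def scram_exchange(password, salt, iterations, client_cb, server_cb):
    """client_cb / server_cb: tls-unique bytes each side observes on the TLS
    session *it* terminated. Returns True if the server accepts the proof."""
    gs2_header = b"p=tls-unique,,"
    cnonce = base64.b64encode(os.urandom(18))
    client_first_bare = b"n=user,r=" + cnonce
    # server-first: server appends its nonce and sends salt + iteration count
    snonce = cnonce + base64.b64encode(os.urandom(18))
    server_first = b"r=" + snonce + b",s=" + base64.b64encode(salt) + b",i=%d" % iterations
    # client-final: c= is base64(gs2-header || channel-binding data)
    c_client = base64.b64encode(gs2_header + client_cb)
    client_final_wo_proof = b"c=" + c_client + b",r=" + snonce
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    stored_key = hashlib.sha256(client_key).digest()  # server stores this, not the password
    auth_msg = b",".join([client_first_bare, server_first, client_final_wo_proof])
    proof = _xor(client_key, _hmac(stored_key, auth_msg))
    # Server side: rebuild c= from the binding of the session it actually
    # terminated, recover ClientKey from the proof, check it against StoredKey.
    c_server = base64.b64encode(gs2_header + server_cb)
    server_auth_msg = b",".join([client_first_bare, server_first,
                                 b"c=" + c_server + b",r=" + snonce])
    recovered = _xor(proof, _hmac(stored_key, server_auth_msg))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

SALT = b"\x00\x01" * 8  # constructed sample salt

def direct_session():
    # one TLS session end to end: both sides see the same tls-unique value
    return scram_exchange(b"correct horse", SALT, 4096, b"\x11" * 12, b"\x11" * 12)

def relayed_via_mitm():
    # interceptor terminates the client's TLS and opens its own to the server:
    # different tls-unique values on the two sessions, so the proof fails
    return scram_exchange(b"correct horse", SALT, 4096, b"\x11" * 12, b"\x22" * 12)
```

Note that the password itself never appears in any message; the server checks the proof against StoredKey, which is what makes the relayed case fail without the interceptor learning anything reusable.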