Re: [exim] TLS SASL authentication error 535

Author: Jasen Betts
Date:  
To: exim-users
Subject: Re: [exim] TLS SASL authentication error 535
On 2015-09-06, Alexander Carver <agcarver@???> wrote:
> On 2015-09-05 12:03, Jeremy Harris wrote:
>> On 05/09/15 19:54, AC wrote:
>>> Until this thread I didn't know that the
>>> password is base64 encoded in the AUTH PLAIN debug output (before it's
>>> printed as plain text in $auth3 otherwise). I assumed it was a hashed
>>> string so I didn't expect it to match every time.
>>
>> Because of this, restricting plaintext auth methods to encrypted
>> connections is a good move.
>
> Yes, I would agree. I have mine set up to use a TLS encrypted
> connection started by STARTTLS. Is there a way to combine the SASL
> authentication with a hashing algorithm or is STARTTLS+PLAIN sufficient?


It's possible to use AUTH CRAM-MD5 after STARTTLS, but IME few clients
do it. I'm not sure of the current state of other hashing auth mechanisms
in Exim.

A downside of hashing auth is that the server needs to know the
password (or at least sufficient password detail to authenticate),
while with the cleartext auth mechanisms it does not need to know
the password. This means that where hashing auth is used greater
care must be taken to secure the password list.

--
\_(ツ)_