Re: questions on setting up a mail server



On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:
> > All the authentication options you mention after plain text (which is the
> > standard method built in to the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).

> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?

No, it's just obfuscated. Both PLAIN and LOGIN send the username and password
base64-encoded, which doesn't provide any security - it just protects the
mailserver from funny characters in passwords.

The only difference between PLAIN and LOGIN is that PLAIN combines the
username and password into a single string and sends that, whereas LOGIN
waits for a prompt, sends the username, waits for another prompt and sends
the password.

If you enable the option to prevent plaintext methods except under a security
layer, both methods will be disabled.

If you do decide to use cyrus, there's a useful tool called imtest which
connects to the server, negotiates a TLS connection and lets you type IMAP
commands at it. You can see the actual exchange of authentication details,
and you can use openssl base64 -d to decode the base64 string to see what's
sent (man enc for details).

You can also test a secured connection using openssl s_client, which has an
option for doing STARTTLS against smtp and pop3 servers (man s_client for
details).

Jonathan
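
The difference between PLAIN and LOGIN described in the message above, and why base64 gives no confidentiality without TLS, shown as an added example that is not part of the original message. The function names and the credentials are constructed for illustration, and the "Username:"/"Password:" prompt wording is an assumption (the commonly seen form).

```python
import base64

def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def plain_response(user: str, password: str, authzid: str = "") -> str:
    # PLAIN (RFC 4616): authzid NUL authcid NUL passwd, sent as ONE base64 string.
    return _b64(f"{authzid}\0{user}\0{password}")

def login_exchange(user: str, password: str) -> list[tuple[str, str]]:
    # LOGIN: two server prompts, two separate base64 answers from the client.
    # Prompt wording is an assumption (the commonly seen "Username:"/"Password:").
    return [("S", _b64("Username:")), ("C", _b64(user)),
            ("S", _b64("Password:")), ("C", _b64(password))]

def recover_from_plain(token: str) -> tuple[str, str]:
    # Base64 is an encoding, not encryption: decode, then split on the NUL bytes.
    _authzid, user, password = base64.b64decode(token).decode("utf-8").split("\0")
    return user, password

def recover_from_login(exchange: list[tuple[str, str]]) -> tuple[str, str]:
    # Only the client ("C") lines carry the credentials.
    answers = [base64.b64decode(m).decode("utf-8") for side, m in exchange if side == "C"]
    return answers[0], answers[1]

if __name__ == "__main__":
    user, password = "jim", "s3cret!"  # constructed sample credentials
    token = plain_response(user, password)
    print("AUTH PLAIN", token)
    for side, msg in login_exchange(user, password):
        print(f"{side}: {msg}")
    # Both mechanisms give up the same credentials to anyone reading the session,
    # which is why they should only be offered under a security layer.
    print(recover_from_plain(token))
    print(recover_from_login(login_exchange(user, password)))
```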