Date: Wed, 5 Sep 2007 13:36:34 +0200
From: Jonathan McKeown <jonathan+freebsd-questions@hst.org.za>
To: "Jim Stapleton" <stapleton.41@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: questions on setting up a mail server
Message-ID: <200709051336.34962.jonathan%2Bfreebsd-questions@hst.org.za>
In-Reply-To: <80f4f2b20709050346l21f000f0y552bc0711cfcacfd@mail.gmail.com>
References: <BMEDLGAENEKCJFGODFOCGEELCAAA.tedm@toybox.placo.com> <200709051012.46793.jonathan%2Bfreebsd-questions@hst.org.za> <80f4f2b20709050346l21f000f0y552bc0711cfcacfd@mail.gmail.com>
On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:

> > All the authentication options you mention after plain text (which is the
> > standard method built in to the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).
>
> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?

No, it's just obfuscated. Both PLAIN and LOGIN send the username and
password base64-encoded, which doesn't provide any security - it just
protects the mailserver from funny characters in passwords.

The only difference between PLAIN and LOGIN is that PLAIN combines the
username and password into a single string and sends that, whereas LOGIN
waits for a prompt, sends the username, waits for another prompt and sends
the password. If you enable the option to prevent plaintext methods except
under a security layer, both methods will be disabled.

If you do decide to use cyrus, there's a useful tool called imtest which
connects to the server, negotiates a TLS connection and lets you type IMAP
commands at it. You can see the actual exchange of authentication details,
and you can use openssl base64 -d to decode the base64 string to see what's
sent (man enc for details).

You can also test a secured connection using openssl s_client, which has an
option for doing STARTTLS against smtp and pop3 servers (man s_client for
details).

Jonathan
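To make the PLAIN/LOGIN point above concrete, here is an added example that is not part of the original thread: it encodes and decodes both mechanisms (PLAIN as one NUL-separated string per RFC 4616, LOGIN as two separately base64-encoded values) and audits a constructed SMTP transcript for plaintext mechanisms offered, and credentials sent, before STARTTLS. The transcript, hostnames and credentials are made up for illustration.

```python
import base64

# Constructed sample transcript, not a real capture. "S:" is the server,
# "C:" the client. The server advertises AUTH PLAIN/LOGIN before any
# STARTTLS, and the client authenticates on the still-cleartext connection.
SAMPLE_SESSION = """\
S: 220 mail.example.invalid ESMTP
C: EHLO client.example.invalid
S: 250-mail.example.invalid
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAHMzY3IzdA==
S: 235 2.7.0 Authentication successful
"""

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def encode_plain(authcid, passwd, authzid=""):
    """SASL PLAIN (RFC 4616): one base64 string of authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\0{authcid}\0{passwd}".encode()).decode()


def decode_plain(b64):
    """Reverse of encode_plain: base64 is an encoding, not encryption."""
    authzid, authcid, passwd = base64.b64decode(b64).decode().split("\0")
    return authzid, authcid, passwd


def decode_login(b64_user, b64_pass):
    """SASL LOGIN sends the same two values separately, one per server prompt."""
    return base64.b64decode(b64_user).decode(), base64.b64decode(b64_pass).decode()


def audit_session(transcript):
    """Report plaintext mechanisms offered, and credentials sent, before TLS."""
    tls = False
    offered, creds = [], []
    for line in transcript.splitlines():
        who, _, text = line.partition(": ")
        words = text.upper().split()
        if who == "C" and words == ["STARTTLS"]:
            tls = True  # assumes the server answers 220 and the handshake succeeds
        elif who == "S" and not tls and text[:3] == "250":
            ehlo = text[4:].upper().split()  # drop the "250-" / "250 " prefix
            if ehlo[:1] == ["AUTH"]:
                offered += [m for m in ehlo[1:] if m in PLAINTEXT_MECHS]
        elif who == "C" and not tls and words[:2] == ["AUTH", "PLAIN"] and len(words) == 3:
            creds.append(decode_plain(text.split()[2])[1:])  # (authcid, passwd)
    return {"plaintext_mechs_before_tls": offered, "credentials_exposed": creds}
```

A server configured to refuse plaintext mechanisms outside a security layer would not list PLAIN or LOGIN in the pre-STARTTLS EHLO response, so the audit would report nothing.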