From owner-freebsd-questions@FreeBSD.ORG Wed Sep 5 11:34:09 2007
From: Jonathan McKeown
Organization: Health Systems Trust
To: "Jim Stapleton"
Cc: freebsd-questions@freebsd.org
Date: Wed, 5 Sep 2007 13:36:34 +0200
Subject: Re: questions on setting up a mail server
Message-Id: <200709051336.34962.jonathan+freebsd-questions@hst.org.za>
In-Reply-To: <80f4f2b20709050346l21f000f0y552bc0711cfcacfd@mail.gmail.com>
References: <200709051012.46793.jonathan+freebsd-questions@hst.org.za> <80f4f2b20709050346l21f000f0y552bc0711cfcacfd@mail.gmail.com>
List-Id: User questions

On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:
> > All the authentication options you mention after plain text (which is the
> > standard method built into the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).
>
> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?

No, it's just obfuscated. Both PLAIN and LOGIN send the username and
password base64-encoded, which doesn't provide any security - it just
protects the mailserver from funny characters in passwords.

The only difference between PLAIN and LOGIN is that PLAIN combines the
username and password into a single string and sends that, whereas LOGIN
waits for a prompt, sends the username, waits for another prompt and sends
the password. If you enable the option to prevent plaintext methods except
under a security layer, both methods will be disabled.

If you do decide to use cyrus, there's a useful tool called imtest which
connects to the server, negotiates a TLS connection and lets you type IMAP
commands at it. You can see the actual exchange of authentication details,
and you can use openssl base64 -d to decode the base64 string to see what's
sent (man enc for details).

You can also test a secured connection using openssl s_client, which has an
option for doing STARTTLS against smtp and pop3 servers (man s_client for
details).

Jonathan
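The PLAIN-versus-LOGIN difference and the base64 decoding described above, as an added Python example that is not part of the original thread: it builds and unpacks a PLAIN token, then walks a constructed SMTP AUTH transcript (the account jonathan / s3cret and the C:/S: lines are all made up) to show that both mechanisms hand over the password verbatim once the base64 is stripped, which is why they are only safe under a TLS security layer.

```python
import base64

def encode_plain(authcid: str, password: str, authzid: str = "") -> str:
    """PLAIN token as the client sends it: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token: str) -> dict:
    """Undo encode_plain, as `openssl base64 -d` does on a token seen in imtest."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token")
    return {"authzid": parts[0], "authcid": parts[1], "password": parts[2]}

# Constructed SMTP AUTH transcript (not a real capture) for the made-up account jonathan / s3cret.
SAMPLE_CAPTURE = """\
C: AUTH PLAIN AGpvbmF0aGFuAHMzY3JldA==
S: 235 2.7.0 Authentication successful
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: am9uYXRoYW4=
S: 334 UGFzc3dvcmQ6
C: czNjcmV0
S: 235 2.7.0 Authentication successful
"""

def recover_credentials(capture: str) -> list:
    """(mechanism, credentials) for every AUTH attempt in a C:/S: transcript. PLAIN may put
    its token on the AUTH line or answer a 334 prompt; LOGIN answers two prompts."""
    found, mode, answers = [], None, []
    for line in capture.splitlines():
        who, _, text = line.partition(": ")
        if who == "S":                           # only a 334 keeps the exchange alive
            mode = mode if text.startswith("334") else None
        elif text.upper().startswith("AUTH PLAIN"):
            parts = text.split(None, 2)          # token may ride on the AUTH line
            mode = None if len(parts) == 3 else "PLAIN"
            if len(parts) == 3:
                found.append(("PLAIN", decode_plain(parts[2])))
        elif text.upper() == "AUTH LOGIN":
            mode, answers = "LOGIN", []
        elif mode == "PLAIN":
            found.append(("PLAIN", decode_plain(text)))
            mode = None
        elif mode == "LOGIN":
            answers.append(base64.b64decode(text).decode("utf-8"))
            if len(answers) == 2:                # username, then password
                found.append(("LOGIN", {"authcid": answers[0], "password": answers[1]}))
                mode = None
    return found
```

Running recover_credentials over a transcript taken without TLS returns the cleartext password for both mechanisms, which is the check to run before deciding whether to leave plaintext mechanisms enabled outside a security layer.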