On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:

> > All the authentication options you mention after plain text (which is the
> > standard method built in to the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).
>
> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?
No, it's just obfuscated. Both PLAIN and LOGIN send the username and password base64-encoded, which doesn't provide any security - it just protects the mailserver from funny characters in passwords. The only difference between PLAIN and LOGIN is that PLAIN combines the username and password into a single string and sends that, whereas LOGIN waits for a prompt, sends the username, waits for another prompt and sends the password. If you enable the option to prevent plaintext methods except under a security layer, both methods will be disabled.

If you do decide to use Cyrus, there's a useful tool called imtest which connects to the server, negotiates a TLS connection and lets you type IMAP commands at it. You can see the actual exchange of authentication details, and you can use openssl base64 -d to decode the base64 string to see what's sent (man enc for details). You can also test a secured connection using openssl s_client, which has an option for doing STARTTLS against smtp and pop3 servers (man s_client for details).

Jonathan

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
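The point Jonathan makes above, that PLAIN and LOGIN only base64-encode the credentials, is easy to see in code. The following is an added example, not code from the original post or from Cyrus SASL: it builds a PLAIN token the way RFC 4616 lays it out, decodes a LOGIN prompt/response exchange of the kind imtest would show, and applies the "no plaintext mechanisms unless a security layer is up" rule. The username "joe", the password "s3cr3t" and the captured exchange are constructed for the example; the `SECURITY_LAYER_REQUIRED` policy and the helper names are this example's own, not Cyrus configuration options.

```python
"""Added example: what SASL PLAIN and LOGIN actually put on the wire.

Not code from the original mailing-list post or from Cyrus SASL. It shows
that base64 is a reversible encoding, not encryption, and that the only
protection for these mechanisms is the TLS layer around them. All
credentials and the captured exchange below are constructed sample data.
"""
import base64

# Mechanisms that carry the password itself (base64 only) and therefore
# must be refused unless TLS / a SASL security layer is already active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def encode_plain(authcid: str, passwd: str, authzid: str = "") -> str:
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd, then base64."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(token: str) -> dict:
    """Undo encode_plain. Anyone who sees the token on the wire can do this."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN token: expected two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return {"authzid": authzid, "authcid": authcid, "password": passwd}


def decode_login_exchange(lines) -> dict:
    """Decode a captured LOGIN exchange ('S: ' server lines, 'C: ' client lines).

    LOGIN is two prompt/response steps: the server sends a base64 prompt
    ("Username:" then "Password:") after '+ ', and the client answers each
    with a base64 value. Nothing here needs a key; it is just decoding.
    """
    result = {}
    pending_prompt = None
    for line in lines:
        who, _, payload = line.partition(": ")
        if who == "S" and payload.startswith("+ "):
            pending_prompt = base64.b64decode(payload[2:]).decode("utf-8")
        elif who == "C" and pending_prompt is not None:
            value = base64.b64decode(payload).decode("utf-8")
            result[pending_prompt.rstrip(":").lower()] = value
            pending_prompt = None
    return result


def allowed_mechanisms(offered, security_layer_active: bool) -> set:
    """Apply the policy Jonathan describes: without a security layer, drop
    every mechanism that would expose the password in (base64) plaintext."""
    offered = set(offered)
    if security_layer_active:
        return offered
    return offered - PLAINTEXT_MECHS


# Constructed sample exchange in the style of an imtest session.
SAMPLE_LOGIN_EXCHANGE = [
    "C: A01 AUTHENTICATE LOGIN",
    "S: + VXNlcm5hbWU6",   # base64("Username:")
    "C: am9l",             # base64("joe")
    "S: + UGFzc3dvcmQ6",   # base64("Password:")
    "C: czNjcjN0",         # base64("s3cr3t")
    "S: A01 OK Success",
]

if __name__ == "__main__":
    token = encode_plain("joe", "s3cr3t")
    print("PLAIN token on the wire:", token)
    print("decoded back:", decode_plain(token))
    print("LOGIN exchange decoded:", decode_login_exchange(SAMPLE_LOGIN_EXCHANGE))
    print("offered without TLS:",
          allowed_mechanisms(["PLAIN", "LOGIN", "CRAM-MD5"], False))
```

Running it shows the same thing `openssl base64 -d` would show on an imtest capture: the password comes straight back out. The `allowed_mechanisms` check is the defensive side of the same fact, the reason the Cyrus option to refuse plaintext mechanisms outside a security layer disables both PLAIN and LOGIN together.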