Hi Florian,

> I think users are very much used to using their email address
> instead of the username for email nowadays (at least here in
> Germany). Maybe there's a possibility to include that in future
> releases?
This has been talked about in the past and it isn't that easy of a transition. For all relevant logins (SMTP, Dovecot, FTP, SSH, GUI and other odds and sods) we use PAM authentication. And that usually means: Username and password. This works out of the box and we can use the Linux user accounts and passwords.

PAM can be extended to use the email-address instead of the username. But that usually involves stuffing the user accounts into LDAP or MySQL *and* throwing a lot of extra logic onto the problem. You're basically writing your own login mechanism with all intricacies and potential problems.

Usernames are unique. No two Linux users can have the same name. Email addresses are a hell of a lot more complicated, because the same account can have many different email aliases and there could even be a wildcard email account under any given domain. And from the specified email address you need to extrapolate which Linux user that actually is.

Then the question is: What's the actual benefit? In reality: There is none. So we'd be throwing a lot of extra complexity at a non-existing problem for no gain. Instead we'd create something horribly complex that has new points of failure and possibly even security holes in its first few iterations. That's just not worth the risk.

There is also another thing to keep in mind: Brute force dictionary attacks. Just because *everyone* (and their mother) is using email addresses, these automated attack tools run flat into a wall on a BlueOnyx. Because if you try to authenticate with an email-address instead of a username, then that's a default authentication failure.

Lastly: The email addresses a server responds to can easily be probed from the outside and there are automated tools to harvest them. Likewise, anyone you communicate with via email knows your email address. On other platforms an attacker therefore already knows one half of your two-factor authentication and only needs to brute force the password. And on a BlueOnyx there isn't necessarily a direct relation between the login-token (username) and the email address.

--
With best regards
Michael Stauber

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
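The alias and wildcard problem described in the reply above, as an added Python model that is not BlueOnyx code and not part of the original thread. The alias table, catch-all domains and user list are constructed sample data; `resolve_login` and `pam_style_login` are hypothetical names for the two policies being compared.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample data (not a real BlueOnyx configuration): explicit
# aliases and per-domain catch-all accounts, both pointing at local users.
ALIASES = {
    "info@example.org": "alice",
    "alice@example.org": "alice",
    "sales@example.org": "bob",
    "webmaster@example.net": "carol",
}
CATCH_ALL = {"example.org": "postmaster1", "example.net": "postmaster2"}
LOCAL_USERS = {"alice", "bob", "carol", "postmaster1", "postmaster2"}


@dataclass
class Resolution:
    user: Optional[str]          # local account to authenticate, or None
    candidates: List[str] = field(default_factory=list)
    reason: str = ""


def resolve_login(identifier: str) -> Resolution:
    """Map a login identifier to exactly one local account, or refuse.

    A plain username is unique by construction (one Linux account per name).
    An email address may reach a local account through an explicit alias,
    through a catch-all, or not at all. Only the explicit, finite case is
    accepted: a catch-all makes every address under the domain a valid
    identifier, so there is nothing left for the identifier to protect.
    """
    ident = identifier.strip().lower()
    if "@" not in ident:
        if ident in LOCAL_USERS:
            return Resolution(ident, [ident], "username")
        return Resolution(None, [], "unknown user")
    domain = ident.rpartition("@")[2]
    explicit = ALIASES.get(ident)
    wildcard = CATCH_ALL.get(domain)
    if explicit is not None:
        # Both routes may exist; record them so the ambiguity is visible.
        cands = sorted({explicit, wildcard} - {None})
        return Resolution(explicit, cands, "explicit alias")
    if wildcard is not None:
        return Resolution(None, [wildcard], "catch-all only; refused")
    return Resolution(None, [], "no mapping")


def pam_style_login(identifier: str) -> bool:
    """Username-only check as the reply describes: any '@' fails outright."""
    return "@" not in identifier and identifier in LOCAL_USERS
```

Running `resolve_login` over a few addresses shows the many-to-one alias case (two addresses for `alice`) and the catch-all case that has to be refused, while `pam_style_login` rejects every email-shaped identifier before any password check happens.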