Suggested options (not sure how to do it -- hurt my back and not thinking 100% this morning):

- Users are the only ones who should be using SMTP AUTH, and they should NOT be using port 25 when they do it... so the SMTP daemon on port 25 should NOT ALLOW SMTP AUTH at all - It's up to you whether you support SUBMISSION connections on port 587 with or without SSL, but in my case I REQUIRE SSL on both ports 587 and 465 (several mail clients will specifically look for 465 with SSL before even trying 587). Of course, this means that I either pay for a publicly signed SSL certificate, or make my users import my self-signed certificate.

Once you're connecting on ports 587 or 465 over SSL, the AUTH method is less important -- it's all encrypted in the SSL connection.

Just my thoughts...

Dan McAllister

On 9/10/2013 9:59 AM, Eric Shubert wrote:
On 09/10/2013 02:34 AM, Johannes Weberhofer wrote:
Dear all!

For security reasons I have disabled the storage of vpopmail's
plain-text passwords. Upon connection the qmail-server still responds with

250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5

Qmail's implementation of cram-md5 is implemented in a way, that the
plain-text password is required [1] for CRAM-MD5 authentication. My
problem is, that some clients are sending the CRAM-MD5 response, but
Qmail is not able to process it correctly. Unfortunately I have not
found a way to turn this feature off. Does someone know, how to?

Best regards,
Johannes

[1] http://en.wikipedia.org/wiki/CRAM-MD5


You're one step ahead of me, Johannes. :)

I had planned to do so by having spamdyke handle authentication. The current version doesn't implement this quite right though, but it'll be fixed in the soon to be released version.

In the meantime, check for qmail config options in the .spec file. There might be a ./configure option for turning cram-md5 off. I don't know off hand, but I would expect so. Either that or vpopmail. I don't recall off hand how qmail makes the determination of which auth methods are available.

Please let me know how you make out with this.
Thanks!

P.S. Just to be clear, plain-text passwords are required for any implementation of cram-md5, not just qmail's. That's a weakness which is inherent in the protocol.



--

PLEASE TAKE NOTE OF OUR NEW ADDRESS
===================================
IT4SOHO, LLC
33 - 4th Street N, Suite 211
St. Petersburg, FL 33701-3806

CALL TOLL FREE:
  877-IT4SOHO

877-484-7646 Phone
727-647-7646 Local
727-490-4394 Fax

We have support plans for QMail!


---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
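Added check (editor's example, not part of the thread or of Qmail Toaster) that turns Dan's port policy and Johannes's CRAM-MD5 concern into something you can run against an EHLO banner: no AUTH on port 25, no AUTH before STARTTLS on 587, AUTH only acceptable on 465 because the socket is already TLS, and a warning whenever CRAM-MD5 is offered. The port-25 banner is the one Johannes quoted; the 587 and 465 banners are constructed. fetch_ehlo uses the standard smtplib and is only there for running the audit against a live host.

```python
import re
import smtplib
from typing import Dict, List, Tuple

# Capability line, with or without the "250-"/"250 " prefix (smtplib strips it).
EHLO_LINE = re.compile(r"^(?:250[ -])?(?P<kw>[A-Za-z0-9-]+)(?:\s+(?P<params>.*))?$")

# Mechanism that can only be verified from a plaintext password on the server.
PLAINTEXT_AT_REST = {"CRAM-MD5"}

# Banner quoted in the thread (port 25).
BANNER_25 = """\
250-server.test.com - Welcome to Qmail Toaster Ver. 1.03.5 SMTP Server
250-STARTTLS
250-PIPELINING
250-8BITMIME
250-SIZE 20971520
250 AUTH LOGIN PLAIN CRAM-MD5
"""

# Constructed banners for a submission daemon that follows the policy.
BANNER_587_PRE_TLS = "250-server.test.com\n250-STARTTLS\n250-8BITMIME\n250 SIZE 20971520\n"
BANNER_465 = "250-server.test.com\n250-8BITMIME\n250 AUTH PLAIN LOGIN\n"


def parse_ehlo(text: str) -> Dict[str, List[str]]:
    """Map EHLO keywords to their parameters; the first line is the greeting."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    caps: Dict[str, List[str]] = {}
    for line in lines[1:]:
        m = EHLO_LINE.match(line)
        if m:
            caps[m.group("kw").upper()] = (m.group("params") or "").split()
    return caps


def audit_ehlo(port: int, ehlo_text: str, tls_active: bool = False) -> List[str]:
    """Return policy findings for a banner seen on `port`; empty list means compliant."""
    caps = parse_ehlo(ehlo_text)
    mechs = [m.upper() for m in caps.get("AUTH", [])]
    if port == 465:
        tls_active = True  # implicit TLS: nothing is exchanged before the handshake
    findings: List[str] = []
    if port == 25 and mechs:
        findings.append(f"port 25 advertises AUTH {' '.join(mechs)}; relay port must not offer SMTP AUTH")
    if port == 587 and not tls_active:
        if "STARTTLS" not in caps:
            findings.append("port 587 does not advertise STARTTLS")
        if mechs:
            findings.append(f"port 587 advertises AUTH {' '.join(mechs)} before STARTTLS; credentials could go in the clear")
    weak = sorted(set(mechs) & PLAINTEXT_AT_REST)
    if weak:
        findings.append(f"{' '.join(weak)} offered: server must keep plaintext passwords to verify it")
    return findings


def fetch_ehlo(host: str, port: int, timeout: float = 10.0) -> Tuple[str, bool]:
    """Live helper (not used offline): return the pre-TLS EHLO text and whether TLS was on."""
    if port == 465:
        conn = smtplib.SMTP_SSL(host, port, timeout=timeout)
        tls = True
    else:
        conn = smtplib.SMTP(host, port, timeout=timeout)
        tls = False
    conn.ehlo()
    text = conn.ehlo_resp.decode("utf-8", "replace")
    conn.quit()
    return text, tls


if __name__ == "__main__":
    for port, banner in ((25, BANNER_25), (587, BANNER_587_PRE_TLS), (465, BANNER_465)):
        print(port, audit_ehlo(port, banner) or ["ok"])
```

For a real host, run fetch_ehlo for 25, 587 and 465 and feed each result to audit_ehlo; for 587 you would additionally call starttls() and ehlo() again to confirm AUTH appears only inside the TLS session.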
