> On 18.01.2021 at 09:31, Michael Stauber <mstau...@blueonyx.it> wrote:
>
> Hi Florian,
>
>> I think users are very much used to using their email address
>> instead of the username for email nowadays (at least here in
>> Germany). Maybe there's a possibility to include that in future
>> releases?
>
> This has been talked about in the past and it isn't that easy of a
> transition.
>
> For all relevant logins (SMTP, Dovecot, FTP, SSH, GUI and other odds and
> sods) we use PAM authentication. And that usually means: Username and
> password. This works out of the box and we can use the Linux user
> accounts and passwords.
>
> PAM can be extended to use the email address instead of the username.
> But that usually involves stuffing the user accounts into LDAP or MySQL
> *and* throwing a lot of extra logic onto the problem. You're basically
> writing your own login mechanism with all intricacies and potential
> problems.
>
> Usernames are unique. No two Linux users can have the same name.
>
> Email addresses are a hell of a lot more complicated, because the same
> account can have many different email aliases and there could even be a
> wildcard email account under any given domain. And from the specified
> email address you need to extrapolate which Linux user that actually is.
>
> Then the question is: What's the actual benefit?
>
> In reality: There is none.
>
> So we'd be throwing a lot of extra complexity at a non-existing problem
> for no gain. Instead we'd create something horribly complex that has new
> points of failure and possibly even security holes in its first few
> iterations. That's just not worth the risk.
>
> There is also another thing to keep in mind:
>
> Brute force dictionary attacks.
>
> Just because *everyone* (and their mother) is using email addresses,
> these automated attack tools run flat into a wall on a BlueOnyx. Because
> if you try to authenticate with an email address instead of a username,
> then that's a default authentication failure.
>
> Lastly: The email addresses a server responds to can easily be probed
> from the outside and there are automated tools to harvest them.
> Likewise, anyone you communicate with via email knows your email address.
>
> On other platforms an attacker therefore already knows one half of your
> two-factor authentication and only needs to brute force the password.
>
> And on a BlueOnyx there isn't necessarily a direct relation between the
> login token (username) and the email address.

I get your point. It's pure convenience.

_______________________________________________
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
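To make the resolution problem Michael describes concrete, here is an added example (written for this page, not BlueOnyx code, and not a description of how BlueOnyx stores anything): a resolver that turns an address typed at a login prompt into a Linux account. The user list and alias table are constructed sample data in an assumed layout (one `(address, user)` row per alias, with `*@domain` as the catch-all). It shows the three things the quoted message points at: a plain username lookup rejects any address outright, an address may belong to several aliases or to the domain wildcard and has to be resolved with a precedence rule, and an address can legitimately match more than one account, which the resolver must refuse rather than guess.

```python
"""Map an e-mail style login to a Linux account (added example, not BlueOnyx code).

Assumptions (constructed for this example):
  * LINUX_USERS stands in for the set of real account names (/etc/passwd).
  * ALIASES is a flat list of (address, user) rows; "*@domain" is a catch-all.
Nothing here reads real system files.
"""

LINUX_USERS = {"fmueller", "jdoe", "admin1"}

ALIASES = [
    ("florian@example.com", "fmueller"),
    ("info@example.com", "fmueller"),      # one account, several aliases
    ("john@example.com", "jdoe"),
    ("sales@example.com", "fmueller"),
    ("sales@example.com", "jdoe"),         # deliberate conflict: two owners
    ("*@example.com", "admin1"),           # wildcard account for the domain
    ("john@example.org", "jdoe"),
    ("ghost@example.org", "retired"),      # alias whose account no longer exists
]


class AmbiguousLogin(Exception):
    """Raised when one address resolves to more than one Linux user."""


def split_address(login):
    """Return (localpart, domain) lower-cased, or None if login is not an address."""
    if login.count("@") != 1:
        return None
    local, domain = login.lower().split("@")
    if not local or not domain:
        return None
    return local, domain


def pam_username_lookup(login):
    """Username-only lookup, i.e. the status quo described in the thread.

    An address is never a username, so presenting one is a plain failure
    before any password is even checked."""
    return login if login in LINUX_USERS else None


def resolve_email_login(login):
    """Resolve a login token to a Linux user, or None if it does not map.

    Precedence: plain username -> explicit alias -> domain wildcard.
    A token that maps to several distinct users is refused (AmbiguousLogin)
    instead of silently picking one, since that choice would decide whose
    password gets checked."""
    parts = split_address(login)
    if parts is None:
        return pam_username_lookup(login)
    local, domain = parts

    # Explicit aliases win over the wildcard; collect all candidate owners.
    candidates = {user for addr, user in ALIASES if addr == f"{local}@{domain}"}
    if not candidates:
        candidates = {user for addr, user in ALIASES if addr == f"*@{domain}"}

    if len(candidates) > 1:
        raise AmbiguousLogin(f"{login!r} maps to {sorted(candidates)}")
    if not candidates:
        return None

    user = candidates.pop()
    # A stale alias row must not conjure up an account that no longer exists.
    return user if user in LINUX_USERS else None


if __name__ == "__main__":
    for token in ("fmueller", "florian@example.com", "Info@Example.COM",
                  "anything@example.com", "ghost@example.org", "sales@example.com"):
        try:
            print(f"{token:24} -> {resolve_email_login(token)}")
        except AmbiguousLogin as exc:
            print(f"{token:24} -> refused: {exc}")
```

The wildcard row is what makes the mapping non-injective: every unknown localpart under `example.com` lands on `admin1`, so an attacker who harvests or guesses any address in that domain has already selected the catch-all account. The conflicting `sales@` rows show the other failure mode; a resolver that picked the first match would let alias ordering decide which account a password is tried against.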