On Sun, 14 May 2006, John W. Baxter wrote:
>
> We offer all of SPA, CRAM-MD5, PLAIN, and LOGIN. Given that choice,
> Eudora and Thunderbird (at least) will use CRAM (just now verified for
> Thunderbird).
>
> We concluded--probably erroneously--when adding SPA to the list that Outlook
> Express would not use SPA unless it was advertised prior to the plain text
> alternatives.

!

> And because of the need for plain text passwords for CRAM, I would be
> dubious about including it in the default configuration other than as a
> comment pointing out its existence and that restriction and pointing to its
> place in the manual.

Does SPA also require plaintext passwords on the server? Hmm, the docs say yes.

When I went to the IETF meeting in Paris last year, there was some discussion about the security of CRAM-MD5 versus plaintext passwords over TLS, and the consensus was that the latter is better - I didn't understand the detail of the attacks against CRAM-MD5, but they were more serious than just plaintext passwords on the server, and might even have been as bad as offline brute-force attacks. I think I would only use it if I couldn't justify the cost of a TLS certificate.

The right thing for the default configuration file is to make it easy to implement the well-established consensus, which AFAICT for authentication is TLS+PLAIN (+LOGIN). I think that once a user understands enough to implement these, SPA should be simple, and since it's non-standard I'm disinclined to add it to the default configuration and let people who need it read the spec.

One final note: I propose to change src/EDITME to enable the plaintext authenticator by default.

Tony.
--
<[EMAIL PROTECTED]> <[EMAIL PROTECTED]> http://dotat.at/
${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
