Tony Finch wrote:
> Does SPA also require plaintext passwords on the server? Hmm, the docs say
> yes.

Yes, it does. I configured Exim at work to handle SPA along with LOGIN, PLAIN and CRAM-MD5.

> When I went to the IETF meeting in Paris last year, there was some
> discussion about the security of CRAM-MD5 versus plaintext passwords over
> TLS, and the consensus was that the latter is better - I didn't understand
> the detail of the attacks against CRAM-MD5, but they were more serious
> than just plaintext passwords on the server, and might even have been as
> bad as offline brute-force attacks. I think I would only use it if I
> couldn't justify the cost of a TLS certificate.

What about CRAM-MD5 over TLS?

I stored the plain text pwds for our userbase in SQL. I didn't see a need to store encrypted ones. Most of our users use the server locally or over VPN.

> I think that once a user understands enough to implement these, SPA should
> be simple, and since it's non-standard I'm disinclined to add it to the
> default configuration and let people who need it read the spec.

Actually, I believe the only difference (it has been at least 2 years since I wrote the authenticators) between SPA and CRAM-MD5 in the config I have is the driver and the name.

> One final note: I propose to change src/EDITME to enable the plaintext
> authenticator by default.

I'm fine with that. It would be nice to have a modular design and a make menuconfig! =)

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
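An added example, not from the thread or from Exim itself, showing why the two approaches differ on the server side: a CRAM-MD5 exchange as specified in RFC 2195, where the server must hold the plaintext secret to recompute the HMAC, beside a PLAIN-over-TLS check that only needs a salted hash. The user name, password, host name and salt are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials; not taken from the exim-users thread.
USER = "alice"
PASSWORD = "correct horse battery staple"

# CRAM-MD5 store: the server must keep the password itself (or an equivalent
# HMAC key state), which is the property the thread is discussing.
CRAM_DB = {USER: PASSWORD}

# PLAIN-over-TLS store: the password arrives in the clear inside the TLS
# session, so the server can keep only a salted, slow hash of it.
_salt = secrets.token_bytes(16)
PLAIN_DB = {USER: (_salt, hashlib.pbkdf2_hmac("sha256", PASSWORD.encode(), _salt, 100_000))}


def cram_md5_challenge(hostname: str) -> bytes:
    """Server side of RFC 2195: a unique, msg-id style challenge."""
    return f"<{secrets.randbits(64)}.{int(time.time())}@{hostname}>".encode()


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """Client side: 'username SP hex(HMAC-MD5(key=password, msg=challenge))'."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()


def cram_md5_verify(response: bytes, challenge: bytes, db: dict) -> bool:
    """Server side: recompute the HMAC, which needs the plaintext key.

    Anyone who records a (challenge, response) pair can test password guesses
    offline against it; that is the brute-force exposure the thread mentions."""
    username, _, digest = response.decode(errors="replace").partition(" ")
    password = db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def plain_verify(username: str, password: str, db: dict) -> bool:
    """PLAIN after STARTTLS: check a salted PBKDF2 hash; no plaintext is stored."""
    record = db.get(username)
    if record is None:
        return False
    salt, stored = record
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(calc, stored)
```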
