On 2015-09-06, Alexander Carver <[email protected]> wrote:
> On 2015-09-05 12:03, Jeremy Harris wrote:
>> On 05/09/15 19:54, AC wrote:
>>> Until this thread I didn't know that the password is base64 encoded
>>> in the AUTH PLAIN debug output (before it's printed as plain text in
>>> $auth3 otherwise). I assumed it was a hashed string so I didn't
>>> expect it to match every time.
>>
>> Because of this, restricting plaintext auth methods to encrypted
>> connections is a good move.
>
> Yes, I would agree. I have mine set up to use a TLS encrypted
> connection started by STARTTLS. Is there a way to combine the SASL
> authentication with a hashing algorithm or is STARTTLS+PLAIN sufficient?
It's possible to use AUTH CRAM-MD5 after STARTTLS, but IME few clients do it. I'm not sure of the current state of other hashing auth mechanisms in Exim.

A downside of hashing auth is that the server needs to know the password (or at least sufficient password detail to authenticate), while with the cleartext auth mechanisms it does not need to know the password. This means that where hashing auth is used greater care must be taken to secure the password list.

-- 
\_(ツ)_

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
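The two points made in this thread, that AUTH PLAIN is only base64-encoded (so it must travel inside TLS) and that a challenge-response mechanism like CRAM-MD5 forces the server to hold the cleartext password, can be shown side by side in a few lines. The following is an added example written for this page; it is not code from the thread or from Exim. The user name, password and challenge are the worked-example values from RFC 2195 (user `tim`, secret `tanstaaftanstaaf`); the salt is constructed; the PBKDF2 parameters are an arbitrary choice for illustration.

```python
"""AUTH PLAIN vs CRAM-MD5: what the server must store, and what the wire reveals."""
from __future__ import annotations

import base64
import hashlib
import hmac

# Worked-example values from RFC 2195 section 2 (public test vector, not from the thread).
USERNAME = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

# Constructed salt for the stored-hash demonstration.
SALT = b"0123456789abcdef"
PBKDF2_ROUNDS = 100_000  # arbitrary illustrative work factor


def auth_plain_initial_response(username: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN (RFC 4616) initial response: base64(authzid NUL authcid NUL passwd).

    This is exactly what is on the wire and what Exim's debug output shows:
    an encoding, not a hash, so anyone who sees it has the password.
    """
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> tuple[str, str, str]:
    """Split the PLAIN blob back into (authzid, authcid, password)."""
    authzid, authcid, passwd = base64.b64decode(b64).decode("utf-8").split("\0", 2)
    return authzid, authcid, passwd


def hash_password(password: str, salt: bytes) -> str:
    """Server-side storage for PLAIN/LOGIN: a salted, slow one-way hash suffices,
    because the server receives the cleartext password and can re-hash it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS).hex()


def verify_plain_against_hash(b64: str, salt: bytes, stored_hash: str) -> bool:
    """Verify a PLAIN login without ever storing the cleartext password."""
    _, _, passwd = decode_auth_plain(b64)
    return hmac.compare_digest(hash_password(passwd, salt), stored_hash)


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client side of CRAM-MD5 (RFC 2195): 'user HEX(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, stored_password: str) -> bool:
    """Server side of CRAM-MD5: the HMAC can only be recomputed from the cleartext
    password (or the MD5 inner/outer contexts derived from it). A one-way salted
    hash like the one used above for PLAIN is useless here, which is why the
    password list needs stronger protection when hashing auth is offered."""
    _, _, digest = response.partition(" ")
    expected = hmac.new(stored_password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    blob = auth_plain_initial_response(USERNAME, PASSWORD)
    print("AUTH PLAIN on the wire:", blob)
    print("decoded by anyone who sees it:", decode_auth_plain(blob))

    stored = hash_password(PASSWORD, SALT)
    print("PLAIN verified against a salted hash only:",
          verify_plain_against_hash(blob, SALT, stored))

    resp = cram_md5_response(USERNAME, PASSWORD, CHALLENGE)
    print("CRAM-MD5 client response:", resp)
    print("CRAM-MD5 verified (server holds cleartext password):",
          cram_md5_verify(resp, CHALLENGE, PASSWORD))
```

The practical reading for an Exim operator matches the thread: with PLAIN or LOGIN offered only after STARTTLS, the password crosses the network encrypted and the server can keep nothing but a salted hash; with CRAM-MD5 the wire never carries the password, but the password file on the server does, so its permissions and backups matter more. In Exim the "only after STARTTLS" part is normally expressed with the authenticator's `server_advertise_condition` option tested against `$tls_in_cipher`.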
