On Sun, 13 Aug 2000, Kurt D. Zeilenga wrote:
> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> >I think we have to support rfc2554 authentication (With MECH LOGIN for
> >Outlook) out of the box if we are serious about mailserver and security.
>
> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> unless adequate privacy protections are in place. If you're serious
> about standards, you won't support LOGIN.
Tell that to Microsoft! They only support LOGIN and the users (god bless
them) won't change to another client.
>
> Given that OpenSSL is in the base system, there is little reason not
> to support BOTH StartTLS and SASL "out of the box". I would suggest
> the authentication defaults be relatively secure, as in "noplain,noanonymous".
> This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.
Works for me. I _have_ to keep OE5 working somehow until they start
supporting a better mechanism. _Then_ I can ditch LOGIN.
>
> >A make.conf knob to use a user-installed library may create problems with
> >different versions of Cyrus-SASL. I had some problems with that when
> >upgrading my mailservers to Sendmail 8.10.
>
> I'd recommend bringing Cyrus-SASL into the base system eventually
> under the same rationale used to bring OpenSSL in.
I agree.
/Johan
>
> Kurt
>
>
>
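
The "noplain,noanonymous" default discussed above, modelled as an added example (not part of the original message, and not sendmail or Cyrus-SASL code): PLAIN and LOGIN are withheld until StartTLS has been negotiated, ANONYMOUS is never offered, and the same policy is enforced when a client sends AUTH. All function names and the sample mechanism list are assumptions made for illustration.

```python
# Added illustration of the "noplain,noanonymous" policy from the thread.
# All names are hypothetical; this is not sendmail or Cyrus-SASL code.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # password crosses the wire base64-encoded only
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_secprops(spec):
    """Parse a comma-separated flag string such as "noplain,noanonymous"."""
    flags = {f.strip().lower() for f in spec.split(",") if f.strip()}
    unknown = flags - {"noplain", "noanonymous"}
    if unknown:
        raise ValueError("unsupported flag(s): " + ", ".join(sorted(unknown)))
    return flags


def offered_mechanisms(installed, secprops, tls_active):
    """Return the mechanisms the server may offer in its current state."""
    flags = parse_secprops(secprops)
    offered = []
    for mech in installed:
        name = mech.upper()
        if "noanonymous" in flags and name in ANONYMOUS_MECHS:
            continue  # never offered, with or without TLS
        if "noplain" in flags and name in PLAINTEXT_MECHS and not tls_active:
            continue  # withheld until the channel is encrypted
        offered.append(name)
    return offered


def ehlo_keywords(installed, secprops, tls_active):
    """Build the EHLO keywords that this policy affects."""
    lines = [] if tls_active else ["STARTTLS"]  # offered only before TLS is up
    mechs = offered_mechanisms(installed, secprops, tls_active)
    if mechs:
        lines.append("AUTH " + " ".join(mechs))
    return lines


def check_auth(mech, installed, secprops, tls_active):
    """Enforce at AUTH time too: a client can request a mechanism that was
    not advertised, so hiding it from EHLO is not sufficient on its own."""
    return mech.upper() in offered_mechanisms(installed, secprops, tls_active)


if __name__ == "__main__":
    installed = ["CRAM-MD5", "PLAIN", "LOGIN", "ANONYMOUS"]  # constructed sample
    for tls in (False, True):
        print("TLS active:", tls)
        print("  ", ehlo_keywords(installed, "noplain,noanonymous", tls))
```

A LOGIN-only client such as the OE5 case mentioned above sees no usable mechanism before StartTLS and gets LOGIN once the session is encrypted.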