On Sun, 13 Aug 2000, Kurt D. Zeilenga wrote:

> At 01:49 PM 8/13/00 +0200, Johan Granlund wrote:
> >I think we have to support rfc2554 authentication (With MECH LOGIN for
> >Outlook) out of the box if we are serious about mailserver and security.
> 
> If you're serious about security, you shouldn't support LOGIN (or PLAIN)
> unless adequate privacy protections are in place.  If you're serious
> about standards, you won't support LOGIN.

Tell that to Microsoft! They only support LOGIN and the users (god bless
them) won't change to another client.

> 
> Given that OpenSSL is in the base system, there is little reason not
> to support BOTH StartTLS and SASL "out of the box".  I would suggest
> the authentication defaults be relatively secure, as in "noplain,noanonymous".
> This will force use of StartTLS to allow use of PLAIN/LOGIN mechanisms.

Works for me. I _have_ to keep OE5 working somehow until they start
supporting a better mechanism, _Then_ I can ditch LOGIN.

> 
> >A make.conf knob to use a user-installed library may create problems with
> >different versions of Cyrus-SASL. I had some problems with that when
> >upgrading my mailservers to Sendmail 8.10.
> 
> I'd recommend bringing Cyrus-SASL into the base system eventually
> under the same rationale used to bring OpenSSL in.

I agree.

/Johan
> 
> Kurt
> 
> 
> 
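
An added example, not part of the original thread: one way to check that a mail server follows the "noplain,noanonymous" default discussed above, by comparing the AUTH mechanisms it advertises before and after STARTTLS. The function names and the sample EHLO replies are constructed for illustration.

```python
import re

# PLAIN and LOGIN send the password itself; base64 is an encoding, not encryption.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}

def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms advertised in an EHLO reply.

    Handles the RFC 2554 form ("250-AUTH LOGIN PLAIN") and the older
    "250-AUTH=LOGIN" form that some legacy clients look for.
    """
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def supports_starttls(ehlo_reply):
    """True if the reply carries a STARTTLS extension line."""
    return any(re.fullmatch(r"250[- ]STARTTLS", line.strip(), re.IGNORECASE)
               for line in ehlo_reply.splitlines())

def audit(ehlo_clear, ehlo_tls=""):
    """Return findings for one server, given its EHLO reply on the
    cleartext connection and (optionally) its reply after STARTTLS."""
    findings = []
    exposed = auth_mechs(ehlo_clear) & CLEARTEXT_MECHS
    if exposed:
        findings.append("cleartext mechanisms offered without TLS: "
                        + ", ".join(sorted(exposed)))
    if "ANONYMOUS" in auth_mechs(ehlo_clear) | auth_mechs(ehlo_tls):
        findings.append("ANONYMOUS offered")
    if not supports_starttls(ehlo_clear):
        findings.append("STARTTLS not offered")
    return findings

# Constructed sample replies (hypothetical host name).
WEAK = ("250-mail.example.org Hello\n250-AUTH=LOGIN\n"
        "250-AUTH LOGIN PLAIN\n250 HELP")
HARDENED_CLEAR = ("250-mail.example.org Hello\n250-STARTTLS\n"
                  "250-AUTH DIGEST-MD5 CRAM-MD5\n250 HELP")
HARDENED_TLS = ("250-mail.example.org Hello\n"
                "250-AUTH LOGIN PLAIN DIGEST-MD5 CRAM-MD5\n250 HELP")

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED_CLEAR, HARDENED_TLS))
```

In the hardened pair, LOGIN stays available for clients that need it, but only inside the TLS session.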


