Paul Kölle wrote:
> kashani wrote:
>> BTW I would not recommend using that how-to for the following reasons.
>> 1. clear text passwords
> Do you mean "clear text" in the DB or on the wire? If you want to avoid
> the former you get the latter 'cause SASL shared secret mechs wouldn't
> work anymore. So trust SSL or die and better have *real* certificates ;)
> Ah, and have you configured postfix to actually deny PLAIN and LOGIN
> without SSL? (smtpd_sasl_security_options = noanonymous noplaintext and
> smtpd_sasl_tls_security_options =)
Any on-the-wire attack is going to include pop/imap/smtp as well. Either
you shove everything into TLS or you don't bother for any of these
services.
Regardless, I prefer not to have everyone's clear text password lying in
a db somewhere.
Ramin
--
[email protected] mailing list
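The trade-off Paul describes (hashed passwords in the DB force PLAIN/LOGIN on the wire, because shared-secret mechanisms such as CRAM-MD5 can only be verified against the cleartext secret) and the Postfix knobs he names can both be made concrete. The following is an added example, not code from this thread or from Postfix: it models PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) verification against a cleartext record versus a hashed one, then evaluates a constructed `postconf -n` style fragment to decide whether plaintext mechanisms would be offered before and after STARTTLS. The user names, passwords and settings are constructed for the demonstration; the parameter semantics (`smtpd_sasl_security_options` default `noanonymous`, `smtpd_sasl_tls_security_options` defaulting to `$smtpd_sasl_security_options`, `smtpd_tls_auth_only`) are Postfix's documented ones.

```python
"""Added example: SASL mechanism choice vs. password storage, and which
mechanisms Postfix offers with and without TLS. Not from the thread."""
import base64
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


# --- the password store ---------------------------------------------------
def store_cleartext(password):
    """What a CRAM-MD5/DIGEST-MD5 deployment must keep: the shared secret."""
    return {"cleartext": password}


def store_hashed(password, salt=None):
    """What Ramin prefers: a salted PBKDF2 hash, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pbkdf2": digest}


# --- PLAIN (RFC 4616): client sends authzid NUL authcid NUL password -------
def plain_client(user, password):
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())


def plain_verify(record, blob):
    """PLAIN hands the server the password, so either store type works."""
    _authzid, _user, password = base64.b64decode(blob).split(b"\0")
    if "cleartext" in record:
        return hmac.compare_digest(password, record["cleartext"].encode())
    digest = hashlib.pbkdf2_hmac("sha256", password, record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["pbkdf2"])


# --- CRAM-MD5 (RFC 2195): client proves knowledge of the secret via HMAC ---
def cram_md5_challenge():
    return base64.b64encode(b"<" + os.urandom(8).hex().encode() + b"@example>")


def cram_md5_client(user, password, challenge):
    digest = hmac.new(password.encode(), base64.b64decode(challenge), hashlib.md5)
    return base64.b64encode(user.encode() + b" " + digest.hexdigest().encode())


def cram_md5_verify(record, challenge, response):
    """The server must recompute HMAC-MD5(secret, challenge): a one-way hash
    of the password is useless here, which is exactly Paul's point."""
    _user, digest = base64.b64decode(response).split(b" ")
    if "cleartext" not in record:
        raise LookupError("CRAM-MD5 needs the shared secret; a hash cannot verify it")
    expected = hmac.new(record["cleartext"].encode(),
                        base64.b64decode(challenge), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest.decode())


# --- Postfix side: is PLAIN/LOGIN offered in this session state? ----------
def parse_postconf(text):
    """Parse 'name = value' lines as printed by `postconf -n`."""
    settings = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            settings[name.strip()] = value.strip()
    return settings


def plaintext_auth_offered(settings, tls_active):
    """True if PLAIN/LOGIN would be announced. Assumes the session can reach
    tls_active=True at all, i.e. smtpd_tls_security_level is not 'none'."""
    if settings.get("smtpd_sasl_auth_enable", "no") != "yes":
        return False
    if not tls_active and settings.get("smtpd_tls_auth_only", "no") == "yes":
        return False  # AUTH is not announced at all before STARTTLS
    opts = settings.get("smtpd_sasl_security_options", "noanonymous")
    if tls_active and "smtpd_sasl_tls_security_options" in settings:
        opts = settings["smtpd_sasl_tls_security_options"]  # default: $smtpd_sasl_security_options
    return "noplaintext" not in opts.replace(",", " ").split()


# Constructed fragments: a how-to that only enables SASL, and Paul's fix.
WEAK_MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_security_level = may\n"
HARDENED_MAIN_CF = (
    "smtpd_sasl_auth_enable = yes\n"
    "smtpd_tls_security_level = may\n"
    "smtpd_sasl_security_options = noanonymous noplaintext\n"
    "smtpd_sasl_tls_security_options = noanonymous\n"
)

if __name__ == "__main__":
    for name, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        s = parse_postconf(cf)
        print(name, "plaintext before TLS:", plaintext_auth_offered(s, False),
              "after TLS:", plaintext_auth_offered(s, True))
```

With the hardened fragment, PLAIN/LOGIN is refused before STARTTLS and allowed after it, which is the only combination that lets a hashed password store coexist with Paul's "trust SSL or die" advice; leaving `smtpd_sasl_tls_security_options` empty, as in his parenthetical, also drops `noanonymous` over TLS, which is why the example keeps it.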