Rod,
I have never heard of an authentication scheme that fails a protocol and
then tries something more secure instead. The only claim for the server
being involved is that it allows people to mistakenly use a less secure
means by misconfiguration.
On our server where we host a very wide variety of users on a wide
variety of domains, I found the following results for today's SMTP AUTH
traffic:
94.97% - Used AUTH LOGIN
5.03% - Used CRAM-MD5
I'm guessing that Thunderbird defaults to CRAM-MD5, while most
everything else defaults to AUTH LOGIN.
I have never seen a compliance company/auditor that doesn't say things
that are ridiculously alarmist _at best_. Although CYA is generally
practiced by those on the other side of things, that doesn't mean that
just because some automated tool said something that you must follow
their lead.
If you have a single group of E-mail users it might be possible to
upgrade to IMail 9.21 to get this, but if this server handles multiple
domains and/or companies/groups, then it is not realistic to expect that
CRAM-MD5 is something that you want to force down their throats.
Some auditors would consider any non-VPN off-network access to a mail
server to be a security risk (and in some cases rightfully so), but I
don't see how this PCI thing is any more than a minor point. I'm also
quite sure that this test pretty much assumes that you are using
Exchange/Groupwise/Notes as opposed to an open standards E-mail server.
Matt
Rod Dorman wrote:
> On Wednesday, June 25, 2008, 14:52:08, Matt wrote:
>> You can't require it with your version. You need to upgrade and then
>> hack the registry if you want to do this:
>> http://support.ipswitch.com/kb/IM-20071231-JH01.htm
>> The real issue however is when an E-mail client sends in plain-text.
>> Just because you accept plain-text authentication doesn't mean that
>> anyone is using it. If they use it, it isn't your server leaking this
>> data, it is the E-mail client.
> True but from the POV of the compliance auditor the account credentials
> were leaked because the server told the client that plain text was OK to
> use.
>> These compliance companies sometimes assume things like that everyone is
>> using Exchange and not a standards-compliant E-mail server.
> I don't think they really care if it's Exchange or not, they simply want
> him to
> "Disable the plaintext authentication methods on your SMTP server ..."
> Your link above corrects the issue.
> Then it's simply a matter of telling all your users that if they want
> your server to relay their mail to external servers they must use an
> e-mail client that can do secure authentication.