On Wednesday, June 25, 2008, 18:50:43, Matt wrote:

> I have never heard of an authentication scheme that fails a protocol and
> then tries something more secure instead. The only claim for the server
> being involved is that it allows people to mistakenly use a less secure
> means by misconfiguration.

Well yeah, that was my (apparently poorly stated) point when I said

>> True but from the POV of the compliance auditor the account credentials
>> were leaked because the server told the client that plain text was OK to
>> use.

> On our server where we host a very wide variety of users on a wide
> variety of domains, I found the following results for today's SMTP AUTH
> traffic:
> 94.97% - Used AUTH LOGIN
> 5.03% - Used CRAM-MD5
>
> I'm guessing that Thunderbird defaults to CRAM-MD5, while most
> everything else defaults to AUTH LOGIN.

Which probably results in fewer support calls :-)

> I have never seen a compliance company/auditor that doesn't say things
> that are ridiculously alarmist _at best_. Although CYA is generally
> practiced by those on the other side of things, that doesn't mean that
> just because some automated tool said something that you must follow
> their lead.

The OP didn't say why he was trying to attain PCI compliance. If it's a
prerequisite for the ability to accept credit cards he might not have a
choice.

> If you have a single group of E-mail users it might be possible to
> upgrade to IMail 9.21 to get this, but if this server handles multiple
> domains and/or companies/groups, then it is not realistic to expect that
> CRAM-MD5 is something that you want to force down their throats.

Or set up one or more (perhaps new) servers for those domains or companies
that require it.

> Some auditors would consider any non-VPN off-network access to a mail
> server to be a security risk (and in some cases rightfully so), but I
> don't see how this PCI thing is any more than a minor point. I'm also
> quite sure that this test pretty much assumes that you are using
> Exchange/Groupwise/Notes as opposed to an open standards E-mail server.

Since the OP didn't identify what company is doing the compliance tests
this is just speculation.

I would hope that they don't assume anything and just run their tests
against all the MXs defined as receiving e-mail for the domain.

-- 
[EMAIL PROTECTED]          "The avalanche has already started, it is too
Rod Dorman                 late for the pebbles to vote." - Ambassador Kosh

To Unsubscribe: http://imailserver.com/support/discussion_list/
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://imailserver.com/support/kb.html
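The point argued back and forth above (the server "told the client plain text was OK", and a sniffer then gets the credentials from an AUTH LOGIN session while a CRAM-MD5 session gives it only a keyed digest) is easy to make concrete. The following is an added example for this archive page, not code from the thread, from Ipswitch, or from IMail: it parses a constructed EHLO reply the way a scanner would, recovers the username and password from a constructed AUTH LOGIN dialogue (and, going one step beyond the thread, from AUTH PLAIN, which leaks the same way), and then walks both sides of an RFC 2195 CRAM-MD5 exchange to show that the password itself never crosses the wire. Hostnames, the user, the password and the CRAM-MD5 challenge are all invented.

```python
import base64
import hashlib
import hmac

# Constructed sample data: none of this was captured from a real server
# (hostnames, users and the CRAM-MD5 challenge below are invented).
EHLO_REPLY = (
    "250-mail.example.com Hello client.example.net\r\n"
    "250-SIZE 20971520\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5\r\n"
    "250 HELP\r\n"
)
# Client side of an AUTH LOGIN dialogue as a sniffer sees it (the server's
# "334 VXNlcm5hbWU6" / "334 UGFzc3dvcmQ6" prompts are omitted).
AUTH_LOGIN_CLIENT_LINES = ["AUTH LOGIN", "YWxpY2VAZXhhbXBsZS5jb20=", "aHVudGVyMg=="]
# Same credentials via AUTH PLAIN with an initial response:
# base64("\0alice@example.com\0hunter2")
AUTH_PLAIN_CLIENT_LINES = ["AUTH PLAIN AGFsaWNlQGV4YW1wbGUuY29tAGh1bnRlcjI="]
# Constructed CRAM-MD5 challenge (a real server mints a fresh one per session).
CRAM_CHALLENGE_B64 = base64.b64encode(b"<1214427043.4711@mail.example.com>").decode()

PLAINTEXT_MECHS = {"LOGIN", "PLAIN"}


def advertised_mechanisms(ehlo_reply):
    """List the SASL mechanisms named on the EHLO 'AUTH' capability line(s)."""
    mechs = []
    for line in ehlo_reply.splitlines():
        body = line[4:].strip()                       # drop the "250-" / "250 " prefix
        if body[:5].upper() in ("AUTH ", "AUTH="):    # "AUTH=" is the legacy spelling
            mechs.extend(m.upper() for m in body[5:].split())
    return mechs


def audit_ehlo(ehlo_reply, tls_active):
    """Mechanisms the server is offering that put a reusable secret on the wire.

    This is what a scanner sees: before STARTTLS, offering LOGIN or PLAIN
    is the "server told the client plain text was OK" finding.
    """
    if tls_active:
        return []
    return sorted(PLAINTEXT_MECHS & set(advertised_mechanisms(ehlo_reply)))


def recover_plaintext_credentials(client_lines):
    """Recover (username, password) from the client's lines of an AUTH LOGIN
    or AUTH PLAIN dialogue; anyone on the path can do this.  Returns None if
    the dialogue is not one of those two mechanisms."""
    parts = client_lines[0].split()
    if len(parts) < 2 or parts[0].upper() != "AUTH":
        return None
    mech = parts[1].upper()
    responses = parts[2:] + list(client_lines[1:])   # initial response, then continuations
    if mech == "LOGIN" and len(responses) >= 2:
        user, password = (base64.b64decode(r).decode() for r in responses[:2])
        return user, password
    if mech == "PLAIN" and responses:
        # RFC 4616 payload: [authzid] NUL authcid NUL passwd
        _authzid, authcid, password = base64.b64decode(responses[0]).decode().split("\0")
        return authcid, password
    return None


def cram_md5_response(username, password, challenge_b64):
    """Client side of RFC 2195: only HMAC-MD5(password, challenge) is sent."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge_b64, password_for):
    """Server side: recompute the digest from the stored password (which the
    server must therefore keep in recoverable form) and compare in constant time."""
    username, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    password = password_for(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def demo():
    """Run the checks on the constructed data and return the findings."""
    users = {"alice@example.com": "hunter2"}
    response = cram_md5_response("alice@example.com", "hunter2", CRAM_CHALLENGE_B64)
    return {
        "offered_in_clear": audit_ehlo(EHLO_REPLY, tls_active=False),
        "login_leak": recover_plaintext_credentials(AUTH_LOGIN_CLIENT_LINES),
        "plain_leak": recover_plaintext_credentials(AUTH_PLAIN_CLIENT_LINES),
        "cram_wire_has_password": "hunter2" in base64.b64decode(response).decode(),
        "cram_accepted": cram_md5_verify(response, CRAM_CHALLENGE_B64, users.get),
        "cram_wrong_password": cram_md5_verify(response, CRAM_CHALLENGE_B64,
                                               {"alice@example.com": "hunter3"}.get),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two caveats for anyone applying this to a real server: CRAM-MD5 keeps the password off the wire, but a captured challenge/response pair can be brute-forced offline, and the server has to hold the password (or the equivalent HMAC-MD5 state) in recoverable form, so it is not a free upgrade. What actually removes the finding for every client, regardless of which mechanism it defaults to, is refusing AUTH until STARTTLS has been negotiated, in which case `audit_ehlo` reports nothing because the plaintext exchange is inside the TLS session.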
