* mj <[email protected]>:
> Hi,
>
> Ok, so disallowing LOGIN is not a clever move :-)

Mandatory STARTTLS *and* disallowing any shared-secret mechanism (CRAM-MD5, DIGEST-MD5, NTLM) is a clever move. This way you protect the identity while it is transported from the client to the server and you are able to store the passwords crypted.

p@rick

> Thanks for your answers!
>
> MJ
>
> On 09/02/2017 08:32 AM, Patrick Ben Koetter wrote:
> > * postfix <[email protected]>:
> > > On 09/01/2017 04:25 PM, mj wrote:
> > > > Just a small question: we currently use postfix with sasl authentication,
> > > > and following many docs, we have enabled PLAIN and LOGIN authentication.
> > > >
> > > > However, googling leads me to believe that LOGIN is mostly used by
> > > > Outlook Express, and that most (or all?) modern clients support the
> > > > PLAIN mechanism.
> > > >
> > > > I also noticed that most failed authentication attempts are done using
> > > > LOGIN.
> > > >
> > > > Now, assuming that most of these failed authentications are simply
> > > > username/password guessing... how many problems would I expect, if I
> > > > simply only offer PLAIN mechanism?
> > > >
> > > > It's hard to find info on what clients use what auth type. So, are
> > > > all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> > > > 2010/2013) so could I simply disallow LOGIN?
> >
> > Thunderbird:
> > PLAIN, DIGEST-MD5
> >
> > Outlook 20**:
> > LOGIN, NTLM
> >
> > > As far as I know, outlook does only LOGIN, even: because of outlook the
> > > LOGIN mechanism was introduced.
> >
> > That is correct.
> >
> > p@rick

-- 
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
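As an added example (not part of this thread and not Postfix's or sys4's own configuration), here is a Postfix/Dovecot fragment that puts the weak setup beside the one Patrick describes: AUTH is only advertised after STARTTLS, TLS is mandatory on the submission port, and the SASL backend offers PLAIN and LOGIN only, with no shared-secret mechanisms. It assumes Dovecot is the SASL backend; the certificate paths, hostname and user file are placeholders.

```ini
# ---------------------------------------------------------------
# WEAK (hypothetical example): AUTH advertised on the cleartext
# session, and shared-secret mechanisms enabled in the backend.
# ---------------------------------------------------------------
# /etc/postfix/main.cf
# smtpd_sasl_auth_enable = yes
# smtpd_tls_security_level = may
# smtpd_tls_auth_only = no
#
# /etc/dovecot/conf.d/10-auth.conf
# auth_mechanisms = plain login cram-md5 digest-md5 ntlm
# (CRAM-MD5/DIGEST-MD5/NTLM need the server to keep a secret it
#  can recompute the challenge response from, so passwords cannot
#  be stored as salted one-way hashes.)

# ---------------------------------------------------------------
# HARDENED: TLS first, then only plaintext-over-TLS mechanisms.
# ---------------------------------------------------------------
# /etc/postfix/main.cf
# Postfix comments must stand on their own line; none are inline.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# placeholder certificate and key paths
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
# opportunistic TLS on port 25 for other MTAs ...
smtpd_tls_security_level = may
# ... but never advertise AUTH before STARTTLS
smtpd_tls_auth_only = yes
# without TLS: no PLAIN/LOGIN at all; with TLS: PLAIN/LOGIN allowed
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# /etc/postfix/master.cf: submission service with mandatory TLS
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# /etc/dovecot/conf.d/10-auth.conf: PLAIN and LOGIN only
disable_plaintext_auth = yes
auth_mechanisms = plain login

# /etc/dovecot/conf.d/10-auth.conf: passwords stored as salted
# one-way hashes, possible only because no challenge-response
# mechanism is offered (users file is a placeholder)
passdb {
  driver = passwd-file
  args = scheme=SHA512-CRYPT /etc/dovecot/users
}
```

To check the result from the outside: a cleartext `EHLO` on port 25 must return no `250-AUTH` line at all, and after `STARTTLS` (for instance via `openssl s_client -starttls smtp -connect mail.example.com:587`, then a second `EHLO`) the capability list should read `250-AUTH PLAIN LOGIN` and nothing else. Keeping LOGIN alongside PLAIN costs nothing once TLS is mandatory, which is the point of the reply above: the mechanism guessed against does not matter when the credential only ever crosses the wire inside TLS and the server holds only a hash.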
