Charles Sprickman wrote:
So I have to choose: using a cryptography authentication method that's not safe or having the password being save as plain (wich is not safe either)?
You did not pointed how to do what I'm asking: is it possible to use CRAM-MD5 without clear passwords?
They don't have to sniff your LAN, they can sniff at the end-users side. You're probably using smtp-auth to provide roaming to travelling users, and there's a decent chance some of those are on "unfriendly" networks like wireless...
There's a simple workaround; use standard auth and in your setup guides show your users how to click the "Use SSL/TLS" option in their mail program. Then your login (and the contents of the message they are sending/receiving) is encrypted, and you can use an auth mechanism that does not require clear-text passwords.
It's not a workaround for me. I do not use TLS patch and I don't really want to encrypt messages. I just want to be sure that my users' password will not be acessible for anyone but themselves.
I don't really care if some user has his mail sniffed (if he thinks it's confidential, he should be responsible for encrypting it, so even when it's written to the storage system the message would still be encrypted). But I do care if some spammer sniffs him and starts getting relay to do spam trough my smtpd (smtp-auth).
-- Best regards, Eduardo M. Bragatto.