Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] postfix with TLS/SASL on debian woody


David Fitch wrote:

As a matter of fact, CRAM-MD5, GSSAPI, and DIGEST-MD5 shouldn't
be used at all in your case because you are already using TLS.
TLS and any one of these are mutually exclusive. You use TLS
or one of these.


hmm dunno


TLS is needed to protect plain text messages sent and received
across a network. When using PLAIN text, TLS is a must as far
as I'm concerned.

There are many networks that use PLAIN text without security
protections. Check whether your ISP provides email service
with PLAIN text authentication. Perhaps they are using TLS, or
perhaps not.

Anybody may use 'ethereal' or 'tcpdump' to sniff the messages
these days, and AUTH PLAIN without TLS is a no-no.

CRAM-MD5 (1), GSSAPI (2), and DIGEST-MD5 (3) are encrypted messages
and not PLAIN text. Therefore, it is redundant to have TLS when the
message is using one of the above. As a matter of fact, when
a client selects TLS it is not allowed to use (1), (2), or (3) by
most software.

For example, see 'Testing' in:

http://www.ofb.net/%7Ejheiss/krbldap/howto.html#ldapserv

So, why does SASL allow multiple 'AUTH' to be configured ?

The answer is that SASL is a negotiation network protocol that lets
the client and server select a particular 'AUTH' to use in a
specific session. This means that SASL provides the selections
and the mail client decides what AUTH to use. This is why we
configure both our mail server in 'smtpd.conf' and our mail-client
software like 'thunderbird'.

E.g. I have a mail server with several clients using heterogeneous
mail-client software. I require a protocol that will allow my
mail server to offer as many AUTH options as possible to my clients.

Here is a list of mail-clients and their authentication protocols
capabilities:

http://www.melnikov.ca/mel/devel/SASL_ClientRef.html



O Plameras
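The negotiation described in the post above (server advertises mechanisms in EHLO, client picks one) and the difference between AUTH PLAIN and CRAM-MD5 on the wire, as an added worked example that is not part of the original thread. The EHLO responses, the user database and the client preference order are constructed for this example; the challenge string is the sample format from RFC 2195. The policy modelled on the client side (PLAIN or LOGIN only once TLS is up) is an assumed one, and the server-side EHLO lists assume a Postfix configured with `smtpd_sasl_security_options = noplaintext` and `smtpd_sasl_tls_security_options = noanonymous` so that PLAIN/LOGIN are only advertised after STARTTLS.

```python
import base64
import hashlib
import hmac

# --- Constructed sample data (not a real capture) -------------------------
# EHLO responses a Postfix smtpd would give before and after STARTTLS with
# smtpd_sasl_security_options = noplaintext (assumed configuration).
EHLO_BEFORE_TLS = [
    "250-mail.example.net",
    "250-STARTTLS",
    "250-AUTH CRAM-MD5 DIGEST-MD5",
    "250 8BITMIME",
]
EHLO_AFTER_TLS = [
    "250-mail.example.net",
    "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5",
    "250 8BITMIME",
]
# Mechanisms whose exchange carries the password itself on the wire.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
# Hypothetical client preference order; a real MUA has its own.
CLIENT_PREFERENCE = ["CRAM-MD5", "DIGEST-MD5", "PLAIN", "LOGIN"]


def offered_mechanisms(ehlo_lines):
    """SASL mechanisms advertised in an EHLO response ('AUTH ' or legacy 'AUTH=')."""
    mechs = []
    for line in ehlo_lines:
        body = line[4:].strip().upper()          # drop '250-' / '250 '
        if body.startswith("AUTH ") or body.startswith("AUTH="):
            mechs.extend(body[5:].split())
    return mechs


def choose_mechanism(offered, tls_active, preference=CLIENT_PREFERENCE):
    """Client side of the negotiation: first preferred mechanism the server
    offers, refusing PLAIN/LOGIN unless TLS is already up. None if nothing fits."""
    for mech in preference:
        if mech in offered and (tls_active or mech not in PLAINTEXT_MECHS):
            return mech
    return None


def cram_md5_response(username, password, challenge_b64):
    """Client side of CRAM-MD5 (RFC 2195): HMAC-MD5 of the server's challenge
    keyed with the password, so the password itself is never transmitted."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(user_db, challenge_b64, response_b64):
    """Server side of CRAM-MD5. Caveat: the server needs the clear-text
    password (or an HMAC-MD5 equivalent) to recompute the digest."""
    try:
        username, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    password = user_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def run_session(user_db, username, password, tls_active, preference=CLIENT_PREFERENCE):
    """Mock one AUTH exchange end to end; returns (transcript, success)."""
    ehlo = EHLO_AFTER_TLS if tls_active else EHLO_BEFORE_TLS
    transcript = [f"S: {line}" for line in ehlo]
    mech = choose_mechanism(offered_mechanisms(ehlo), tls_active, preference)
    if mech is None:
        transcript.append("C: (no acceptable mechanism offered, aborting)")
        return transcript, False
    transcript.append(f"C: AUTH {mech}")
    if mech == "CRAM-MD5":
        # Challenge in the RFC 2195 sample format (constructed value).
        challenge_b64 = base64.b64encode(
            b"<1896.697170952@postoffice.reston.mci.net>").decode()
        transcript.append(f"S: 334 {challenge_b64}")
        response = cram_md5_response(username, password, challenge_b64)
        transcript.append(f"C: {response}")
        ok = cram_md5_verify(user_db, challenge_b64, response)
    elif mech == "PLAIN":
        # PLAIN sends \0user\0password, base64-encoded: only safe under TLS.
        transcript.append("S: 334 ")
        token = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
        transcript.append(f"C: {token}")
        ok = user_db.get(username) == password
    else:
        transcript.append(f"C: (mechanism {mech} not implemented in this example)")
        return transcript, False
    transcript.append("S: 235 2.7.0 Authentication successful" if ok
                      else "S: 535 5.7.8 Authentication failed")
    return transcript, ok
```

Running `run_session({"tim": "tanstaaftanstaaf"}, "tim", "tanstaaftanstaaf", tls_active=False)` shows the CRAM-MD5 transcript with no password bytes in it; calling it with `tls_active=True, preference=["PLAIN"]` shows the base64 token that a sniffer could decode directly, which is why the plaintext mechanisms belong only inside TLS. On the server side the equivalent knobs are Postfix's `smtpd_sasl_security_options` / `smtpd_sasl_tls_security_options` (or `smtpd_tls_auth_only = yes` to withhold AUTH entirely until STARTTLS) and the `mech_list` line in Cyrus SASL's `smtpd.conf`, which is where the offered set in the EHLO lists above comes from.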