[Oberon] Re: 2: Have we got email send authenticate ability ?
W B Hacker
wbh at conducive.org
Tue Feb 14 23:25:32 CET 2006
Roger Keller wrote:
>>IIRC, at least current versions of Lookout and OE both do plain,
>>SSL and/or TLS, and with plain or CRAM-MD5, and probably have
>>done for some years now. Not always 'correctly' in all respects.
> the client of course has to use an authentication method offered by the
> server. if the server only offers plain text auth, the client does not have
> any choice. and basically if the server was to offer tls secured
> communication, the authentication would then (usually) happen over the
> secure channel...
Not a lot of 'serious' servers these days that cannot offer
encrypted auth. The better ones take no other.
>>TLS, OTOH, does reveal some information 'en clair' during the
>>EHLO/HELO handshake before STARTTLS encryption is set up. IF
>>it is even selected or 'fallback' denied so it is set up at all...
> usually the only two clear text commands when using tls are the EHLO and the
> STARTTLS commands ... so there's usually no information one would not give
> away anyway ...
'broken' clients and mis-configured MTA/MSA aside, yes -
'specially since one can restrict the banner and can EHLO as any
string... (by telnet, anyway - MUA's are another matter..)
But, whereas the old 'smtps' SSL-only forced an immediate
encrypted-or-fail situation, TLS (can) allow 'negotiating' a
plain session OR an encrypted one.
No problem if those who do configuration at both ends pay
attention, but a weak or misconfigured MUA is easily capable of
shouting UID:PWD en clair - more than once - even if the MTA/MSA
will accept a 'plain' TLS session, but will not allow client auth
over such. Applies very much if the MUA has been pointed at port
25 instead of the submission port.
Niggling detail, perhaps, but admins are human, defaults are
often unhelpful, and lusers setting up their own PC
'For want of a nail...'
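The pre-STARTTLS exposure discussed above, as an added example in Python that is not part of the original message: parse a server's EHLO reply and flag a port that offers no STARTTLS at all, or that advertises PLAIN/LOGIN before STARTTLS has been negotiated, which is the situation in which a weak MUA can shout its credentials en clair. The sample reply and the host name mx.example.test are constructed; probe() uses the standard library smtplib and is only a convenience for checking a live MSA.

```python
"""Audit EHLO advertisements for the failure the post describes: cleartext AUTH
offered without STARTTLS, or before it, so a weak MUA can send UID:PWD en clair.
Added example; not code from the original post."""
import re
import smtplib

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}   # password recoverable from the wire

# Constructed sample reply from a misconfigured MSA: AUTH advertised before STARTTLS.
SAMPLE_PRE_TLS = ("250-mx.example.test Hello\n250-SIZE 10240000\n"
                  "250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME")

def parse_ehlo(reply: str) -> dict:
    """Parse an EHLO reply into {keyword_lower: 'params'} (smtplib's shape).
    Accepts raw '250-KEYWORD ...' lines or smtplib's prefix-stripped text."""
    features = {}
    for line in reply.splitlines()[1:]:          # [0] is the greeting line
        line = re.sub(r"^250[ -]", "", line.strip())
        if not line:
            continue
        keyword, _, params = line.partition(" ")
        if "=" in keyword:                       # pre-RFC 'AUTH=PLAIN LOGIN' form
            keyword, _, first = keyword.partition("=")
            params = (first + " " + params).strip()
        keyword = keyword.lower()
        if keyword == "auth":                    # merge repeated AUTH lines
            params = (features.get("auth", "") + " " + params).strip()
        features[keyword] = params
    return features

def cleartext_auth(features: dict) -> set:
    """Cleartext SASL mechanisms advertised in a parsed EHLO reply."""
    return {m.upper() for m in features.get("auth", "").split()} & CLEARTEXT_MECHS

def audit(pre_tls: dict) -> list:
    """Policy findings for the EHLO reply seen before any STARTTLS."""
    findings = []
    if "starttls" not in pre_tls:
        findings.append("STARTTLS not offered: any AUTH on this port is en clair")
    leaked = cleartext_auth(pre_tls)
    if leaked:
        findings.append("cleartext AUTH advertised before STARTTLS: " + " ".join(sorted(leaked)))
    return findings

def probe(host: str, port: int = 587) -> list:
    """Run the audit against a live MSA's pre-STARTTLS EHLO (network; not run offline)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        return audit(dict(s.esmtp_features))
```

Running probe() against port 25 and the submission port of the same host shows whether the MTA and the MSA apply the same rule.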