[Oberon] Re: 2: Have we got email send authenticate ability ?

[W B Hacker]

Roger Keller wrote:

>>IIRC, at least current versions of Lookout and OE both do plain, 
>>SSL and/or TLS, and with plain or CRAM-MD5, and probably have 
>>done for some years now. Not always 'correctly' in all respects.
> 
> 
> the client of course has to use an authentication method offered by the
> server. if the server only offers plain text auth, the client does not have
> any choice. and basically if the server was to offer tls secured
> communication, the authentication would then (usually) happen over the
> secure channel...
>


Not a lot of 'serious' servers these days that cannot offer 
encrypted auth. The better ones take no other.

> 
>>TLS, OTOH, does reveal some information 'en clair' during the 
>>EHLO/HELO handshake before STARTTLS encryption is is set up.  IF 
>>it is even selected or 'fallback' denied so it is set up at all...
> 
> 
> usually the only two clear text commands when using tls are the EHLO and the
> STARTTLS commands ... so there's usually no information one would not give
> away anyway ...
> 
> --roger
> 

"broken' clients and mis-configured MTA/MSA aside, yes -

'specially since one can restrict the banner and can EHLO as any 
string... (by telnet, anyway  - MUA's are another matter..)

But, whereas the old 'smpts' SSL-only forced an immediate 
encrypted-or-fail situation, TLS (can) allow 'negotiating' a 
plain session OR an encrypted one.

No problem if those who do configuration at both ends pay 
attention, but a weak or misconfigurd MUA is easily capable of 
shouting UID:PWD en clair - more than once - even if the MTA/MSA 
will accept a 'plain' TLS sesson, but will not allow client auth 
over such. Applies very much if the MUA has been pointed at port 
25 instead of the submissions port.

Niggling detail, perhaps, but admins are human, defaults are 
often unhelpful, and lusers setting up their own PC 
unpredictable, so

'For want of a nail...'

Bill