questions on setting up a mail server
Jonathan McKeown
jonathan+freebsd-questions at hst.org.za
Wed Sep 5 04:34:10 PDT 2007
On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:
> > All the authentication options you mention after plain text (which is the
> > standard method built in to the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).
>
> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?
No, it's just obfuscated. Both PLAIN and LOGIN send the username and password
base64-encoded, which doesn't provide any security - it just protects the
mailserver from funny characters in passwords.
The only difference between PLAIN and LOGIN is that PLAIN combines the
username and password into a single string and sends that, whereas LOGIN
waits for a prompt, sends the username, waits for another prompt and sends
the password.
If you enable the option to prevent plaintext methods except under a security
layer, both methods will be disabled.
If you do decide to use cyrus, there's a useful tool called imtest which
connects to the server, negotiates a TLS connection and lets you type IMAP
commands at it. You can see the actual exchange of authentication details,
and you can use openssl base64 -d to decode the base64 string to see what's
sent (man enc for details).
You can also test a secured connection using openssl s_client, which has an
option for doing STARTTLS against smtp and pop3 servers (man s_client for
details).
Jonathan
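To make the point above concrete, here is an added example (not part of the original post) that builds and decodes the exact strings PLAIN and LOGIN put on the wire. The credentials "alice" / "s3cret" are constructed sample values; decoding them back is the same thing the post suggests doing with openssl base64 -d on a captured exchange.

```python
import base64

# Constructed sample credentials for the demonstration (not real accounts).
USERNAME = "alice"
PASSWORD = "s3cret"


def plain_initial_response(authcid: str, passwd: str, authzid: str = "") -> str:
    """Build the SASL PLAIN message (RFC 4616): authzid NUL authcid NUL passwd,
    base64-encoded. This single string is what the client sends after AUTH PLAIN."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain(blob: str) -> tuple[str, str, str]:
    """Reverse a captured AUTH PLAIN blob into (authzid, authcid, passwd).
    Equivalent to 'openssl base64 -d' followed by splitting on the NUL bytes."""
    parts = base64.b64decode(blob).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed SASL PLAIN message: expected two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    return authzid, authcid, passwd


def login_exchange(authcid: str, passwd: str) -> list[str]:
    """Model the LOGIN mechanism: the server issues two base64 prompts ('Username:'
    then 'Password:') and the client answers each one separately, also base64."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return [
        "S: 334 " + b64("Username:"),
        "C: " + b64(authcid),
        "S: 334 " + b64("Password:"),
        "C: " + b64(passwd),
    ]


def decode_login_transcript(lines: list[str]) -> dict[str, str]:
    """Decode every base64 token in a LOGIN transcript and pair each server prompt
    with the client's answer, showing the credentials are merely obfuscated."""
    decoded = [base64.b64decode(line.split()[-1]).decode("utf-8") for line in lines]
    prompts, answers = decoded[0::2], decoded[1::2]
    return dict(zip(prompts, answers))


if __name__ == "__main__":
    blob = plain_initial_response(USERNAME, PASSWORD)
    print("AUTH PLAIN", blob, "->", decode_plain(blob))
    transcript = login_exchange(USERNAME, PASSWORD)
    print("\n".join(transcript), "->", decode_login_transcript(transcript))
```

Either exchange decodes to the password with no key involved, which is why both mechanisms should only be offered once a TLS layer is up.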