questions on setting up a mail server

Jonathan McKeown jonathan+freebsd-questions at hst.org.za
Wed Sep 5 04:34:10 PDT 2007


On Wednesday 05 September 2007 12:46, Jim Stapleton wrote:
> > All the authentication options you mention after plain text (which is the
> > standard method built in to the protocol) require Cyrus SASL. This isn't
> > as scary to set up as the docs make it sound. PLAIN and LOGIN can both
> > use your existing user passwords (which is what I do). GSSAPI requires
> > Kerberos, and the digest methods (the -MD5 ones) need a separate file of
> > passwords held in plain text - the sasldb. Of the passwd-based methods,
> > PLAIN is the preferred protocol according to the docs and RFCs - LOGIN is
> > the one Microsoft uses (go figure).
>
> Thanks, that's almost all of what I needed there. You insinuated (but
> I don't think explicitly stated) that LOGIN is in fact encrypted in
> some form?

No, it's just obfuscated. Both PLAIN and LOGIN send the username and password 
base64-encoded, which doesn't provide any security - it just protects the 
mailserver from funny characters in passwords.

The only difference between PLAIN and LOGIN is that PLAIN combines the 
username and password into a single string and sends that, whereas LOGIN 
waits for a prompt, sends the username, waits for another prompt and sends 
the password.

If you enable the option to prevent plaintext methods except under a security 
layer, both methods will be disabled.

If you do decide to use cyrus, there's a useful tool called imtest which 
connects to the server, negotiates a TLS connection and lets you type IMAP 
commands at it. You can see the actual exchange of authentication details, 
and you can use openssl base64 -d to decode the base64 string to see what's 
sent (man enc for details).

You can also test a secured connection using openssl s_client, which has an 
option for doing STARTTLS against smtp and pop3 servers (man s_client for 
details).

Jonathan
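As an added illustration of the point made above (not code from the original message or from the Cyrus project), the script below builds the SASL PLAIN token and the two-step LOGIN exchange for a constructed username and password, decodes them again the way `openssl base64 -d` would, and then runs a small audit check for the rule mentioned above: a PLAIN or LOGIN AUTHENTICATE command issued before STARTTLS. The credentials, the IMAP tag names and the session lines are all constructed for the example; the treatment of STARTTLS as active from the moment the client sends it is a deliberate simplification.

```python
import base64

# Constructed sample credentials (not from the original message).
USERNAME = "alice"
PASSWORD = "s3cret pass"   # the space is the kind of "funny character" base64 hides


def sasl_plain_encode(authcid: str, password: str, authzid: str = "") -> str:
    """Build the SASL PLAIN message (RFC 4616): authzid NUL authcid NUL password,
    then base64 it. Base64 is an encoding, not a cipher: anyone holding the
    token recovers the password with the inverse function below."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def sasl_plain_decode(token: str):
    """Inverse of sasl_plain_encode, i.e. what `openssl base64 -d` gives you
    plus a split on the NUL separators. Returns (authzid, authcid, password)."""
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)


def sasl_login_exchange(username: str, password: str):
    """The LOGIN mechanism sends the same two values in two steps, each after
    a base64-encoded prompt from the server. Returns a constructed IMAP
    session as (sender, line) pairs; 'a1' is an arbitrary IMAP tag."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return [
        ("C", "a1 AUTHENTICATE LOGIN"),
        ("S", "+ " + b64("Username:")),
        ("C", b64(username)),
        ("S", "+ " + b64("Password:")),
        ("C", b64(password)),
        ("S", "a1 OK Success"),
    ]


def sasl_login_decode(exchange):
    """Recover username and password from a LOGIN exchange: they are the two
    client lines that follow a '+' continuation prompt."""
    answers = []
    for i, (sender, text) in enumerate(exchange):
        if sender == "S" and text.startswith("+ ") and i + 1 < len(exchange):
            next_sender, next_text = exchange[i + 1]
            if next_sender == "C":
                answers.append(base64.b64decode(next_text).decode("utf-8"))
    if len(answers) != 2:
        raise ValueError("LOGIN exchange should carry exactly two responses")
    return answers[0], answers[1]


PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def plaintext_auth_without_tls(exchange):
    """Audit check for 'no plaintext methods except under a security layer':
    return the AUTHENTICATE commands that used PLAIN or LOGIN before the
    client issued STARTTLS. Simplification: STARTTLS is treated as active as
    soon as the client sends it, without checking the server's reply."""
    tls_active = False
    findings = []
    for sender, text in exchange:
        words = text.split()
        if sender != "C" or len(words) < 2:
            continue
        if words[1].upper() == "STARTTLS":
            tls_active = True
        elif words[1].upper() == "AUTHENTICATE" and len(words) >= 3:
            if words[2].upper() in PLAINTEXT_MECHS and not tls_active:
                findings.append(text)
    return findings


if __name__ == "__main__":
    token = sasl_plain_encode(USERNAME, PASSWORD)
    print("PLAIN on the wire:", token)
    print("decoded:", sasl_plain_decode(token))
    session = sasl_login_exchange(USERNAME, PASSWORD)
    print("LOGIN recovered:", sasl_login_decode(session))
    print("plaintext auth before STARTTLS:", plaintext_auth_without_tls(session))
```

Running the script prints the base64 token, shows that both mechanisms yield the same username and password after decoding, and flags the LOGIN exchange because no STARTTLS preceded it; prepending a STARTTLS command to the session makes the check return an empty list.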

