Re: [Nmh-workers] modernizing smtp message submission
From: Ken Hornstein
Subject: Re: [Nmh-workers] modernizing smtp message submission
Date: Wed, 09 Jul 2014 23:23:01 -0400
>With the rest of Lyndon's proposal in place, we wouldn't need
>the explicit -sasl -tls. Very nice.
Thinking about it ... I realize I missed this part of his proposal. I'm
not so sure I like the idea of defaulting to -sasl being on. While the
traditional SASL mechanisms (CRAM-MD5, DIGEST-MD5, GSSAPI, etc) are
safe to send to an unknown/untrusted server, PLAIN is not; it sends the
password in the clear (well, it's base64 encoded for SMTP and you're
only supposed to use it over an encrypted channel, but you get the
idea). If you do that with an untrusted server, boom, there goes your
password. Maybe that's not a valid concern, but I'd rather require the
user to configure that.
--Ken
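
Added example, not part of the message above and not nmh's code: it shows what a receiving server can read from a PLAIN response compared with a CRAM-MD5 response, and a client-side policy that uses PLAIN only when the user has explicitly enabled it and TLS is active. The function names and the `allow_plain` parameter are hypothetical, and the credentials and challenge are constructed.

```python
import base64
import hashlib
import hmac

# Added illustration; names below are hypothetical, not nmh's API.

def plain_initial_response(authcid, password, authzid=""):
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded for SMTP."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def cram_md5_response(authcid, password, challenge_b64):
    """RFC 2195 CRAM-MD5: username, space, hex HMAC-MD5 of the server challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{authcid} {digest}".encode("utf-8")).decode("ascii")

def server_view(mechanism, response_b64):
    """Fields any receiving server obtains by base64-decoding the client response."""
    raw = base64.b64decode(response_b64)
    if mechanism == "PLAIN":
        _authzid, authcid, password = raw.split(b"\0")
        return {"user": authcid.decode(), "password": password.decode()}
    user, digest = raw.decode().rsplit(" ", 1)
    return {"user": user, "hmac_md5": digest}

def choose_mechanism(advertised, tls_active, allow_plain=False):
    """Prefer challenge-response; use PLAIN only if the user opted in and TLS is up."""
    offered = {m.upper() for m in advertised}
    if "CRAM-MD5" in offered:
        return "CRAM-MD5"
    if "PLAIN" in offered and allow_plain and tls_active:
        return "PLAIN"
    return None  # nothing acceptable: do not authenticate

if __name__ == "__main__":
    # Constructed credentials and challenge, for demonstration only.
    user, pw = "user", "pass"
    chal = base64.b64encode(b"<12345.67890@mail.example>").decode("ascii")
    print("PLAIN    ->", server_view("PLAIN", plain_initial_response(user, pw)))
    print("CRAM-MD5 ->", server_view("CRAM-MD5", cram_md5_response(user, pw, chal)))
    print("policy   ->", choose_mechanism(["PLAIN"], tls_active=True))
```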