Re: [Nmh-workers] modernizing smtp message submission

From: Ken Hornstein
Subject: Re: [Nmh-workers] modernizing smtp message submission
Date: Wed, 09 Jul 2014 23:23:01 -0400

>With the rest of Lyndon's proposal in place, we wouldn't need
>the explicit -sasl -tls.  Very nice.

Thinking about it ... I realize I missed this part of his proposal.  I'm
not so sure I like the idea of defaulting to -sasl being on.  While the
traditional SASL mechanisms (CRAM-MD5, DIGEST-MD5, GSSAPI, etc) are
safe to send to an unknown/untrusted server, PLAIN is not; it sends the
password in the clear (well, it's base64 encoded for SMTP and you're
only supposed to use it over an encrypted channel, but you get the
idea).  If you do that with an untrusted server, boom, there goes your
password.  Maybe that's not a valid concern, but I'd rather require the
user to configure that.
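
Added example, not part of the original message and not nmh code: the PLAIN (RFC 4616) and CRAM-MD5 (RFC 2195) client responses side by side, with what the receiving server can read back from each. The function names are hypothetical; the sample credentials and challenge are the published RFC test vectors, not real accounts.

```python
import base64
import hashlib
import hmac

# Sample values are the test vectors printed in RFC 4616 / RFC 2195.
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode("ascii")


def plain_initial_response(authcid, password, authzid=""):
    """PLAIN: base64(authzid NUL authcid NUL password)."""
    msg = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def cram_md5_response(username, password, challenge_b64):
    """CRAM-MD5: base64(username SP hex(HMAC-MD5(key=password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode("utf-8"), challenge,
                      hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def server_view_plain(response_b64):
    """Fields any server receiving AUTH PLAIN gets, password included."""
    authzid, authcid, password = base64.b64decode(response_b64).split(b"\0")
    return authzid.decode(), authcid.decode(), password.decode()


def server_view_cram_md5(response_b64):
    """Fields a server receiving a CRAM-MD5 response gets: name and digest."""
    username, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    return username, digest


if __name__ == "__main__":
    plain = plain_initial_response(USER, PASSWORD)
    cram = cram_md5_response(USER, PASSWORD, CHALLENGE_B64)
    print("AUTH PLAIN", plain)
    print("  server reads:", server_view_plain(plain))
    print("CRAM-MD5 response", cram)
    print("  server reads:", server_view_cram_md5(cram))
```

With PLAIN the password comes back verbatim from a single base64 decode, so TLS and the server's identity are the only protection; with CRAM-MD5 the server receives an HMAC-MD5 digest keyed with the password, not the password itself.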

