Subject: Re: CRAM-SHA1 sucks. was: [courier-users] ESMTP Auth and LDAP problems
From: Brian Candler (B.Ca@pobox.com)
Date: Feb 20, 2003 2:14:51 pm
List: net.sourceforge.lists.courier-users

On Fri, Feb 21, 2003 at 08:20:59AM +1300, Jason Haar wrote:

> On Thu, Feb 20, 2003 at 10:36:47AM +0000, Brian Candler wrote:
>
> > Pretty much, although there is a way to mitigate that: let a different box handle the SASL exchange for you.
>
> You mean if I compromise the Courier server and reconfigure it to use PLAIN passwords, the client will notify the user that a configuration change has occurred, so that they don't send their password?
>
> I don't think so ;-)

Fair point I suppose, although the client has to take some responsibility for security.

e.g. if when configuring the POP3 account I click "use SASL CRAM-MD5 authentication", then I should get a refusal or at least a warning if the server does not accept this method.

Regards,

Brian.
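The client-side check described in the message above, as an added example that is not part of the original post: a mail client pinned to CRAM-MD5 refuses to authenticate when the server stops offering it, instead of falling back to PLAIN. The function names and the CAPA response lines are constructed for illustration; the challenge and credentials are the worked example from RFC 2195.

```python
import base64
import hashlib
import hmac


class MechanismUnavailable(Exception):
    """Server does not offer the mechanism the user configured."""


def parse_sasl_mechs(capa_lines):
    """Extract SASL mechanism names from POP3 CAPA response lines (RFC 2449)."""
    for line in capa_lines:
        words = line.strip().split()
        if words and words[0].upper() == "SASL":
            return {w.upper() for w in words[1:]}
    return set()


def choose_mechanism(configured, capa_lines):
    """Return the configured mechanism or refuse; never fall back to a weaker one."""
    offered = parse_sasl_mechs(capa_lines)
    if configured.upper() not in offered:
        raise MechanismUnavailable(
            f"account requires {configured}, server offers "
            f"{sorted(offered) or 'none'}; not sending credentials")
    return configured.upper()


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 reply: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


# Constructed CAPA responses: a normal server, and one reconfigured to PLAIN only.
CAPA_NORMAL = ["TOP", "UIDL", "SASL CRAM-MD5 PLAIN", "USER"]
CAPA_DOWNGRADED = ["TOP", "UIDL", "SASL PLAIN", "USER"]
# Challenge from the RFC 2195 example (user "tim", secret "tanstaaftanstaaf").
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"

if __name__ == "__main__":
    print(choose_mechanism("CRAM-MD5", CAPA_NORMAL))
    print(cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE))
    try:
        choose_mechanism("CRAM-MD5", CAPA_DOWNGRADED)
    except MechanismUnavailable as exc:
        print("refused:", exc)
```

The check only helps if the mechanism choice is stored with the account and the client treats a mismatch as a hard failure before any credential leaves the machine.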