On Wed, Oct 16, 2002 at 12:10:05AM -0400, Jaldhar H. Vyas wrote:

> > > Following the upstream practice which is based on an IESG recommendation,
> > > plaintext logins will be disabled on non-SSL/TLS connections. If you
> > > absolutely don't want to use SSL or TLS for some reason, your only
> > > alternatives are to use CRAM-MD5 (See /usr/share/doc/libc-client2002/md5.txt)
> > > or Kerberos or to recompile the package.

> > Recommended or not, this is a substantial change that will break a lot
> > of clients of existing systems. There *are* still POP clients in use
> > that support neither SASL nor SSL. Likewise, a client that refused to
> > negotiate plaintext would fail with some servers. Is it possible to
> > re-enable plaintext logins at runtime, or is this setting hard-coded
> > into the binaries?

> upstream doesn't believe in runtime configuration!

One more reason for me to stop using their IMAP server, then.

> > Since most SSL-enabled POP servers don't have a certificate issued by a
> > recognized CA, tunneling plaintext passwords over SSL provides only
> > minimal protection against a dedicated attacker compared to sending
> > plaintext passwords in the clear.

> You know more about this than I do. But I have to choose one or the other
> or maintain two sets of packages which I don't want to do.

> And minimal protection is better than none right?

Not when it's associated with buzzwords that make people think they're
getting much more. SASL provides real protection of your passwords; SSL
does not.

Steve Langasek
postmodern programmer
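The CRAM-MD5 exchange the thread recommends over plaintext-on-SSL, as an added example that is not code from the thread or from the uw-imap package: the client answers a server challenge with an HMAC-MD5 keyed by the password, so a passive listener on a cleartext connection sees the challenge and the digest but never the password. The username, password and challenge are constructed sample values taken from the RFC 2195 worked example, and lookup_password is an assumed server-side callback.

```python
import base64
import hmac
from hashlib import md5

# Constructed sample values (the RFC 2195 worked example).
USERNAME = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"


def cram_md5_response(username: str, password: str, challenge: str) -> str:
    """Client side: HMAC-MD5 keyed with the password over the server's
    challenge. Only the hex digest crosses the wire, never the password."""
    digest = hmac.new(password.encode(), challenge.encode(), md5).hexdigest()
    return f"{username} {digest}"


def server_verify(response: str, challenge: str, lookup_password) -> bool:
    """Server side: recompute the digest from the stored secret and compare
    in constant time. Caveat: the server must keep a secret it can key HMAC
    with (the password or the HMAC intermediate state), not a one-way hash."""
    try:
        username, client_digest = response.split(" ", 1)
    except ValueError:
        return False
    secret = lookup_password(username)  # assumed callback: str -> str | None
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), challenge.encode(), md5).hexdigest()
    return hmac.compare_digest(expected, client_digest)


def wire_exchange(username: str, password: str, challenge: str):
    """The two lines a passive eavesdropper sees on a cleartext connection:
    the server's base64 challenge and the client's base64 response."""
    server_line = "+ " + base64.b64encode(challenge.encode()).decode()
    client_line = base64.b64encode(
        cram_md5_response(username, password, challenge).encode()).decode()
    return server_line, client_line


def password_on_wire(username: str, password: str, challenge: str) -> bool:
    """True if the raw password appears anywhere in the decoded exchange."""
    server_line, client_line = wire_exchange(username, password, challenge)
    seen = base64.b64decode(server_line[2:]) + base64.b64decode(client_line)
    return password.encode() in seen


if __name__ == "__main__":
    for line in wire_exchange(USERNAME, PASSWORD, CHALLENGE):
        print(line)
```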