
Re: [msmtp-users] GSSAPI, NTLM LOGIN ? problematic Re: GSSAPI error in client

Hi!

On Mon, 01 Dec 2014 12:55:44 +0000, rochet@...382... wrote:
> I do not know anything helpful about GSSAPI, but I wonder if you
> could add a few words to your statement of mailservers only
> supporting GSSAPI NTLM and LOGIN being problematic.

GSSAPI is only usable in special situations (Kerberos setup).

Neither NTLM nor LOGIN is standardized; both are Microsoft extensions
and as such were never properly documented.
NTLM was at one time intended to be secure (in the sense that an
eavesdropper cannot steal the password even in the absence of TLS
encryption), but has long since been shown to be broken. LOGIN is as
simple as the standard PLAIN method and therefore trivial enough to
implement for everyone, but it is actually worse than PLAIN, since it
requires one additional round trip, so there really was no point in
"inventing" it.

If a server uses user/password authentication, then PLAIN is really the
only method that needs to be supported, since nowadays an SMTP session
should be protected by TLS encryption anyway.

If a server wants to offer an additional user/password authentication
scheme that does not reveal the password even in the absence of TLS
encryption, then it should offer the properly standardized
and documented SCRAM-SHA1. Disadvantage to PLAIN: the server must know
the clear text password; storing a hash is not enough. This means a
larger risk for attacks.

For the special case of authentication via TLS client certificates,
method EXTERNAL may be used.

These three methods are really the only useful ones now, as far as I
can see.

More information on all the different methods:
http://www.gnu.org/software/gsasl/manual/html_node/Mechanisms.html#Mechanisms

Regards,
Martin
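The three user/password mechanisms discussed above, as an added example that is not part of Martin's message or of msmtp: an in-process simulation of SMTP AUTH with PLAIN (RFC 4616, with and without the initial response of RFC 4954), LOGIN and SCRAM-SHA-1 (RFC 5802). It counts the round trips each mechanism needs and records what crosses the "wire", so the extra LOGIN round trip and the absence of the password from the SCRAM exchange can be checked directly. The user name, password and salt are constructed sample values; the server half of SCRAM keeps the per-user values RFC 5802 section 3 defines (salt, iteration count, StoredKey, ServerKey) and verifies the client's proof against them.

```python
"""Added example, not code from the msmtp list message or the msmtp project:
in-process simulations of SASL PLAIN (RFC 4616), LOGIN and SCRAM-SHA-1
(RFC 5802) to compare round trips and what each one puts on the wire."""
import base64
import hashlib
import hmac
import os

# Constructed sample credentials; not a real account.
USER, PASSWORD = "alice", "correct horse battery staple"


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def login_exchange(user: str, password: str):
    """AUTH LOGIN: the server prompts for user and password separately.
    Returns (round_trips, wire_lines)."""
    wire = ["C: AUTH LOGIN", "S: 334 " + b64(b"Username:"),
            "C: " + b64(user.encode()), "S: 334 " + b64(b"Password:"),
            "C: " + b64(password.encode()), "S: 235 Authentication successful"]
    return len(wire) // 2, wire


def plain_exchange(user: str, password: str, initial_response: bool = True):
    """AUTH PLAIN: NUL authcid NUL passwd in one base64 blob, optionally sent
    together with the AUTH verb (SMTP initial response, RFC 4954)."""
    blob = b64(f"\0{user}\0{password}".encode())
    if initial_response:
        wire = ["C: AUTH PLAIN " + blob, "S: 235 Authentication successful"]
    else:
        wire = ["C: AUTH PLAIN", "S: 334", "C: " + blob,
                "S: 235 Authentication successful"]
    return len(wire) // 2, wire


def scram_record(password: str, salt: bytes, iterations: int) -> dict:
    """Per-user values a SCRAM server stores (RFC 5802 section 3):
    salt, iteration count, StoredKey and ServerKey."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    return {"salt": salt, "i": iterations,
            "stored_key": hashlib.sha1(client_key).digest(),
            "server_key": hmac.new(salted, b"Server Key", hashlib.sha1).digest()}


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_sha1_exchange(user: str, password: str, record: dict):
    """Run both halves of SCRAM-SHA-1 over an in-memory 'wire'.
    Returns (wire_lines, authenticated)."""
    cnonce = b64(os.urandom(12))
    client_first_bare = f"n={user},r={cnonce}"
    # server: append its own nonce and publish salt and iteration count
    nonce = cnonce + b64(os.urandom(12))
    server_first = f"r={nonce},s={b64(record['salt'])},i={record['i']}"
    # client: derive keys from the password and the server's parameters
    attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(),
                                 base64.b64decode(attrs["s"]), int(attrs["i"]))
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    client_final_bare = f"c={b64(b'n,,')},r={attrs['r']}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_message,
                          hashlib.sha1).digest()
    client_final = f"{client_final_bare},p={b64(_xor(client_key, client_sig))}"
    # server: recover ClientKey from the proof; its hash must equal StoredKey
    srv_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    recovered = _xor(base64.b64decode(client_final.split(",p=")[1]), srv_sig)
    client_ok = hmac.compare_digest(hashlib.sha1(recovered).digest(),
                                    record["stored_key"])
    server_sig = hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()
    server_final = f"v={b64(server_sig)}"
    # client: check that the server proved knowledge of ServerKey
    expected = hmac.new(hmac.new(salted, b"Server Key", hashlib.sha1).digest(),
                        auth_message, hashlib.sha1).digest()
    server_ok = hmac.compare_digest(base64.b64decode(server_final[2:]), expected)
    ok = client_ok and server_ok
    wire = ["C: AUTH SCRAM-SHA-1 " + b64(("n,," + client_first_bare).encode()),
            "S: 334 " + b64(server_first.encode()),
            "C: " + b64(client_final.encode()),
            "S: 334 " + b64(server_final.encode()),
            "C: ",  # empty final client response
            "S: 235 Authentication successful" if ok
            else "S: 535 Authentication failed"]
    return wire, ok


if __name__ == "__main__":
    for name, (rt, wire) in (("LOGIN", login_exchange(USER, PASSWORD)),
                             ("PLAIN", plain_exchange(USER, PASSWORD))):
        print(f"{name}: {rt} round trip(s)\n  " + "\n  ".join(wire))
    rec = scram_record(PASSWORD, b"constructed-salt", 4096)  # constructed salt
    wire, ok = scram_sha1_exchange(USER, PASSWORD, rec)
    print("SCRAM-SHA-1 ok=%s\n  %s" % (ok, "\n  ".join(wire)))
```

Running the script shows LOGIN costing three round trips against one for PLAIN with an initial response (two without), the base64 blob in both PLAIN and LOGIN decoding straight back to the password, and the SCRAM exchange carrying only nonces, the salt and HMAC-derived proofs, which is why it stays safe to replay over an unencrypted session while PLAIN and LOGIN do not.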