Re: Forcing TLS encryption
----- Original Message -----
> From: "Philip Guenther" <firstname.lastname@example.org>
> To: "Wiebe Cazemier" <email@example.com>
> Cc: "Dieter Klünter" <firstname.lastname@example.org>, email@example.com
> Sent: Friday, 28 December, 2012 9:36:50 PM
> Subject: Re: Forcing TLS encryption
> On Fri, 28 Dec 2012, Wiebe Cazemier wrote:
> > I understand that, but this way, even when you're forcing TLS,
> > users can still expose their passwords if their computers are misconfigured.
> > SMTP, IMAP, FTP, etc don't allow this, because they reject the
> > connection if LOGINNAME is given before STARTTLS.
> That is not true of SMTP's AUTH PLAIN, IMAP's AUTHENTICATE PLAIN, or
> IMAP's LOGIN. The PLAIN SASL mechanism and IMAP's LOGIN command both
> the username and password without waiting for a response from the
> > It's kind of a security issue. Is it because in LDAP, username and
> > password are given as one command, and the server doesn't have the
> > chance to abort at that point? If so, then I guess it's
> > unavoidable.
> Philip Guenther
> ** Well, to be completely accurate, IMAP AUTHENTICATE requires a
> response if the server doesn't support the SASL-IR capability
Then why is the LDAPS port deprecated? If the connection is SSL from the start, you don't have this issue.
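As an added illustration of the point made above about LDAP's simple bind (example code, not part of this thread): a minimal RFC 4511 BindRequest encoder shows the DN and the password leaving the client in a single PDU, so the server has no chance to refuse before the password is on the wire; the only client-side mitigation is to refuse to send that PDU unless the socket is already TLS. The DN and password are constructed sample values.

```python
# Added example, not from the mailing-list thread. Encodes an LDAPv3 simple
# BindRequest (RFC 4511, BER) and applies a client-side policy of binding only
# over an already-encrypted socket. Sample credentials are constructed.
import ssl
import socket


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(v: int) -> bytes:
    # Assumption: small non-negative values only (no sign-padding needed).
    return _tlv(0x02, bytes([v]))


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind = _tlv(
        0x60,                                  # [APPLICATION 0] BindRequest
        _int(3)                                # version 3
        + _tlv(0x04, dn.encode())              # name: LDAPDN (OCTET STRING)
        + _tlv(0x80, password.encode()),       # authentication: simple [0]
    )
    return _tlv(0x30, _int(message_id) + bind)  # outer SEQUENCE


def credentials_in_one_pdu(pdu: bytes, dn: str, password: str) -> bool:
    """True when both the DN and the password sit in the same message."""
    return dn.encode() in pdu and password.encode() in pdu


def safe_to_bind(sock: socket.socket) -> bool:
    """Client-side guard: only send a simple bind on a TLS-wrapped socket."""
    return isinstance(sock, ssl.SSLSocket)
```

A plain `socket.socket` (pre-STARTTLS, or an LDAPS connection that failed to negotiate TLS) makes `safe_to_bind` return False, which is the check a client library must perform before `bind_request` is written to the wire.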