 
Re: 2.3 and Dovecot SASL

From: Anthony Messina (amessinamessinet.com)
Date: Fri Apr 28 2006 - 14:27:33 CDT


Victor Duchovni wrote:
> On Fri, Apr 28, 2006 at 02:01:22PM -0500, Anthony Messina wrote:
>
>> i do understand that DIGEST and CRAM won't work this way, but since
>> neither of those are recommended over an unencrypted connection, you
>
> Do you have a reference for this? Are you concerned about attacks that
> intercept, damage, and then replay the response in flight? SMTP over
> TLS in typical configurations is also vulnerable to man-in-the-middle
> attacks...
>
the pam_ldap module won't do digest or cram. so if Udo wanted to
maintain encrypted passwords in ldap while having single sign-on and not
having to have the password stored in two separate attribute/value pairs
in ldap, he could use tls with plain or login auth methods.

personally, no, i do not have any concerns about the types of attacks
you described. that risk may be near nil. and while tls is vulnerable
to man-in-the-middle attacks, it does offer the ability i suggested in
my first reply to the thread.

reference: /usr/share/doc/postfix-2.2.2/README_FILES/SASL_README

"IMPORTANT: all users must be able to authenticate using ALL
authentication mechanisms advertised by Postfix, otherwise the
negotiation might end up with an unsupported mechanism, and
authentication would fail. For example if you configure SASL to use
saslauthd for authentication against PAM (pluggable authentication
modules), only the PLAIN and LOGIN mechanisms are supported and stand a
chance to succeed, yet the SASL library would also advertise other
mechanisms, such as DIGEST-MD5. This happens because those mechanisms
are made available by other plugins, and the SASL library have no way to
know that your only valid authentication source is PAM. Thus you might
need to limit the list of mechanisms advertised by Postfix. This is only
possible with SASL version 2.1.1 or later"

--
Anthony

Website: http://messinet.com
Gallery: http://gallery.messinet.com/main.php?g2_itemId=34

GnuPG Key / Fingerprint:
0xB0014A4E / 8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Registered Linux User #389089 - Get counted!: http://counter.li.org
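As an added illustration (not code from the post, the thread, or the Postfix project), the following Python script applies the two rules discussed above to a pair of configuration files: the SASL_README rule that a saslauthd/PAM backend can only satisfy PLAIN and LOGIN, so the advertised mech_list must be limited to those, and the point that plaintext mechanisms should only be offered once TLS is up. The parameter names (smtpd_sasl_auth_enable, smtpd_sasl_security_options, smtpd_tls_security_level, smtpd_tls_auth_only in main.cf; pwcheck_method and mech_list in the Cyrus smtpd.conf) are the real ones; the sample configurations and the audit helper are constructed for this example, and the parser ignores main.cf continuation lines.

```python
"""Audit Postfix/Cyrus SASL settings for the mismatch described in SASL_README.

Added example, not code from the mailing-list post or from Postfix. The
two sample configuration pairs below are constructed for this example.
"""
import re

# Mechanisms that saslauthd (and therefore PAM / pam_ldap) can verify: it only
# ever receives a username and a cleartext password.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: advertises DIGEST-MD5/CRAM-MD5 that saslauthd cannot
# check, and offers PLAIN/LOGIN without any TLS requirement.
WEAK_MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""
WEAK_SMTPD_CONF = """
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN DIGEST-MD5 CRAM-MD5
"""

# Constructed sample: mechanism list limited to what saslauthd supports, and
# AUTH only announced after STARTTLS.
HARDENED_MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
HARDENED_SMTPD_CONF = """
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
"""


def parse_kv(text, sep):
    """Parse 'key <sep> value' lines; '#' starts a comment, blank lines are skipped.

    Simplified: main.cf continuation lines (leading whitespace) are not joined.
    """
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or sep not in line:
            continue
        key, value = line.split(sep, 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(main_cf, smtpd_conf):
    """Return a list of findings; an empty list means nothing to fix."""
    pf = parse_kv(main_cf, "=")
    cy = parse_kv(smtpd_conf, ":")
    findings = []

    if pf.get("smtpd_sasl_auth_enable", "no") != "yes":
        return findings  # no SMTP AUTH offered at all, nothing to check

    pwcheck = cy.get("pwcheck_method", "").lower()
    mechs = set(re.split(r"[\s,]+", cy.get("mech_list", "").upper())) - {""}

    # Rule 1 (SASL_README): with saslauthd only PLAIN/LOGIN can succeed, so
    # every advertised mechanism must be one of those.
    if pwcheck == "saslauthd":
        if not mechs:
            findings.append("mech_list unset: SASL will advertise every plugin "
                            "(e.g. DIGEST-MD5) although saslauthd can only check PLAIN/LOGIN")
        elif not mechs <= SASLAUTHD_MECHS:
            bad = sorted(mechs - SASLAUTHD_MECHS)
            findings.append(f"mech_list advertises {bad} which saslauthd cannot verify")

    # Rule 2 (the thread's point): PLAIN/LOGIN send the password in the clear,
    # so either forbid them outright or only announce AUTH after STARTTLS.
    offers_plaintext = (not mechs) or bool(mechs & SASLAUTHD_MECHS)
    opts = {o.strip() for o in pf.get("smtpd_sasl_security_options", "").split(",")}
    if offers_plaintext and "noplaintext" not in opts:
        tls_on = pf.get("smtpd_tls_security_level", "none") != "none"
        if not tls_on or pf.get("smtpd_tls_auth_only", "no") != "yes":
            findings.append("PLAIN/LOGIN offered without requiring TLS first "
                            "(set smtpd_tls_security_level and smtpd_tls_auth_only = yes)")
    return findings


if __name__ == "__main__":
    for label, cf, sc in (("weak", WEAK_MAIN_CF, WEAK_SMTPD_CONF),
                          ("hardened", HARDENED_MAIN_CF, HARDENED_SMTPD_CONF)):
        print(label, audit(cf, sc) or "OK")
```

Run against a live system by reading /etc/postfix/main.cf and the Cyrus smtpd.conf into audit(); the weak sample yields two findings, the hardened one none.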