sasl auth LOGIN / PLAIN

mj
Hi,

Just a small question: we currently use postfix with sasl authentication,
and following many docs, we have enabled PLAIN and LOGIN authentication.

However, googling leads me to believe that LOGIN is mostly used by
Outlook Express, and that most (or all?) modern clients support the
PLAIN mechanism.

I also noticed that most failed authentication attempts are done using
LOGIN.

Now, assuming that most of these failed authentications are simply
username/password guessing... how many problems would I expect, if I
simply only offer PLAIN mechanism?

It's hard to find info on what clients use what auth type. So, are
all/most modern clients capable of doing PLAIN? (thunderbird, outlook
2010/2013) so could I simply disallow LOGIN?

MJ
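The split MJ noticed between LOGIN and PLAIN in his failed attempts can be measured from the smtpd log rather than eyeballed, and the same log answers the question he finds hard to research: which mechanisms the clients that *succeed* actually use. The Python below is an added example, not code from the thread or from Postfix; the log lines are constructed in the shape Postfix's smtpd writes (addresses from the TEST-NET documentation ranges), and the offender threshold is an assumption.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Constructed sample lines in the shape Postfix's smtpd writes (not real traffic).
# With Cyrus SASL a failed LOGIN is logged with the base64 "Password:" prompt
# (UGFzc3dvcmQ6); with Dovecot SASL the reason is plain text.
SAMPLE_LOG = """\
Sep  1 16:20:01 mail postfix/smtpd[4711]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  1 16:20:03 mail postfix/smtpd[4711]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Sep  1 16:20:09 mail postfix/smtpd[4712]: warning: unknown[198.51.100.77]: SASL LOGIN authentication failed: authentication failure
Sep  1 16:21:40 mail postfix/smtpd[4713]: warning: unknown[198.51.100.77]: SASL PLAIN authentication failed: authentication failure
Sep  1 16:22:15 mail postfix/smtpd[4714]: 1A2B3C4D5E: client=laptop.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=mj
Sep  1 16:25:00 mail postfix/smtpd[4715]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
"""

# A failed attempt: "warning: <host>[<ip>]: SASL <MECH> authentication failed: ..."
FAIL_RE = re.compile(
    r"warning: (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: SASL (?P<mech>[A-Z0-9-]+) authentication failed"
)
# A successful one is recorded on the client= line of the accepted message.
OK_RE = re.compile(
    r"client=(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\], sasl_method=(?P<mech>[A-Z0-9-]+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_events(lines: Iterable[str]) -> List[dict]:
    """Reduce log lines to {ok, ip, mech, user} records; unrelated lines are skipped."""
    events = []
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            events.append({"ok": False, "ip": m["ip"], "mech": m["mech"], "user": None})
            continue
        m = OK_RE.search(line)
        if m:
            events.append({"ok": True, "ip": m["ip"], "mech": m["mech"], "user": m["user"]})
    return events


def failures_by_mechanism(events: List[dict]) -> Counter:
    """How the guessing traffic is distributed over mechanisms (MJ's observation)."""
    return Counter(e["mech"] for e in events if not e["ok"])


def mechanisms_used_by_real_clients(events: List[dict]) -> Dict[str, Set[str]]:
    """Which mechanism each successfully authenticated user relies on.
    This is the check to run before dropping a mechanism: if no real login
    uses LOGIN, removing it costs nothing; if Outlook users do, it breaks them."""
    used = defaultdict(set)
    for e in events:
        if e["ok"]:
            used[e["user"]].add(e["mech"])
    return dict(used)


def repeat_offenders(events: List[dict], threshold: int = 3) -> List[str]:
    """Client addresses with at least `threshold` failures (threshold is an assumption)."""
    per_ip = Counter(e["ip"] for e in events if not e["ok"])
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    ev = parse_sasl_events(SAMPLE_LOG.splitlines())
    print("failures by mechanism:", dict(failures_by_mechanism(ev)))
    print("mechanisms real users depend on:", mechanisms_used_by_real_clients(ev))
    print("repeat offenders:", repeat_offenders(ev))
```

On a live system the same functions can be fed `journalctl -u postfix` or `/var/log/mail.log` output; the point of `mechanisms_used_by_real_clients` is that the decision to disable LOGIN should be driven by the successful logins, not by the failed ones.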
Re: sasl auth LOGIN / PLAIN

postfix-5
On 09/01/2017 04:25 PM, mj wrote:

> Hi,
>
> Just a small question: we currently use posfix with sasl authentication,
> and folowing many docs, we have enabled PLAIN and LOGIN authentication.
>
> However, googling leads me to believe that LOGIN is mostly used by
> Outlook Express, and that most (or all?) modern clients support the
> PLAIN mechanism.
>
> I also noticed that most failed authentication attempts are done using
> LOGIN.
>
> Now, assuming that most of these failed authentications are simply
> username/password guessing... how many problems would I expect, if I
> simply only offer PLAIN mechanism?
>
> It's hard to find info on what clients use what auth type. So, are
> all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> 2010/2013) so could I simply disallow LOGIN?
>
> MJ

As far as I know, outlook does only LOGIN, even: because of outlook the
LOGIN mechanism was introduced.

suomi
Re: sasl auth LOGIN / PLAIN

Patrick Ben Koetter-2
* postfix <[hidden email]>:

> On 09/01/2017 04:25 PM, mj wrote:
> > Just a small question: we currently use posfix with sasl authentication,
> > and folowing many docs, we have enabled PLAIN and LOGIN authentication.
> >
> > However, googling leads me to believe that LOGIN is mostly used by
> > Outlook Express, and that most (or all?) modern clients support the
> > PLAIN mechanism.
> >
> > I also noticed that most failed authentication attempts are done using
> > LOGIN.
> >
> > Now, assuming that most of these failed authentications are simply
> > username/password guessing... how many problems would I expect, if I
> > simply only offer PLAIN mechanism?
> >
> > It's hard to find info on what clients use what auth type. So, are
> > all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> > 2010/2013) so could I simply disallow LOGIN?

Thunderbird:
    PLAIN, DIGEST-MD5
Outlook 20**:
    LOGIN, NTLM

> As far as I know, outlook does only LOGIN, even: because of outlook the
> LOGIN mechanism was introduced.

That is correct.

p@rick

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
 
Re: sasl auth LOGIN / PLAIN

mj
Hi,

Ok, so disallowing LOGIN is not a clever move :-)

Thanks for your answers!

MJ

On 09/02/2017 08:32 AM, Patrick Ben Koetter wrote:

> * postfix <[hidden email]>:
>> On 09/01/2017 04:25 PM, mj wrote:
>>> Just a small question: we currently use posfix with sasl authentication,
>>> and folowing many docs, we have enabled PLAIN and LOGIN authentication.
>>>
>>> However, googling leads me to believe that LOGIN is mostly used by
>>> Outlook Express, and that most (or all?) modern clients support the
>>> PLAIN mechanism.
>>>
>>> I also noticed that most failed authentication attempts are done using
>>> LOGIN.
>>>
>>> Now, assuming that most of these failed authentications are simply
>>> username/password guessing... how many problems would I expect, if I
>>> simply only offer PLAIN mechanism?
>>>
>>> It's hard to find info on what clients use what auth type. So, are
>>> all/most modern clients capable of doing PLAIN? (thunderbird, outlook
>>> 2010/2013) so could I simply disallow LOGIN?
>
> Thunderbird:
>      PLAIN, DIGEST-MD5
> Outlook 20**:
>      LOGIN, NTLM
>
>> As far as I know, outlook does only LOGIN, even: because of outlook the
>> LOGIN mechanism was introduced.
>
> That is correct.
>
> p@rick
>
Re: sasl auth LOGIN / PLAIN

Patrick Ben Koetter-2
* mj <[hidden email]>:
> Hi,
>
> Ok, so disallowing LOGIN is not a clever move :-)

Mandatory STARTTLS *and* disallowing any shared-secret mechanism (CRAM-MD5,
DIGEST-MD5, NTLM) is a clever move.

This way you protect the identity while it is transported from the client to
the server and you are able to store the passwords crypted.

p@rick
>
> Thanks for your answers!
>
> MJ
>
> On 09/02/2017 08:32 AM, Patrick Ben Koetter wrote:
> > * postfix <[hidden email]>:
> > > On 09/01/2017 04:25 PM, mj wrote:
> > > > Just a small question: we currently use posfix with sasl authentication,
> > > > and folowing many docs, we have enabled PLAIN and LOGIN authentication.
> > > >
> > > > However, googling leads me to believe that LOGIN is mostly used by
> > > > Outlook Express, and that most (or all?) modern clients support the
> > > > PLAIN mechanism.
> > > >
> > > > I also noticed that most failed authentication attempts are done using
> > > > LOGIN.
> > > >
> > > > Now, assuming that most of these failed authentications are simply
> > > > username/password guessing... how many problems would I expect, if I
> > > > simply only offer PLAIN mechanism?
> > > >
> > > > It's hard to find info on what clients use what auth type. So, are
> > > > all/most modern clients capable of doing PLAIN? (thunderbird, outlook
> > > > 2010/2013) so could I simply disallow LOGIN?
> >
> > Thunderbird:
> >      PLAIN, DIGEST-MD5
> > Outlook 20**:
> >      LOGIN, NTLM
> >
> > > As far as I know, outlook does only LOGIN, even: because of outlook the
> > > LOGIN mechanism was introduced.
> >
> > That is correct.
> >
> > p@rick
> >

--
[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
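Patrick's two-part advice rests on a property of the mechanisms themselves. The Python below is an added example, not code from the thread or from Postfix, Dovecot or Cyrus SASL: it implements both sides of PLAIN (RFC 4616), LOGIN and CRAM-MD5 (RFC 2195) and shows why PLAIN and LOGIN need mandatory STARTTLS (the password itself is in the message) but let the server keep only a salted hash, while CRAM-MD5 keeps the password off the wire at the price of the server holding it in cleartext. The store layouts, PBKDF2 parameters, user names and passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Hypothetical stores for the example. A PLAIN/LOGIN-only server keeps
# (salt, hash) per user; a CRAM-MD5 server must keep the cleartext per user.
HashStore = Dict[str, Tuple[bytes, bytes]]
ClearStore = Dict[str, str]
PBKDF2_ROUNDS = 100_000  # chosen for the example


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """What a PLAIN/LOGIN server stores: a salt and a PBKDF2-SHA256 hash, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(store: HashStore, user: str, password: str) -> bool:
    """Verify a cleartext password against the hashed store (constant-time compare)."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- PLAIN (RFC 4616): one base64 blob "authzid NUL authcid NUL passwd" ---
def plain_client_response(authcid: str, passwd: str, authzid: str = "") -> str:
    raw = authzid.encode("utf-8") + b"\x00" + authcid.encode("utf-8") + b"\x00" + passwd.encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def plain_server_verify(store: HashStore, response_b64: str) -> Optional[str]:
    """Return the authenticated user, or None. The password arrives in the
    message itself, which is why this exchange must only happen inside TLS."""
    parts = base64.b64decode(response_b64).split(b"\x00")
    if len(parts) != 3:
        return None
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if authzid not in ("", authcid):  # no proxy authorization in this example
        return None
    return authcid if check_password(store, authcid, passwd) else None


# --- LOGIN (no RFC; the Outlook mechanism): the server sends base64 prompts
#     "Username:" and "Password:", the client answers each with a base64 value ---
LOGIN_PROMPTS = (base64.b64encode(b"Username:").decode("ascii"),
                 base64.b64encode(b"Password:").decode("ascii"))


def login_client_responses(user: str, passwd: str) -> Tuple[str, str]:
    return (base64.b64encode(user.encode("utf-8")).decode("ascii"),
            base64.b64encode(passwd.encode("utf-8")).decode("ascii"))


def login_server_verify(store: HashStore, user_b64: str, passwd_b64: str) -> Optional[str]:
    """Same trust model as PLAIN: cleartext password on the wire, hashed store on disk."""
    user = base64.b64decode(user_b64).decode("utf-8")
    passwd = base64.b64decode(passwd_b64).decode("utf-8")
    return user if check_password(store, user, passwd) else None


# --- CRAM-MD5 (RFC 2195): the password never crosses the wire, but verifying the
#     HMAC requires the server to hold the password in cleartext; a HashStore cannot do it ---
def cram_md5_client_response(user: str, passwd: str, challenge: bytes) -> str:
    mac = hmac.new(passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return f"{user} {mac}"


def cram_md5_server_verify(clear_store: ClearStore, challenge: bytes, response: str) -> Optional[str]:
    try:
        user, mac = response.split(" ", 1)
    except ValueError:
        return None
    passwd = clear_store.get(user)
    if passwd is None:
        return None
    expected = hmac.new(passwd.encode("utf-8"), challenge, hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, mac) else None


if __name__ == "__main__":
    hashed = {"mj": store_password("s3cret")}
    print("PLAIN:", plain_server_verify(hashed, plain_client_response("mj", "s3cret")))
    print("LOGIN:", login_server_verify(hashed, *login_client_responses("mj", "s3cret")))
    challenge = b"<4711.1504276800@mail.example.net>"  # constructed challenge
    print("CRAM-MD5:", cram_md5_server_verify({"mj": "s3cret"}, challenge,
                                              cram_md5_client_response("mj", "s3cret", challenge)))
```

Note that `cram_md5_server_verify` takes a `ClearStore` and has no way to work from a `HashStore`: that signature is the whole argument for dropping the shared-secret mechanisms once STARTTLS is mandatory. The second value in `LOGIN_PROMPTS` is the `UGFzc3dvcmQ6` string that appears in Postfix's "SASL LOGIN authentication failed" log lines.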
 
Re: sasl auth LOGIN / PLAIN

mj
On 09/02/2017 01:16 PM, Patrick Ben Koetter wrote:
> Mandatory STARTTLS *and* disallowing any shared-secret mechanism (CRAM-MD5,
> DIGEST-MD5, NTLM) is a clever move.
>
> This way you protect the identity while it is transported from the client to
> the server and you are able to store the passwords crypted.

Thank you, Patrick!