James Turnbull wrote:
> I had a look at Qpsmtpd::Auth and note DIGEST-MD5 authentication isn't
> available (I presume because of the tiny number of clients who support
> it).
Yeah, not having any simple way to test it makes it kind of hard to
implement... ;-)
> However, Thunderbird is apparently going to get DIGEST-MD5
> authentication working. If they do we'd like to enable it for roving
> users.
Why? Is there any evidence that CRAM-MD5 is insecure when used for
ESMTP AUTH? Just because TBird wants to support DIGEST-MD5, doesn't
mean we should leap to supporting it immediately. AFAIK, the following
quote from:
http://en.wikipedia.org/wiki/CRAM-MD5
is still valid:
In practice [CRAM-MD5 is] the only allowed and supported SASL-mechanism for
ESMTPA without Transport Layer Security (TLS).
Reading through RFC-2831, it is clear that DIGEST-MD5 has a much more
complicated implementation than CRAM-MD5, but it still requires the
password be maintained in cleartext on the server side AFAICT.
John
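To make John's point concrete, here is a worked CRAM-MD5 AUTH exchange in Python: both sides of the dialogue, and a server that can only verify the response because it holds the cleartext password. This is an added illustration, not code from the thread or from Qpsmtpd::Auth; the hostname and credential store are constructed, and the digest function is checked against the example from RFC 2195.

```python
import base64
import hashlib
import hmac
import os
import time


def cram_md5_digest(password: str, challenge: bytes) -> str:
    """HMAC-MD5 keyed with the (cleartext) password over the raw challenge."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def make_challenge(hostname: str) -> str:
    """Server: build the RFC 2195 challenge "<pid.timestamp@host>" and base64 it;
    this is what follows the "334 " in the SMTP AUTH dialogue."""
    raw = f"<{os.getpid()}.{int(time.time())}@{hostname}>".encode()
    return base64.b64encode(raw).decode()


def client_response(username: str, password: str, challenge_b64: str) -> str:
    """Client: sign the decoded challenge, send base64("user hexdigest")."""
    digest = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verify(response_b64: str, challenge_b64: str, password_db: dict) -> bool:
    """Server: recompute the digest and compare in constant time. A one-way
    salted hash of the password would not work here; the server must keep the
    password (or a password-equivalent secret) from which the digest can be
    recomputed, which is the cleartext-on-the-server cost John mentions."""
    try:
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    except ValueError:  # malformed base64, bad UTF-8, or no "user digest" split
        return False
    password = password_db.get(user)
    if password is None:
        return False
    expected = cram_md5_digest(password, base64.b64decode(challenge_b64))
    return hmac.compare_digest(expected.encode(), digest.encode())


def run_exchange(username: str, password: str, password_db: dict,
                 hostname: str = "mail.example.invalid") -> bool:
    """Drive one full exchange and return whether the server accepted it."""
    challenge = make_challenge(hostname)                        # S: 334 <challenge>
    response = client_response(username, password, challenge)  # C: <response>
    return server_verify(response, challenge, password_db)     # S: 235 or 535


if __name__ == "__main__":
    users = {"tim": "tanstaaftanstaaf"}  # constructed store; cleartext by necessity
    print(run_exchange("tim", "tanstaaftanstaaf", users))  # True
    print(run_exchange("tim", "wrong-password", users))    # False
```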