* Carson Gaspar <carson@xxxxxxxxxx>:
> On 11/30/2011 4:18 PM, Howard Chu wrote:
>
> >>>On 30/11/11 11:16 +0100, Christian Roessner wrote:
> >
> >>>>cmusaslsecretCRAM-MD5
> >>>>cmusaslsecretDIGEST-MD5 and
> >>>>cmusaslsecretNTLM
> >
> >As I recall these are all plaintext-equivalents; i.e. there is no
> >security benefit from using these pre-hashed values, so they've been
> >deprecated already. The plugins will retrieve and use them if they're
> >present, but nothing creates them.
>
> They are _not_ plaintext equivalents. They are realm-limited, so
> compromise is limited to just the set of services sharing that realm
> (in many cases a single service). i.e. they don't let me use your
> password to log in to gmail, or get a shell on your box.
>
> The fact that the cyrus folks decided to deprecate these in favor of

Are they really deprecated? Because if they are, it's no use to document them,
which is something I am working on.

p@rick

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>