Cyrus POP3 Issue

Rob Siemborski rjs3 at
Thu Mar 10 16:42:59 EST 2005

On Fri, 4 Mar 2005, Henrique de Moraes Holschuh wrote:

> On Thu, 03 Mar 2005, L. Mark Stone wrote:
>> The POP server component is giving us a problem.  It often fails to
>> respond to connection requests in a timely manner, if at all.  IMAP
> Disable APOP, or get SASL to use /dev/urandom like it should be doing in any
> sane distribution (SASL is not generating long-term keys which would be a
> good reason to use /dev/random).

Almost right.

SASL doesn't generate *keys* using this, it generates *nonces*, which are 
known to the attacker anyway, since they are transmitted in the clear 
anyway.  It just matters that they don't repeat often enough to bother 
precomputing values for.

If SASL was using this for key generation, then yes, most of the comments 
in this thread have merit.


(Hmmm, it's possible that the SRP plugin is using this for something else, 
I'm not familiar enough with SRP and would have to ask Ken).

Rob Siemborski
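
The nonce property discussed in this message, as an added example that is not part of the original post and is not Cyrus SASL's code: an APOP exchange following RFC 1939, with the server nonce drawn from the non-blocking kernel pool. The function names, the nonce layout and the hostname `pop.example.test` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time


def make_challenge(hostname: str) -> str:
    """Server side: build the APOP banner timestamp in RFC 1939 msg-id form.

    os.urandom() reads the kernel's non-blocking CSPRNG (the /dev/urandom
    pool), so a busy server does not stall waiting for entropy. The value
    is sent in the clear; it only has to be unique per connection.
    """
    nonce = os.urandom(16).hex()
    return f"<{nonce}.{int(time.time())}@{hostname}>"


def apop_digest(challenge: str, secret: str) -> str:
    """Client side: MD5 over the challenge followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def verify(challenge: str, secret: str, digest: str) -> bool:
    """Server side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(apop_digest(challenge, secret), digest.lower())


def replay_accepted(secret: str, hostname: str = "pop.example.test") -> bool:
    """Replay a digest seen on one connection against the next connection."""
    first = make_challenge(hostname)
    captured = apop_digest(first, secret)   # what an eavesdropper observes
    second = make_challenge(hostname)       # fresh nonce for a new connection
    return verify(second, secret, captured)


def all_unique(count: int, hostname: str = "pop.example.test") -> bool:
    """Check that `count` consecutive challenges never repeat."""
    return len({make_challenge(hostname) for _ in range(count)}) == count


if __name__ == "__main__":
    # Constructed sample secret; the challenge itself is public by design.
    challenge = make_challenge("pop.example.test")
    print("S: +OK POP3 server ready", challenge)
    print("C: APOP user", apop_digest(challenge, "sample-secret"))
    print("replay accepted:", replay_accepted("sample-secret"))
    print("10000 challenges unique:", all_unique(10000))
```
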

