LMTP AUTH security exposure?

Vincent Fox vbfox at ucdavis.edu
Wed Oct 10 16:30:34 EDT 2007


Ken Murchison wrote:
>
> You can set service-specific options, such as "lmtp_allowplaintext: 
> yes".  The service-specific prefix must match a service name in 
> cyrus.conf.
>
That seems a more than sufficient solution, thanks!

We set
allowplaintext: no
lmtp_allowplaintext: yes

It works like a charm. I sniffed and it looks like LMTP delivery
over TCP does a STARTTLS so we are covered from compromised
hosts picking the password out of the traffic.

Thanks!
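
Added example, not part of the original messages and not Cyrus project code: a small audit of the rule Ken describes, resolving allowplaintext per service and listing prefixed keys that match no service name in cyrus.conf. The sample configs are constructed; the imap and lmtpunix services and the lmtpd_ key are assumptions, and an unset option is reported as None rather than guessing a default.

```python
import re

# Constructed sample configs. Only the first two imapd.conf lines come from
# the post; the service entries and the lmtpd_ key are assumptions.
CYRUS_CONF = '''
SERVICES {
  imap      cmd="imapd" listen="imap" prefork=0
  lmtp      cmd="lmtpd" listen="lmtp" prefork=0
  lmtpunix  cmd="lmtpd" listen="/var/imap/socket/lmtp" prefork=0
}
'''
IMAPD_CONF = '''
allowplaintext: no
lmtp_allowplaintext: yes
# prefix below is the binary name, not a service name
lmtpd_allowplaintext: yes
'''
TRUE = {"yes", "on", "true", "t", "1"}

def service_names(cyrus_conf):
    """First token of each entry inside the SERVICES { ... } block."""
    block = re.search(r"SERVICES\s*\{(.*?)\}", cyrus_conf, re.S)
    names = []
    for line in (block.group(1) if block else "").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line.split()[0])
    return names

def options(imapd_conf):
    """Parse 'key: value' lines, skipping blanks and # comment lines."""
    opts = {}
    for line in imapd_conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip().lower()
    return opts

def audit(cyrus_conf, imapd_conf, option="allowplaintext"):
    """Return ({service: bool or None}, [prefixed keys matching no service])."""
    services, opts = service_names(cyrus_conf), options(imapd_conf)
    effective = {}
    for svc in services:
        # The service-specific key wins; otherwise the global key applies.
        raw = opts.get(f"{svc}_{option}", opts.get(option))
        effective[svc] = None if raw is None else raw in TRUE
    suffix = "_" + option
    orphans = sorted(k for k in opts
                     if k.endswith(suffix) and k[:-len(suffix)] not in services)
    return effective, orphans
```

Because the prefix has to equal the service name, the constructed lmtpunix service falls back to the global setting, and lmtpd_allowplaintext applies to nothing.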



