LMTP AUTH security exposure?
Vincent Fox
vbfox at ucdavis.edu
Wed Oct 10 16:30:34 EDT 2007
Ken Murchison wrote:
>
> You can set service-specific options, such as "lmtp_allowplaintext:
> yes". The service-specific prefix must match a service name in
> cyrus.conf.
>
That seems more than sufficient solution, thanks!
We set
allowplaintext: no
lmtp_allowplaintext: yes
It works like a charm. I sniffed and it looks like LMTP delivery
over TCP does a STARTTLS so we are covered from compromised
hosts picking the password out of the traffic.
Thanks!
More information about the Info-cyrus
mailing list