Re: Suddenly unable to log into Exchange IMAP account



On 04/01/2009 10:32:24 PM, Simon Brown wrote:
On 01/04/09 20:58:31, Pawel Salek wrote:
> If you like, you can remove imap_auth_plain from
>
> static ImapAuthenticator imap_authenticators_arr[] = {
>   imap_auth_anonymous, /* will be tried only if enabled */
>   imap_auth_gssapi,
>   imap_auth_cram,
>   imap_auth_plain,
>   imap_auth_login, /* login is deprecated */
>   NULL
>;
>
> in libbalsa/imap/imap-auth.c and see what happens.
It successfully authenticates using LOGIN.

Now if I understand correctly using PLAIN and LOGIN isn't great, NTLM
also isn't great as it's a closed standard. GSSAPI doesn't seem to work
either but is supported in some way by both Exchange and Balsa. How
much work is required to bridge that gap? Or would I be buying a ticket
to a kicking?

Well, it's not all that bad. That's correct that PLAIN and LOGIN use essentially unencrypted passwords over the net. You have however protected the session with TLS encryption, and you should be perfectly safe as long as you verify the certificate. This is how I use balsa most. Other safe mode is GSSAPI but it stopped working for me since my university migrated from Cyrus IMAP to Exchange. I never had time and patience to debug the problem...

NTLM is formally a challenge-response type of authentication but the actual design is flawed and easy to break. CRAM-MD5 is also a challenge response type of authentication. There is also SKEY which is a kind of one-time password. I have yet to see a server supporting it. One can in principle authenticate IMAP using client SSL certificates - but we haven't got that implemented in balsa yet. It would fairly straightforward, though.

Pawel











[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]