Re: Suddenly unable to log into Exchange IMAP account



On 04/01/2009 10:32:24 PM, Simon Brown wrote:
> On 01/04/09 20:58:31, Pawel Salek wrote:
> > If you like, you can remove imap_auth_plain from
> >
> > static ImapAuthenticator imap_authenticators_arr[] = {
> >   imap_auth_anonymous, /* will be tried only if enabled */
> >   imap_auth_gssapi,
> >   imap_auth_cram,
> >   imap_auth_plain,
> >   imap_auth_login, /* login is deprecated */
> >   NULL
> > };
> >
> > in libbalsa/imap/imap-auth.c and see what happens.
> It successfully authenticates using LOGIN.
>
> Now if I understand correctly using PLAIN and LOGIN isn't great, NTLM
> also isn't great as it's a closed standard. GSSAPI doesn't seem to work
> either but is supported in some way by both Exchange and Balsa. How
> much work is required to bridge that gap? Or would I be buying a ticket
> to a kicking?

Well, it's not all that bad. It's correct that PLAIN and LOGIN use essentially unencrypted passwords over the net. You have, however, protected the session with TLS encryption, and you should be perfectly safe as long as you verify the certificate. This is how I use balsa most. The other safe mode is GSSAPI, but it stopped working for me since my university migrated from Cyrus IMAP to Exchange. I never had time and patience to debug the problem...

NTLM is formally a challenge-response type of authentication, but the actual design is flawed and easy to break. CRAM-MD5 is also a challenge-response type of authentication. There is also SKEY, which is a kind of one-time password. I have yet to see a server supporting it. One can in principle authenticate IMAP using client SSL certificates, but we haven't got that implemented in balsa yet. It would be fairly straightforward, though.

Pawel
