[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Plaintext passwords IMAP please!

> SuSE should not be in the business of telling sysadmins what is, and what is not
> acceptable.  Better default options are always preferrable, but to tell the
> sysadmin "you can't do this" is wrong.  SuSE should be in the business of
> empowering the sysadmins, not making their lives more difficult.
> In most situations, yes, IMAP should have ssl, and that should definately be the
> default setting.  However, there are situations where it is less than optimal,
> and thus it should be config option, not compile-time option.

In fairness to SuSE, the decison to change the default behavior of the UW
Imap daemon was made by the program authors at UW. SuSE could have done a
better job notifying people there was a significant change in the default
behavior and that it would break all webmail clients.

As for the Outlook Express imap problem...it has been known for some time
that Microsoft's implementation of imap is badly broken. It has handshake
timing issues which prevent reliable connections. MS has known about
this for a long time and seems uninterested in fixing it. Entourage on the
Mac side suffers from similar handshake problems. Adding ssl to the
handshake seems to make the problems worse.


Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here