With the rest of Lyndon's proposal in place, we wouldn't need
the explicit -sasl -tls. Very nice.
Thinking about it ... I realize I missed this part of his proposal. I'm
not so sure I like the idea of defaulting to -sasl being on. While the
traditional SASL mechanisms (CRAM-MD5, DIGEST-MD5, GSSAPI, etc.) are
safe to send to an unknown/untrusted server, PLAIN is not; it sends the
password in the clear (well, it's base64 encoded for SMTP and you're
only supposed to use it over an encrypted channel, but you get the
idea). If you do that with an untrusted server, boom, there goes your
password. Maybe that's not a valid concern, but I'd rather require the
user to configure that.
--Ken
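An added example, not nmh code, of the policy Ken describes: a client that defaults to SASL but offers a password-exposing mechanism only once TLS is up, and a demonstration that the base64 in a PLAIN response is readable by any server or listener that sees it. The EHLO replies and credentials are constructed, and `parse_auth_mechanisms`, `choose_mechanism` and the other names are this example's own.

```python
import base64
from typing import Optional, Set, Tuple

# Mechanisms that prove possession of the password without transmitting it;
# safe to offer even to a server we have not yet verified.
CHALLENGE_RESPONSE = ("GSSAPI", "DIGEST-MD5", "CRAM-MD5")
# Mechanisms that put the password itself on the wire (PLAIN is only base64).
PASSWORD_EXPOSING = ("PLAIN", "LOGIN")

# Constructed sample EHLO replies, not captured from any real server.
EHLO_PLAIN_ONLY = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME"
EHLO_WITH_CRAM = "250-mail.example.test\r\n250-AUTH PLAIN CRAM-MD5\r\n250 8BITMIME"


def parse_auth_mechanisms(ehlo_reply: str) -> Set[str]:
    """Collect mechanism names from the '250-AUTH ...' line(s) of an EHLO reply."""
    mechs: Set[str] = set()
    for line in ehlo_reply.splitlines():
        body = line[4:] if line.startswith("250") else ""  # drop '250-' / '250 '
        if body.upper().startswith(("AUTH ", "AUTH=")):  # 'AUTH=' is the old form
            mechs.update(m.upper() for m in body[5:].split())
    return mechs


def choose_mechanism(offered: Set[str], tls_active: bool) -> Optional[str]:
    """Pick what a -sasl default should use; None means do not attempt SASL.
    A password-exposing mechanism is acceptable only after TLS is negotiated."""
    for m in CHALLENGE_RESPONSE:
        if m in offered:
            return m
    if tls_active:
        for m in PASSWORD_EXPOSING:
            if m in offered:
                return m
    return None


def plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """The RFC 4616 PLAIN message exactly as a client sends it."""
    raw = f"{authzid}\0{authcid}\0{password}".encode()
    return base64.b64encode(raw).decode("ascii")


def recover_from_plain(wire: str) -> Tuple[str, str, str]:
    """What the receiving (possibly untrusted) server sees: base64 is not encryption."""
    authzid, authcid, password = base64.b64decode(wire).decode().split("\0")
    return authzid, authcid, password
```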
_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/nmh-workers