Martin Lambers
> No, with SCRAM the password is not saved into a database in clear. And it is not with PLAIN either!
> * GNU SASL (gsasl) supports SCRAM-SHA-256(-PLUS) since 1.9.1:...
After receiving feedback on an article I wrote about my doubts about SCRAM, I changed my position. SCRAM is indeed useful. See [this update](https://marlam.de/msmtp/news/about-authentication-update/) for the reasons that changed my...
Thank you for this article Simon!
I am currently adding SCRAM-*-PLUS to msmtp (and later to mpop), using `gnutls_session_channel_binding()` to get the channel binding information, type EXPORTER for TLS 1.3 and UNIQUE for TLS
Thank you for this information, it helps. So in a first step, to not break existing setups, users of msmtp and mpop will have to manually select a SCRAM-* method...
Support for SCRAM-SHA-256-PLUS and SCRAM-SHA-1-PLUS is now in the git repository. This is tested so far against Exim via TLS 1.2 and TLS 1.3, but this basically tests a GnuTLS/GSASL...
The same code is now also in mpop for POP3. If you can test this, please do.
I have more questions about SCRAM... I was told that if a server stores the salted and hashed password, then stealing that allows impersonating the client, so it's no better...
I always thought that options to choose IPv4 vs IPv6 are just workarounds for broken network setups, because these things should be invisible to applications. And for workaround purposes, `source_ip`...
OK, thanks for your understanding, I will reject this PR now.