On Fri, Feb 21, 2003 at 08:20:59AM +1300, Jason Haar wrote:
> On Thu, Feb 20, 2003 at 10:36:47AM +0000, Brian Candler wrote:
> > Pretty much, although there is a way to mitigate that: let a different box
> > handle the SASL exchange for you.
>
> You mean if I compromise the Courier server and reconfigure it to use PLAIN
> passwords, the client will notify the user that a configuration change has
> occurred, so that they don't send their password?
>
> I don't think so ;-)

Fair point I suppose, although the client has to take some responsibility for security. E.g. if, when configuring the POP3 account, I click "use SASL CRAM-MD5 authentication", then I should get a refusal or at least a warning if the server does not accept this method.

Regards,

Brian.

_______________________________________________
courier-users mailing list
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
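
The client-side check suggested in the reply above, as an added example that is not part of the original message or of Courier: a POP3 client configured for CRAM-MD5 reads the server's CAPA response (RFC 2449) and refuses to authenticate if that mechanism is no longer offered, rather than falling back to PLAIN. The function names and the sample CAPA lines are constructed for illustration.

```python
import base64
import hashlib
import hmac

class DowngradeRefused(Exception):
    """The server does not offer the mechanism the user configured."""

def sasl_mechanisms(capa_lines):
    """Return the SASL mechanisms advertised in a POP3 CAPA response."""
    for line in capa_lines:
        words = line.strip().split()
        if words and words[0].upper() == "SASL":
            return {w.upper() for w in words[1:]}
    return set()  # no SASL capability line at all

def require_mechanism(capa_lines, configured="CRAM-MD5"):
    """Refuse to continue unless the configured mechanism is offered.

    There is deliberately no fallback to PLAIN or USER/PASS: a server that
    stops offering the configured mechanism gets no credentials.
    """
    offered = sasl_mechanisms(capa_lines)
    if configured.upper() not in offered:
        raise DowngradeRefused(
            f"server offers {sorted(offered) or 'no SASL'}, not {configured}; "
            "refusing to send credentials")
    return configured.upper()

def cram_md5_response(user, password, challenge_b64):
    """Build the CRAM-MD5 reply (RFC 2195): base64("user " + hex HMAC-MD5)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

# Constructed CAPA responses (sample data, not captured from a real server).
CAPA_BEFORE = ["TOP", "UIDL", "SASL CRAM-MD5 PLAIN"]
CAPA_AFTER = ["TOP", "UIDL", "SASL PLAIN LOGIN"]  # CRAM-MD5 withdrawn

if __name__ == "__main__":
    print(require_mechanism(CAPA_BEFORE))
    try:
        require_mechanism(CAPA_AFTER)
    except DowngradeRefused as exc:
        print("refused:", exc)
```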
