As both a system administrator and a PowerMail user, I am at a crossroads
with PowerMail. 

I have used PowerMail for over four years, purchasing upgrades as those
have come up. I like it a lot. I have been pleased with the advances that
PowerMail has made (the search engine and html rendering upgrades) and I
like that PowerMail allows me to use plain text as my default for sending
and receiving. 

However, as a system administrator, concerned about the security of my
mail server, I am at my wits' end with how PowerMail handles Password
Authentication of SMTP and SSL SMTP. 

Since most of my mail server users have laptops and they connect from a
broad array of networks, I cannot nail down SMTP relay to just specific
networks. I need to rely on Authenticated SMTP. PowerMail supports this,
but only using unsecured, clear text passwords. 

This means that I must allow my users to send their system passwords over
the network in the clear if they want to use PowerMail as their mail client. 

We have completely blocked all FTP traffic on our networks because of the
clear-text password problem inherent with FTP. 

If PowerMail supported CRAM-MD5 and/or Kerberos, it would be an
acceptable mail client.

However, I could get over the clear text SMTP password authentication if
only the SSL support was not limited to SSL on a separate port. I run OS
X Server 10.3.6 on my mail server and have it configured for SSL on SMTP,
POP, and IMAP. However, OS X Server 10.3.x and above support SSL on port
25 using the STARTTLS command. 

This means that my PowerMail users can encrypt the whole transaction
including the password they send to retrieve mail from my POP and IMAP
server, BUT they have to send their password in the clear when they send mail.

The Sys Admin side of me wants to ban the use of PowerMail (until it can
support either encrypted SMTP passwords or SSL SMTP using STARTTLS on
port 25).

The PowerMail side of me wants to give a blind eye to this security
breach. I have over a gig of compressed mail messages in my current
account, and have archived another gig. I love how fast I can search on
my mail to find relevant messages.

PowerMail Engineering, PLEASE help me out. 

I am guessing that updating the code to allow SSL SMTP using STARTTLS on
port 25 is the easier of the two paths to being a good security player.
It would also encrypt the whole SMTP transaction. It would also be my
preference, but I would happily take CRAM-MD5 support on the password.

Please make PowerMail a good security player before I am forced to move
on to another, more secure mail client! 

Sincerely,

Robert Snyder
PowerMail User and System Administrator
____________________________________________

Robert Snyder, Director
World Campus Data Management Services
The Pennsylvania State University
105 Mitchell Building
University Park  PA  16802
Phone: 814-865-0912  Fax: 814-865-4406 
E-mail: [EMAIL PROTECTED]
URL: http://www.worldcampus.psu.edu
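
Added example, not part of the original message and not PowerMail code: a Python sketch of what the two SMTP AUTH mechanisms discussed above put on the wire when the session is not wrapped in TLS. The user name, password and challenge are constructed sample values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed sample values (not from the original message).
USER = "rsmith"
PASSWORD = "correct-horse-9"
CHALLENGE = base64.b64encode(b"<1234.5678@mail.example.org>").decode()


def auth_plain_line(user, password):
    """AUTH PLAIN (RFC 4616): base64 of NUL + user + NUL + password."""
    token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return f"AUTH PLAIN {token}"


def read_plain_line(line):
    """Base64 is an encoding, not encryption: decoding needs no key."""
    _authzid, user, password = base64.b64decode(line.split()[2]).split(b"\0")
    return user.decode(), password.decode()


def cram_md5_response(user, password, challenge_b64):
    """CRAM-MD5 (RFC 2195): reply with HMAC-MD5(password, challenge)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_accepts(stored_password, challenge_b64, response_b64):
    """Server recomputes the HMAC over the challenge it issued and compares."""
    user = base64.b64decode(response_b64).decode().rsplit(" ", 1)[0]
    expected = cram_md5_response(user, stored_password, challenge_b64)
    return hmac.compare_digest(response_b64, expected)


if __name__ == "__main__":
    plain = auth_plain_line(USER, PASSWORD)
    print(plain, "->", read_plain_line(plain))
    reply = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("CRAM-MD5 reply:", base64.b64decode(reply).decode())
    print("accepted:", server_accepts(PASSWORD, CHALLENGE, reply))
```

CRAM-MD5 keeps the password itself out of the exchange and ties each reply to a one-time challenge, but the rest of the SMTP session stays unencrypted; STARTTLS on port 25 covers the whole transaction, as the message above notes.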



