Daniel, From: Daniel Senie <[EMAIL PROTECTED]> Subject: Re: APOP and POP over SSL for one particular user possible? Date: Fri, 27 Feb 2004 16:35:40 -0500
> >The only way I > >found to achieve my goal was to set clear-text-password parameter to > >'always' for pop3s (995/tcp) (I am using alternate-port > >mode). However, this in turn introduces security breach. I think most > >users won't connect to the server using 995/tcp without SSL, but > >there's no such guarantee. > When popper is set to alternate port mode, it will not accept commands in > clear text. Anything you send to port 995 will be expected to be encased in > TLS. No security hole. Thanks! I confirmed that you're right. Qpopper in alternate-port mode simply waits for a Client-Hello to be sent from the client to proceed. Therefore, it looks like there's no concern in using "clear-text-password = always" under alternate-port mode. Regards,
