Hello CEEJOE,

On Tuesday, December 31, 2002 at 5:14:29 PM you [C] wrote (at least in
part):

C> As you see, you don't get clear answers. That's so because this
C> issue  is ______very_____fishy_____ (or shall I say "batty" ?) in
C> TheBat.

It ain't. And your mail additionally mixed up some things :-(

1.) The Bat! uses the authentication method it is configured to use.
2.) Exception was: if on SMTP-level "CRAM-MD5" was activated, but
    _NOT_ enforced ("Require secure (MD5) authentication"
    deactivated) _AND_ the SMTP-server sent "AUTH CRAM-MD5" in its
    EHLO-greeting, The Bat! tried to use CRAM-MD5 a second time even if
    it failed in the first instance. It didn't fall back to "normal"
    authentication. But as I wrote: only on SMTP-level.
    This should be fixed, IIRC. I think I remember having read
    something about this being fixed in a Beta-announcement.
3.) For POP retrieval The Bat! uses _exactly_ the configured
    authentication method. As one can see: in the configuration dialog
    they're all _exclusive_, so if one checks "Regular" The Bat! does
    not try to use CRAM-MD5. This is simply because POP3-servers don't
    have a greeting that allows to figure out which authentication
    methods are supported and The Bat! does not do "wild guessing and
    probing". It's up to the user to decide what should be taken, a
    POP account could be locked on server side with too many "failed
    logins" and a probing of The Bat! could trigger this error.
4.) SSL has _NOTHING_ to do with The Bat! set to a dedicated
    authentication method.
    (SSL) and (CRAM-MD5/APOP/Regular/Plain) are two different pairs of
    shoes. SSL secures the _connection itself_ by encryption. This
    encryption is applied to _ALL_ data exchanged in this session,
    from a possible login until the "QUIT" command. The different
    authentication methods only describe the way the authentication
    data are sent: Regular/Plain authentication sends username and
    password in plain text, while APOP and CRAM-MD5 encrypt the
    password (plus username for CRAM-MD5) and _ONLY_ the password
    (plus username for CRAM-MD5). The rest of communication, means:
    mail retrieval or mail sendout, is done unencrypted.
5.) Yes, The Bat! is _not yet_ capable of using an SSL-secured
    IMAP-connection, albeit configuration dialog pretends something
    similar. If IMAP is selected and STARTTLS or TLS the latter is
    simply ignored and the connection is done as if "Regular" for
    "Connection" would have been chosen.

Hope this sorts the whole stuff out a little bit and a "Happy new
year" to all list members and all they know :-)

CYa next year :-)

Pit
-- 
Regards
Peter Palmreuther
(The Bat! v1.62 Beta/17 on Windows 2000 5.0 Build 2195 Service Pack 1)

"There is no statute of limitations on stupidity."


________________________________________________
Current version is 1.62 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
