Hi,

From: "Jason R. Mastaler" <[EMAIL PROTECTED]>
Subject: Re: tmda-ofmipd: patch for imap[s] and pop3 remote auth
Date: Tue, 03 Sep 2002 21:17:16 -0600

> A normal use of APOP is say between an MUA like Eudora, and a pop3
> server. The user enters his username and shared secret into his
> Eudora configuration. When he retrieves his incoming mail, Eudora
> handles the APOP negotiation with the server. The user need not be
> concerned with these details. Right?

Yes.

> tmda-ofmipd is substituted for Eudora in this equation. You would
> use your APOP username and shared secret as the username/password in
> the SMTP authentication configuration of whatever MUA you are using.
> When that MUA connects to tmda-ofmipd, it uses the username and shared
> secret to authenticate. Once tmda-ofmipd has these pieces, it will
> connect to the pop3 server and perform APOP authentication to verify
> them.

Ok, this sounds a bit like something I wrote earlier:

  I suppose an alternative might be for the user's client to send the
  password in plaintext to tmda-ofmipd and for tmda-ofmipd to compute
  the hashed value

Unless I can use CRAM-MD5, it doesn't seem like a good idea -- it
seems to me that the whole point of using APOP is being defeated
(prevention of leakage of a secret in transit across a network) --
especially if LOGIN or PLAIN must be used for SMTP AUTH.

Does that sound right?

It sounds like from what you say:

> Start tmda-ofmipd with something like:
>
> # tmda-ofmipd -d -R apop://acl.lanl.gov
>
> In your MUA, remember that you have to use either LOGIN or PLAIN (not
> CRAM-MD5) for the SMTP auth method. For your SMTP auth username,
> enter your APOP username, and for your SMTP auth password, enter your
> APOP shared secret phrase.

it isn't currently possible to use CRAM-MD5 w/ tmda-ofmipd+APOP. Is
that correct? If so, why might that be? It's not that the shared
secret is stored as a "context", is it? It seems to me that from a
theoretical point-of-view, it should be possible...

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
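
An added example, not part of the original message and not tmda-ofmipd's own code: the two digest constructions discussed above (APOP per RFC 1939, CRAM-MD5 per RFC 2195), showing what a relay must hold in order to perform APOP on the user's behalf. The function names, the stand-in POP3 check and the relay challenge are assumptions of this sketch; the secret and POP3 banner are the RFC 1939 sample values.

```python
import hashlib
import hmac


def apop_digest(banner: bytes, secret: bytes) -> str:
    """RFC 1939 APOP: hex MD5 over the server's banner timestamp + shared secret."""
    return hashlib.md5(banner + secret).hexdigest()


def cram_md5_digest(challenge: bytes, secret: bytes) -> str:
    """RFC 2195 CRAM-MD5: hex HMAC-MD5 of the challenge, keyed with the secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


def pop3_server_accepts(banner: bytes, stored_secret: bytes, offered: str) -> bool:
    """Hypothetical stand-in for the POP3 server's APOP check."""
    return hmac.compare_digest(apop_digest(banner, stored_secret), offered)


def relay_after_plain(password: bytes, pop_banner: bytes) -> str:
    """SMTP AUTH LOGIN/PLAIN hands the relay the secret itself, so it can
    answer whatever banner the POP3 server issues."""
    return apop_digest(pop_banner, password)


def relay_after_cram(client_digest: str, pop_banner: bytes) -> str:
    """SMTP AUTH CRAM-MD5 hands the relay only HMAC-MD5(secret, relay_challenge).
    That value is bound to the relay's own challenge and uses a different
    construction, so all the relay can offer upstream is the digest it
    received, which does not equal MD5(pop_banner + secret)."""
    return client_digest


if __name__ == "__main__":
    secret = b"tanstaaf"                                # RFC 1939 sample secret
    pop_banner = b"<1896.697170952@dbc.mtview.ca.us>"   # RFC 1939 sample banner
    relay_challenge = b"<constructed.1@relay.example>"  # constructed value

    via_plain = relay_after_plain(secret, pop_banner)
    via_cram = relay_after_cram(cram_md5_digest(relay_challenge, secret), pop_banner)
    print("PLAIN/LOGIN ->", pop3_server_accepts(pop_banner, secret, via_plain))
    print("CRAM-MD5    ->", pop3_server_accepts(pop_banner, secret, via_cram))
```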
