[EMAIL PROTECTED] writes:

> Unless I can use CRAM-MD5, it doesn't seem like a good idea -- it
> seems to me that the whole point of using APOP is being defeated
> (prevention of leakage of a secret in transit across a network) --
> especially if LOGIN or PLAIN must be used for SMTP AUTH. Does that
> sound right?
True. Although the loss of an APOP "shared secret" is less damaging than losing your server password, as in the case of regular pop3. If you are this concerned about security, you might be better off using one of the more secure authentication methods (/etc/tofmipd or imaps). BTW, do you allow only CRAM-MD5 on your network? This would prevent use of all Microsoft clients, for example.

> it isn't currently possible to use CRAM-MD5 w/ tmda-ofmipd+APOP. Is
> that correct? If so, why might that be?

Due to how CRAM-MD5 works (see RFC 2195). During SMTP auth, the client password is converted into a hexdigest before transmission. Thus, tmda-ofmipd never receives the password in clear text, and thus can't verify it against an external source like a pop3 server. However, given the username and a local password file (like /etc/tofmipd), tmda-ofmipd can look up the user's password, recalculate the hexdigest, and then compare that to the digest it received from the client.

_________________________________________________
tmda-workers mailing list ([EMAIL PROTECTED])
http://tmda.net/lists/listinfo/tmda-workers
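The exchange the reply describes, as an added example that is not code from the original thread nor from TMDA/tmda-ofmipd. RFC 2195 specifies the digest as HMAC-MD5 keyed with the password over a server-chosen challenge; the client returns base64 of "username SP hexdigest", so the server can only check it by recomputing the digest from a cleartext password it holds locally. The "user:password" file format, the sample accounts and the hostname below are assumptions made for the example; the known-answer vector is the one printed in RFC 2195 itself.

```python
"""
Added example (not TMDA/tmda-ofmipd code): both sides of an RFC 2195
AUTH CRAM-MD5 exchange, and why verification needs the cleartext password.
"""
import base64
import hashlib
import hmac
import os
import time

# Constructed sample of a local password file in the "user:password" style
# the message attributes to /etc/tofmipd. The exact file format is an
# assumption for this example, and the accounts are made up.
PASSWORD_FILE = """\
# user:password
alice:correct horse battery staple
bob:hunter2
"""


def load_password_file(text):
    """Parse 'user:password' lines into a dict; blank and '#' lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, password = line.partition(":")
        if sep:
            users[user] = password
    return users


def make_challenge(hostname="mail.example.com"):
    """Server side: a msg-id style challenge as in RFC 2195. It must never
    repeat, since a repeated challenge would let a captured response be replayed."""
    return "<%d.%d@%s>" % (os.getpid(), int(time.time()), hostname)


def server_challenge_line(challenge):
    """What the server sends after 'AUTH CRAM-MD5': '334 ' + base64(challenge)."""
    return "334 " + base64.b64encode(challenge.encode()).decode()


def cram_md5_digest(password, challenge):
    """HMAC-MD5 keyed with the password over the challenge, as lowercase hex."""
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()


def client_response_line(username, password, challenge):
    """Client side: base64('username SP hexdigest'). The password itself never
    leaves the client; only the keyed digest of this one challenge does."""
    raw = "%s %s" % (username, cram_md5_digest(password, challenge))
    return base64.b64encode(raw.encode()).decode()


def parse_client_response(line):
    """Split the client's base64 line into (username, digest)."""
    raw = base64.b64decode(line).decode()
    username, _, digest = raw.rpartition(" ")
    return username, digest


def server_verify(response_line, challenge, users):
    """Server side: recompute the digest from the cleartext password in the
    local file and compare in constant time. With no local cleartext password
    (e.g. auth delegated to a remote POP3 server) there is nothing to recompute
    from, which is the point the reply above makes."""
    try:
        username, digest = parse_client_response(response_line)
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    password = users.get(username)
    if password is None:
        # Spend a digest anyway so unknown users are not timing-distinguishable.
        hmac.compare_digest(cram_md5_digest("", challenge), digest)
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


def run_exchange(username, password, users, challenge=None):
    """Whole AUTH CRAM-MD5 exchange; returns (server_line, client_line, accepted)."""
    challenge = challenge or make_challenge()
    s_line = server_challenge_line(challenge)
    c_line = client_response_line(username, password, challenge)
    return s_line, c_line, server_verify(c_line, challenge, users)


# Known-answer check: the worked example printed in RFC 2195.
RFC2195_CHALLENGE = "<1896.697170952@postoffice.reston.mci.net>"
RFC2195_USER, RFC2195_PASSWORD = "tim", "tanstaaftanstaaf"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"


def rfc2195_example_matches():
    """True if the client side reproduces the RFC's example response."""
    return client_response_line(RFC2195_USER, RFC2195_PASSWORD,
                                RFC2195_CHALLENGE) == RFC2195_RESPONSE


if __name__ == "__main__":
    users = load_password_file(PASSWORD_FILE)
    for user, pw in [("alice", "correct horse battery staple"),
                     ("alice", "wrong"), ("mallory", "x")]:
        s, c, ok = run_exchange(user, pw, users)
        print("S:", s)
        print("C:", c)
        print("->", "235 OK" if ok else "535 authentication failed")
    print("RFC 2195 vector reproduced:", rfc2195_example_matches())
```

Note the trade-off the reply alludes to: the password never crosses the wire, but the server must store it in a form it can feed to HMAC, i.e. cleartext or equivalent, so the local file deserves the same protection as the secret itself.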
