On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
Also, I'm fairly certain that CRAM-MD5 requires that you have clear-text
passwords enabled. I still need to look at my pop and smtp servers to see
how I can make them not advertise something that's not available on my

Really? That doesn't sound too secure, or even ethical.

CRAM-MD5 is more secure because someone sniffing the network can't derive the sender's password. With all other SMTP AUTH methods, you can easily decode sniffed packets to get the email address and password. The only way for CRAM-MD5 to work is for the server to know the user's cleartext password.

Granted, you need to make sure the cleartext password is stored securely...

Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/

Reply via email to