On Thu, 9 Dec 2004 21:39:22 -0800, Tom Collins <[EMAIL PROTECTED]> wrote:
> On Dec 9, 2004, at 3:20 PM, Pedro Pais wrote:
> >> Also, I'm fairly certain that CRAM-MD5 requires that you have
> >> clear-text
> >> passwords enabled.  I still need to look at my pop and smtp servers
> >> to see
> >> how I can make them not advertise something that's not available on my
> >> system...
> >
> > Really? That doesn't sound too secure, or even ethical.
> 
> CRAM-MD5 is more secure because someone sniffing the network can't
> derive the sender's password.  With all other SMTP AUTH methods, you
> can easily decode sniffed packets to get the email address and
> password.  The only way for CRAM-MD5 to work is for the server to know
> the user's cleartext password.
> 
> Granted, you need to make sure the cleartext password is stored
> securely...
But why isn't the password stored in the passwd/mysql using CRAM-MD5
format? That way you could always check it. It wouldn't matter if the
client authenticated using plain or using CRAM-MD5. You could even
double cipher the password using mysql PASSWORD().

a) Client authenticates using plain username/password: create CRAM-MD5
from those tokens and check it against the stored password.
b) Client authenticates using CRAM-MD5 username/password: compare it
directly with the stored password.

Am I missing something important in here?


> 
> --
> 
> 
> Tom Collins  -  [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
> Info on the Sniffter hand-held Network Tester: http://sniffter.com/
> 
> 


-- 
Pedro Pais
Skype name: pedro.pais
MSN: [EMAIL PROTECTED]
Get Firefox! 
http://www.spreadfirefox.com/community/?q=affiliates&id=3759&t=1

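As an added example, not code from this thread, from vpopmail or from qmailadmin: the CRAM-MD5 exchange Tom describes, in Python, with both sides of the SMTP AUTH dialogue. The client keys HMAC-MD5 with its cleartext password over a server challenge that changes every session, so the response is never the same twice and the server has to recompute it from the password on its side. The block also shows the one thing a server can store instead of the cleartext password: the two keyed MD5 contexts HMAC starts from (as Dovecot's CRAM-MD5 password scheme does). Those contexts are password-equivalent for CRAM-MD5 and still need the cleartext password once to create them, so they protect the password itself but not the account if the store leaks. The hostname and the pedro@example.org / "correct horse" credentials are constructed for the demo; the tim / tanstaaftanstaaf values used in the check are the RFC 2195 test vector.

```python
import base64
import hashlib
import hmac
import secrets
import time

MD5_BLOCK = 64  # HMAC block size for MD5 (RFC 2104)


def make_challenge(hostname: str) -> bytes:
    """Server side: an RFC 2195 style challenge '<random.timestamp@host>'."""
    return f"<{secrets.randbelow(10**10)}.{int(time.time())}@{hostname}>".encode()


def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed with the cleartext password over the raw challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def verify_with_cleartext(cleartext_db: dict, challenge: bytes, response: str) -> bool:
    """Server side, the case Tom describes: recompute the HMAC from the stored cleartext password."""
    username, _, digest = response.partition(" ")
    password = cleartext_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_contexts(password: str):
    """What a server may store instead of the password: the two keyed MD5 contexts
    (key XOR ipad, key XOR opad) that HMAC-MD5 starts from. Password-equivalent
    for CRAM-MD5, but the password itself cannot be read back out of them."""
    key = password.encode()
    if len(key) > MD5_BLOCK:          # RFC 2104: hash keys longer than a block
        key = hashlib.md5(key).digest()
    key = key.ljust(MD5_BLOCK, b"\x00")
    inner = hashlib.md5(bytes(b ^ 0x36 for b in key))
    outer = hashlib.md5(bytes(b ^ 0x5C for b in key))
    return inner, outer


def verify_with_contexts(context_db: dict, challenge: bytes, response: str) -> bool:
    """Server side without the cleartext password: finish the HMAC from the stored contexts."""
    username, _, digest = response.partition(" ")
    ctx = context_db.get(username)
    if ctx is None:
        return False
    inner, outer = ctx
    i = inner.copy()          # H(K^ipad || challenge)
    i.update(challenge)
    o = outer.copy()          # H(K^opad || inner digest)
    o.update(i.digest())
    return hmac.compare_digest(o.hexdigest(), digest)


def smtp_exchange(username: str, password: str, challenge: bytes) -> list:
    """Wire form of SMTP AUTH CRAM-MD5 (RFC 2195 / RFC 4954): challenge and reply are base64."""
    resp = client_response(username, password, challenge)
    return [
        "C: AUTH CRAM-MD5",
        "S: 334 " + base64.b64encode(challenge).decode(),
        "C: " + base64.b64encode(resp.encode()).decode(),
    ]


if __name__ == "__main__":
    user, pw = "pedro@example.org", "correct horse"   # constructed credentials
    chal = make_challenge("mail.example.org")         # constructed hostname
    for line in smtp_exchange(user, pw, chal):
        print(line)
    resp = client_response(user, pw, chal)
    print("cleartext store verifies:", verify_with_cleartext({user: pw}, chal, resp))
    print("context store verifies:  ", verify_with_contexts({user: cram_contexts(pw)}, chal, resp))
    # A second challenge gives a different response: there is no fixed value to store.
    print("responses differ per challenge:",
          resp != client_response(user, pw, make_challenge("mail.example.org")))
```

Note that the hashlib objects returned by cram_contexts only live in memory; a real server serialises the raw MD5 state words after the ipad/opad block so they can sit in a database column, and the HMAC-MD5 keying above is unchanged by that.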