Tom Collins wrote:
> On Sep 22, 2005, at 1:42 AM, John Simpson wrote:
>> if you're supporting AUTH, you really should use TLS as well.
>> otherwise you're allowing your users to send their passwords across
>> the internet in plain text - and all it takes is one spammer with a
>> packet sniffer to use your machine as a relay.
>
> If you use CRAM-MD5 for the AUTH method, it's impossible to sniff the
> cleartext password.
>
> TLS is a good idea, but getting your users to enable it in their clients
> can be a challenge. It's hard enough explaining how to enable SMTP AUTH!
>
> Here's an idea, how about a Wiki page dedicated to instructions on
> setting SMTP AUTH in various email clients? People could contribute by
> taking screen shots of their setup, preferably with '[EMAIL PROTECTED]' or
> some similar username.
>
> A more ambitious project would be to use PHP and GD with the proper
> fonts to automatically fill in the fields and generate a completely
> custom "how to" page. Any ISP could use it, and make use of hidden
> fields to enable/disable certain features (like 'use port 587 for
> outbound smtp', 'enable TLS', 'use full email address as username', 'use
> smtp.server.com for outbound email', etc.). The end user could enter
> their name, email address and email client and get a one-page printout
> instructing them on how to set everything up.
>
> If screen shots were provided, any of the PDF generators for PHP could
> provide a custom PDF file with ISP branding for downloading on demand.

Interesting Idea...... We are in the middle of moving our entire
operation, NOC and office. But afterwards maybe, would anyone be
interested in this if I did it?
DAve

> --
> Tom Collins - [EMAIL PROTECTED]
> QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
> You don't need a laptop to troubleshoot high-speed Internet: sniffter.com
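
The difference between AUTH PLAIN and AUTH CRAM-MD5 on an unencrypted connection, discussed in the thread above, shown as an added example that is not part of any poster's message. The function names, user, password and challenge strings are constructed for illustration.

```python
import base64
import hashlib
import hmac

def auth_plain_wire(user, password):
    """AUTH PLAIN initial response: base64 of NUL user NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def decode_plain_wire(wire):
    """Base64 is an encoding, not encryption: anyone on the path can undo it."""
    _authzid, user, password = base64.b64decode(wire).decode().split("\0")
    return user, password

def cram_md5_wire(user, password, challenge_b64):
    """AUTH CRAM-MD5 response: base64 of 'user <hex HMAC-MD5(password, challenge)>'."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def server_accepts(stored_password, challenge_b64, response_b64):
    """Server side: recompute the HMAC over the challenge it issued and compare."""
    _user, digest = base64.b64decode(response_b64).decode().rsplit(" ", 1)
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)

# Constructed sample values, not taken from the thread.
USER, PASSWORD = "user@example.com", "correct horse battery"
CHALLENGE_1 = base64.b64encode(b"<1001.1127378520@mail.example.com>").decode()
CHALLENGE_2 = base64.b64encode(b"<1002.1127378533@mail.example.com>").decode()

if __name__ == "__main__":
    plain = auth_plain_wire(USER, PASSWORD)
    print("AUTH PLAIN on the wire:", plain)
    print("  decoded by an observer:", decode_plain_wire(plain))
    cram = cram_md5_wire(USER, PASSWORD, CHALLENGE_1)
    print("CRAM-MD5 on the wire:", cram)
    print("  decoded by an observer:", base64.b64decode(cram).decode())
    print("  accepted for its own challenge:", server_accepts(PASSWORD, CHALLENGE_1, cram))
    print("  accepted if replayed later:", server_accepts(PASSWORD, CHALLENGE_2, cram))
```

The CRAM-MD5 response is still a keyed hash over a challenge the observer also sees, so a weak password can be guessed offline from a captured exchange, and the message itself travels unencrypted; TLS covers both.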