At 11:04 AM 3/24/2006, you wrote:
> I know that it was broken on one of our mail servers a few years ago
> (where it advertised it but then didn't authenticate properly) and
> we got <10% of users properly authenticating and >90% of them not
> (these are if I recall correctly and are of course rough
> numbers). The general observation I find is that most mail clients
> use as much of the protocol as they know.
> So no claim/fact that's enough to go by, but pop RECORDIO on your
> pop or smtp server, and tail -F (capital to follow the file name
> itself) the current file and see how many of your authentications
> are mangled, be it by challenge-response or that are short and plain
> text. There may be more recognizable sections to look at.
i don't use smtp auth, so i wouldn't know. i thought you were
claiming that most providers these days are doing smtp auth. we still
do pop before smtp - it works, it's reliable, it's simple, it's low
overhead. if someone believes their email is important enough that
someone would want to sniff the line to get it, then they should be
using PGP or some other means of making the actual content secure.
in my opinion, of course.
Paul Theodoropoulos
http://www.anastrophe.com
http://www.smileglobal.com
http://www.forumgarden.com
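
The measurement suggested in the quoted message (log sessions with recordio, then count how many logins are challenge-response versus plain text) can be scripted. This is an added example, not part of the original thread; it assumes recordio's "pid < data" / "pid > data" line shape with a trailing space or "+" marker, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed recordio line shape: "<pid> < client data" or "<pid> > server data".
LINE = re.compile(r"^(\d+) ([<>]) (.*)$")
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}
PLAINTEXT = {"PLAIN", "LOGIN"}

def classify(client_data):
    """Return 'challenge-response', 'plaintext', 'other', or None if not a login."""
    words = client_data.strip(" +\r\n").split()
    if not words:
        return None
    verb = words[0].upper()
    if verb == "APOP":                     # POP3 digest login
        return "challenge-response"
    if verb == "USER":                     # POP3 USER/PASS puts the password on the wire
        return "plaintext"
    if verb == "AUTH" and len(words) > 1:  # SMTP or POP3 AUTH naming a SASL mechanism
        mech = words[1].upper()
        if mech in CHALLENGE_RESPONSE:
            return "challenge-response"
        return "plaintext" if mech in PLAINTEXT else "other"
    return None

def tally(lines):
    """Count login attempts by kind, looking only at client-to-server lines."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == "<":
            kind = classify(m.group(3))
            if kind:
                counts[kind] += 1
    return counts

# Constructed sample lines; credentials are replaced by a placeholder.
SAMPLE = [
    "4101 > 250-AUTH LOGIN CRAM-MD5 ",   # server advertisement, not a login
    "4101 < AUTH CRAM-MD5 ",
    "4102 < AUTH LOGIN ",
    "4103 < AUTH PLAIN <redacted> ",
    "4104 < USER alice ",
    "4104 < PASS <redacted> ",
    "4105 < APOP alice <redacted> ",
]

if __name__ == "__main__":
    print(dict(tally(SAMPLE)))
```

A recordio log holds credentials in the clear, so the file needs the same access restrictions as the password store itself.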