At 11:04 AM 3/24/2006, you wrote:

I know that it was broken on one of our mail servers a few years ago (where it advertised it but then didn't authenticate properly) and we got <10% of users properly authenticating and >90% of them not (these are if I recall correctly and are of course rough numbers. The general observation I find is that most mail clients use as much of the protocol as they know.

So no claim/fact that's enough to go by, but pop RECORDIO on your pop or smtp server, and tail -F (capital to follow the file name itself) the current file and see how many of your authentications are mangled, be it by challenge-response or that are short and plain text. There may be more recognizable sections to look at.

i don't use smtp auth, so i wouldn't know. i thought you were claiming that most providers these days are doing smtp auth. we still do pop before smtp - it works, it's reliable, it's simple, it's low overhead. if someone believes their email is important enough that someone would want to sniff the line to get it, then they should be using PGP or some other means of making the actual content secure.

in my opinion, of course.

Paul Theodoropoulos

Reply via email to