If you use the AUTH command on a normal connection to the server, your user name and password would be sent in plain text. A malicious person with a packet sniffer would be able to capture the authentication details en route.
I was hoping there would be a way to improve the security of people logging into the server. If they connected with an unencrypted session, they would be restricted to more secure login protocols (possibly limit it to cram-md5?) or disconnected with an error "534 Authentication mechanism is too weak" or "538 Encryption required for requested authentication mechanism" (as mentioned in RFC2554, I think). If they connected via an encrypted session, they could be presented with the full set of protocols supported?

Davide Libenzi wrote:
> On Mon, 15 Jan 2007, Vinny Wadding wrote:
>
>> I am currently running XMail 1.23 and have started reading the
>> documentation for 1.24 and I had a question that I haven't come across
>> the answer to yet.
>>
>> Is there a way in XMail to stop it advertising SMTP AUTH unless the
>> connection is encrypted? I don't want it to be available on a normal
>> connection (and obviously not to impair xmail delivery to local domains).
>
> No. I'm missing the logic behind it though. Please explain ...
>
> - Davide
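
The policy asked about in this thread, sketched as an added example that is not part of the original messages and is not XMail code: an audit of a server's pre-STARTTLS EHLO reply for plaintext AUTH mechanisms, plus the server-side decision of what to advertise and how to answer AUTH on an unencrypted session. The function names, the sample EHLO reply and the host name are constructed for illustration; the 538 text is the one quoted above, and 504 and 334 are the standard SMTP AUTH reply codes.

```python
import re

# Mechanisms that send the password in recoverable form (base64 only).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: an EHLO reply captured before STARTTLS was issued.
CONSTRUCTED_EHLO = """250-mail.example.test
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN CRAM-MD5
250 8BITMIME"""

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        # Accept both "AUTH a b" and the legacy "AUTH=a b" form.
        m = re.match(r"250[- ]([A-Za-z0-9][A-Za-z0-9-]*)(?:[ =](.*))?$",
                     line.strip())
        if m:
            params = (m.group(2) or "").upper().split()
            caps.setdefault(m.group(1).upper(), []).extend(params)
    return caps

def audit_pre_tls(reply):
    """Report plaintext mechanisms advertised on the unencrypted session."""
    caps = parse_ehlo(reply)
    offered = set(caps.get("AUTH", []))
    return {"starttls": "STARTTLS" in caps,
            "plaintext_before_tls": sorted(offered & PLAINTEXT_MECHS)}

def mechanisms_to_offer(supported, tls_active):
    """Server side: full set over TLS, challenge-response only without it."""
    if tls_active:
        return list(supported)
    return [m for m in supported if m.upper() not in PLAINTEXT_MECHS]

def auth_reply(mechanism, supported, tls_active):
    """Server side: first reply line to 'AUTH <mechanism>'."""
    mech = mechanism.upper()
    if mech not in {m.upper() for m in supported}:
        return "504 Unrecognized authentication type"
    if not tls_active and mech in PLAINTEXT_MECHS:
        return "538 Encryption required for requested authentication mechanism"
    return "334 "  # proceed with the mechanism's challenge

if __name__ == "__main__":
    print(audit_pre_tls(CONSTRUCTED_EHLO))
    print(mechanisms_to_offer(["LOGIN", "PLAIN", "CRAM-MD5"], tls_active=False))
```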
