[Please cc: replies to me, as I am not subscribed to the list.]
When I force CRAM-MD5 for a POP3 connection, fetchmail is sending the
username and password unencrypted. When I don't force it, though,
CRAM-MD5 is used.
Operating System: Debian GNU/Linux Unstable i386
Using official 'fetchmail' deb, version 5.9.6-2
fetchmail -V:
This is fetchmail release 5.9.6+NTLM+SDPS+NLS
Linux bok.har 2.4.16 #1 Sun Dec 2 19:30:37 PST 2001 i686 unknown
Taking options from command line and /home/daniel/.fetchmailrc
Idfile is /home/daniel/.fetchids
Fetchmail will forward misaddressed multidrop messages to daniel.
Options for retrieving from erat@dungeonfyre.com:
True name of server is dungeonfyre.com.
Protocol is POP3.
CRAM-Md5 authentication will be forced.
Server nonresponse timeout is 300 seconds (default).
Default mailbox selected.
Only new messages will be retrieved (--all off).
Fetched messages will not be kept on the server (--keep off).
Old messages will not be flushed before message retrieval (--flush off).
Rewrite of server-local addresses is enabled (--norewrite off).
Carriage-return stripping is disabled (stripcr off).
Carriage-return forcing is disabled (forcecr off).
Interpretation of Content-Transfer-Encoding is enabled (pass8bits off).
MIME decoding is disabled (mimedecode off).
Idle after poll is disabled (idle off).
Nonempty Status lines will be kept (dropstatus off)
Delivered-To lines will be kept (dropdelivered off)
Messages will be SMTP-forwarded to: localhost (default)
Recognized listener spam block responses are: 571 550 501 554
Single-drop mode: 1 local name(s) recognized.
No UIDs saved from this host.
When I run "fetchmail -v", I get the following output:
fetchmail: 5.9.6 querying dungeonfyre.com (protocol POP3) at Mon Feb 4 16:54:47 2002: poll started
fetchmail: POP3< +OK X1 NT-POP3 Server <476.1012870252785@dungeonfyre.com> (IMail 6.06 6252-1)
fetchmail: POP3> USER erat
fetchmail: POP3< +OK welcome
fetchmail: POP3> PASS *
...
Using a port sniffer confirms that the password is being sent
unencrypted. Removing "auth cram-md5" from the entry in .fetchmailrc
results in the following output from "fetchmail -v":
fetchmail: 5.9.6 querying dungeonfyre.com (protocol POP3) at Mon Feb 4 16:56:17 2002: poll started
fetchmail: POP3< +OK X1 NT-POP3 Server <1508.1012870342784@dungeonfyre.com> (IMail 6.06 6256-1)
fetchmail: POP3> CAPA
fetchmail: POP3< +OK Capability list follows
fetchmail: POP3< TOP
fetchmail: POP3< USER
fetchmail: POP3< SASL LOGIN PLAIN CRAM-MD5
fetchmail: POP3< RESP-CODES
fetchmail: POP3< LOGIN-DELAY 120
fetchmail: POP3< PIPELINING
fetchmail: POP3< EXPIRE 30 USER
fetchmail: POP3< UIDL
fetchmail: POP3< IMPLEMENTATION Ipswitch_IMail_5.0
fetchmail: POP3< .
fetchmail: POP3> AUTH CRAM-MD5
fetchmail: POP3< + PDE5NjIxLjIzNDgwMDAxNEB3ZWJieT4=
fetchmail: POP3> [encrypted response]
fetchmail: POP3< +OK maildrop locked and ready
...
It seems odd that CRAM-MD5 is only used when I _don't_ force it. When
I use IMAP instead of POP3, the "auth cram-md5" option functions as
expected -- CRAM-MD5 is used both when forced, and by default.
Thanks,
Daniel
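The exchange Daniel quotes (CAPA, then AUTH CRAM-MD5, a base64 challenge from the server and the "[encrypted response]" from the client) is RFC 2195 CRAM-MD5. The following is an added worked example, not fetchmail's code and not part of the original report. It decodes the exact challenge shown in the log, computes the client response with HMAC-MD5, shows the server-side check, and encodes the mechanism-selection policy the report expects: when a mechanism is forced and the server does not offer it, abort rather than fall back to USER/PASS. The username "erat" is from the report; the password and the CAPA lists in the test are constructed.

```python
"""CRAM-MD5 (RFC 2195) as used by the POP3 AUTH exchange in the report above.

Added example, not fetchmail code. The password used for the round trip is
constructed; the RFC 2195 test vector is used to check the digest.
"""
import base64
import hashlib
import hmac

# Server challenge line exactly as it appears in the quoted "fetchmail -v" output.
CHALLENGE_LINE = "+ PDE5NjIxLjIzNDgwMDAxNEB3ZWJieT4="


def decode_challenge(line):
    """Strip the POP3 '+ ' SASL continuation prefix and base64-decode the challenge."""
    if not line.startswith("+ "):
        raise ValueError(f"not a SASL continuation line: {line!r}")
    return base64.b64decode(line[2:]).decode("ascii")


def cram_md5_response(username, password, challenge):
    """Client side: base64("<username> " + hex(HMAC-MD5(key=password, msg=challenge))).

    The password itself never goes on the wire; only a keyed hash of the
    server's one-time challenge does.
    """
    digest = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                      hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode("utf-8")).decode("ascii")


def verify_response(response, challenge, lookup_password):
    """Server side: recompute the digest for the claimed user and compare in constant time.

    lookup_password(username) returns the stored cleartext password or None.
    CRAM-MD5 forces the server to keep a password-equivalent secret; that is
    the mechanism's main cost.
    """
    try:
        username, digest = base64.b64decode(response).decode("utf-8").split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return False  # not base64, or no "user digest" structure
    password = lookup_password(username)
    if password is None:
        return False
    expected = hmac.new(password.encode("utf-8"), challenge.encode("utf-8"),
                        hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def choose_mechanism(capa_lines, forced=None):
    """Pick an auth mechanism from the lines of a CAPA response.

    Without `forced`, prefer CRAM-MD5, then the SASL cleartext mechanisms,
    then plain USER/PASS. With `forced` set, return that mechanism if the
    server advertises it and raise otherwise: a forced mechanism must never
    silently degrade to sending the password in the clear (the behaviour the
    report expects; this policy is the example's assumption, not fetchmail's).
    """
    sasl = set()
    for line in capa_lines:
        fields = line.split()
        if fields and fields[0].upper() == "SASL":
            sasl.update(f.upper() for f in fields[1:])
    if forced:
        if forced.upper() in sasl:
            return forced.upper()
        raise RuntimeError(
            f"{forced} forced but not advertised by server; refusing cleartext fallback")
    for mech in ("CRAM-MD5", "PLAIN", "LOGIN"):
        if mech in sasl:
            return mech
    return "USER"


if __name__ == "__main__":
    challenge = decode_challenge(CHALLENGE_LINE)
    print("decoded challenge:", challenge)
    print("client response:", cram_md5_response("erat", "constructed-password", challenge))
```

Note that fetchmail's log label "[encrypted response]" is loose: nothing is encrypted, the response is a keyed hash. An eavesdropper cannot replay it against a fresh challenge, but can run an offline dictionary attack on the captured challenge/response pair, so CRAM-MD5 protects against the sniffing the report describes without replacing TLS.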