fetchmail-friends

Re: [fetchmail] Why is APOP a protocol and not an authentication mechanism?

2003-08-01 06:24:50
On Fri, Aug 01, 2003 at 01:19:09AM -0400, Kee Hinckley wrote:
> At 8:25 PM -0700 7/31/03, bcl wrote:
> > If I understand you correctly you are proposing having APOP fall back to
> > POP3 when it isn't available from the server? The problem I have with that
> > is that fetchmail will then be revealing passwords in the clear without the
> > express configuration of the admin. When I set it up for APOP I don't expect
> > my passwords to be going across the link, no matter what.
>
> No, what I'm suggesting is that APOP really should be an
> authorization mechanism, not a protocol (since that's what it is).
> If you do a protocol of POP3 and auth of ANY, then APOP ought to get
> tried somewhere in there (probably after cram-md5 and before
> password).  If you specify APOP explicitly, then you'll either get
> it, or get a failure.  That doesn't change.

Ah! Ok, I see what you are saying now. That makes more sense to me. Have a
continuum of security levels and move up (more secure) if available, but
never move down.

Personally I find that POP3-SSL and IMAPD-SSL are the best solutions and I
would like to see more ISPs support them.

Sorry for being confused :>

Brian

-- 
--[Inside 73.8F]--[Outside 53.9F]--[Gonzo 74.9F]--[Coaster 51.1F]--
Linux Software Developer                     http://www.brianlane.com

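
The selection rule discussed in this message, as an added example (not code from fetchmail or from either poster): with auth "any" the client takes the strongest mechanism the server offers, with APOP placed after cram-md5 and before password, while an explicit "apop" fails instead of sending the password in the clear. The function names, the preference table and the assumption that USER/PASS is always accepted are this example's own; the greeting and secret are the sample values from RFC 1939.

```python
import hashlib
import re

# Strongest first. APOP's slot follows the thread: after cram-md5, before password.
# Mechanism names and this table are assumptions of the example, not fetchmail's.
PREFERENCE = ["cram-md5", "apop", "password"]


class AuthUnavailable(Exception):
    """The configured mechanism is not offered; nothing weaker is tried."""


def apop_timestamp(greeting):
    # RFC 1939: a server that supports APOP puts <process-ID.clock@hostname>
    # in its greeting; no timestamp means no APOP.
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None


def apop_digest(timestamp, secret):
    # RFC 1939: digest = MD5(timestamp including the angle brackets + secret)
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def offered_mechanisms(greeting, sasl_caps):
    # Assumption: USER/PASS is always accepted by the server.
    offered = {"password"}
    if apop_timestamp(greeting):
        offered.add("apop")
    if "CRAM-MD5" in {c.upper() for c in sasl_caps}:
        offered.add("cram-md5")
    return offered


def choose_auth(configured, greeting, sasl_caps=()):
    offered = offered_mechanisms(greeting, sasl_caps)
    if configured == "any":
        # Walk from strongest to weakest and take the first one on offer.
        return next(m for m in PREFERENCE if m in offered)
    if configured in offered:
        return configured
    # Explicit choice: fail rather than send the password in the clear.
    raise AuthUnavailable(f"server does not offer {configured}")


if __name__ == "__main__":
    GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"  # RFC 1939 sample
    print(choose_auth("any", GREETING), apop_digest(apop_timestamp(GREETING), "tanstaaf"))
```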