[Top] [All Lists]

Re: request discussion of two documents on SMTP relaying

2005-06-16 02:55:43

At 23:57 -0400 on 06/15/2005, Keith Moore wrote about Re: request discussion of two documents on SMTP relaying:

 regarding cram-md5: anything that does challenge-response without
 changing the key each time is easy to break independent of what hash
 algorithm is used, especially in the case of a wireless network where
 it's very easy to impersonate a server and mount a man-in-the-middle
 attack.  one time passwords (s/key) work okay, but not
 challenge-response.  this implicates cram-md5, and also APOP (not that
 this is relevant to message submission), and some other things too.

It was my impression (possibly in error) that SMTP AUTH CRAM-MD5 and POP's APOP Handshakes encrypt a string that includes a timestamp (and thus changes each time) so the encrypted reply is unique and one-time (and thus immune to replay attacks) so they are safe from monitoring and man-in-the-middle.

As to APOP not being relevant to message submission, it CAN BE if the POP session that was initiated via APOP then has XTND XMIT commands submitted (to have the POP Server act as a MSA for relating to a MTA).