Re: request discussion of two documents on SMTP relaying

2005-06-16 05:59:07

It was my impression (possibly in error) that SMTP AUTH CRAM-MD5 and POP's APOP Handshakes encrypt a string that includes a timestamp (and thus changes each time) so the encrypted reply is unique and one-time (and thus immune to replay attacks) so they are safe from monitoring and man-in-the-middle.

Timestamps would not prevent MitM attacks, because the attacker can intercept communications quickly enough that the timestamps are still valid. I believe timestamps can deter replay attacks if they're implemented correctly.

As to APOP not being relevant to message submission, it CAN BE if the POP session that was initiated via APOP then has XTND XMIT commands submitted (to have the POP Server act as an MSA for relaying to an MTA).

Good point.
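To make the replay point concrete, here is an added example (not part of the thread, and not code from any of the participants) of the CRAM-MD5 challenge-response exchange as RFC 2195 defines it: the server issues a one-time challenge of the form `<nonce.timestamp@host>`, the client answers with `username` plus the hex HMAC-MD5 of the challenge keyed by the password, and the server recomputes and compares. The hostname, the user table and the password are constructed sample values. The `replay_rejected` function captures one valid response and presents it against a fresh challenge, which the server refuses because the digest is bound to the challenge it was computed over.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed demo credential store (not from the thread). CRAM-MD5 needs the
# server to hold the password (or an equivalent secret), since it is the HMAC key.
USERS = {"alice": b"correct horse battery staple"}


def make_challenge(hostname="mail.example.invalid"):
    """Server side: RFC 2195 challenge '<pid.timestamp@host>'.

    The timestamp alone would not be one-time; the random nonce is what makes
    each challenge fresh, so a recorded response cannot satisfy a later one.
    """
    nonce = int.from_bytes(os.urandom(4), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def cram_md5_digest(password, challenge):
    """Hex HMAC-MD5 of the challenge keyed by the password, as CRAM-MD5 specifies."""
    return hmac.new(password, challenge, hashlib.md5).hexdigest()


def client_response(username, password, challenge):
    """Client side: 'username hexdigest'. The password itself never goes on the wire."""
    return f"{username} {cram_md5_digest(password, challenge)}".encode()


def server_verify(challenge, response):
    """Server side: recompute the digest for the challenge *it* issued and compare
    in constant time. Returns True only for the right user/password/challenge triple."""
    try:
        user, digest = response.decode("ascii").split(" ", 1)
    except (UnicodeDecodeError, ValueError):
        return False
    password = USERS.get(user)
    if password is None:
        return False
    return hmac.compare_digest(cram_md5_digest(password, challenge), digest)


def smtp_auth_transcript(username, password):
    """Wire view of 'AUTH CRAM-MD5': both sides base64-encode their payloads.

    Returns (transcript_lines, authenticated) so the exchange can be inspected.
    """
    challenge = make_challenge()
    lines = ["C: AUTH CRAM-MD5",
             "S: 334 " + base64.b64encode(challenge).decode("ascii")]
    response = client_response(username, password, challenge)
    lines.append("C: " + base64.b64encode(response).decode("ascii"))
    ok = server_verify(challenge, base64.b64decode(lines[-1][3:]))
    lines.append("S: 235 Authentication successful" if ok
                 else "S: 535 Authentication credentials invalid")
    return lines, ok


def replay_rejected():
    """Record one valid response, then replay it against a new challenge."""
    first_challenge = make_challenge()
    captured = client_response("alice", USERS["alice"], first_challenge)
    ok_first = server_verify(first_challenge, captured)
    second_challenge = make_challenge()
    ok_replay = server_verify(second_challenge, captured)
    return ok_first and not ok_replay


if __name__ == "__main__":
    for line in smtp_auth_transcript("alice", USERS["alice"])[0]:
        print(line)
    print("replay rejected:", replay_rejected())
```

Two caveats follow directly from the code. The digest is bound to the challenge but to nothing else (not the TCP connection, not TLS), which is why, as the reply above says, a fresh challenge stops replays but does not by itself stop an active intermediary. And because the password is the HMAC key, the server must keep it recoverable rather than as a salted one-way hash; that trade-off is the usual reason to prefer plain authentication inside TLS over CRAM-MD5 for new deployments.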