ietf-smtp

Re: Query Regarding SMTP Authentication

2005-09-19 22:37:03
On Mon, 19 Sep 2005 20:52:18 EDT, "Robert A. Rosenberg" said:

> If you read 2554 you will note that it provides for the Server to
> offer a list of methods that the Server supports to allow the Client
> to supply the Password. This list usually is "PLAIN" and "LOGIN" (and
> sometimes CRAM-MD5). Depending on how paranoid you are, only CRAM-MD5
> is actually secure. The other two methods not only send out a
> constant (CRAM-MD5 is a one-time encryption) but if someone is
> monitoring the connection the Password can be extracted from the
> constant.

There's also the option of doing PLAIN or LOGIN after a STARTTLS command
to stop those nasty snoopers (and for that, a self-signed TLS cert is
quite sufficient).  If you're really paranoid, you'll want to deploy the
certificate infrastructure needed to verify the identities at the other
end of the STARTTLS connection, so you can't have a MITM attack.

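The three mechanisms discussed in this exchange, shown as a passive observer on the wire would see them. This is an added example for the thread, not code from either poster: PLAIN follows RFC 4616, LOGIN the usual prompt/answer exchange, CRAM-MD5 RFC 2195. The user name, password, hostname and challenges are constructed for the demonstration, and the STARTTLS helper is a hypothetical wrapper around the standard library's ssl module. It also shows the caveat the thread does not spell out: a captured CRAM-MD5 challenge/response pair still allows an offline dictionary attack, and the server has to keep the plaintext password to verify it.

```python
"""SASL PLAIN, LOGIN and CRAM-MD5 as a passive observer sees them.

Added example for this thread, not code from the original message.
Mechanisms follow RFC 4616 (PLAIN), the de-facto LOGIN exchange and
RFC 2195 (CRAM-MD5). All credentials, hostnames and challenges here
are constructed for the demonstration.
"""
import base64
import hashlib
import hmac
import os
import ssl
import time

USER = "alice"        # constructed credential
PASSWORD = "s3cret!"  # constructed credential


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s).decode()


# --- PLAIN (RFC 4616): one base64 blob, "\0authcid\0passwd" -----------------
def plain_initial_response(user: str, password: str) -> str:
    return b64(f"\0{user}\0{password}")


def sniff_plain(initial_response: str) -> tuple:
    """base64 is encoding, not encryption: the password falls straight out."""
    _authzid, authcid, passwd = unb64(initial_response).split("\0")
    return authcid, passwd


# --- LOGIN: server prompts, client answers, each line base64 ----------------
def login_exchange(user: str, password: str) -> list:
    """Return the (direction, line) pairs an observer would capture."""
    return [
        ("S", "334 " + b64("Username:")),
        ("C", b64(user)),
        ("S", "334 " + b64("Password:")),
        ("C", b64(password)),
    ]


def sniff_login(transcript: list) -> tuple:
    return tuple(unb64(line) for who, line in transcript if who == "C")


# --- CRAM-MD5 (RFC 2195): fresh challenge, HMAC-MD5 keyed with the password -
def cram_md5_challenge(hostname: str = "mail.example", now: int = None) -> str:
    """Server-side nonce; pid and timestamp make every challenge distinct."""
    now = int(time.time()) if now is None else now
    return f"<{os.getpid()}.{now}@{hostname}>"


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{user} {digest}"


def cram_md5_verify(stored_password: str, challenge: str, response: str) -> bool:
    """Server-side check; note it needs the plaintext password on file."""
    _user, digest = response.split(" ", 1)
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def cram_md5_offline_guess(challenge: str, response: str, wordlist: list):
    """Caveat: one captured challenge/response pair is enough for an offline
    dictionary attack. CRAM-MD5 hides the password; it does not protect a weak one."""
    user, _ = response.split(" ", 1)
    for guess in wordlist:
        if cram_md5_response(user, guess, challenge) == response:
            return guess
    return None


# --- STARTTLS: encryption alone vs. encryption plus peer verification --------
def starttls_context(cafile: str = None, verify: bool = True) -> ssl.SSLContext:
    """Hypothetical helper. verify=False is the "self-signed cert is enough"
    setting: it stops passive sniffing, but an active MITM presenting its own
    certificate goes unnoticed. verify=True is the PKI case from the thread."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("PLAIN leaks:", sniff_plain(plain_initial_response(USER, PASSWORD)))
    print("LOGIN leaks:", sniff_login(login_exchange(USER, PASSWORD)))
    c1, c2 = cram_md5_challenge(now=1), cram_md5_challenge(now=2)
    r1 = cram_md5_response(USER, PASSWORD, c1)
    print("CRAM-MD5 response:", r1)
    print("valid for its challenge:", cram_md5_verify(PASSWORD, c1, r1),
          "replayed against a new one:", cram_md5_verify(PASSWORD, c2, r1))
    print("dictionary hit:", cram_md5_offline_guess(c1, r1, ["password", PASSWORD]))
```

Run it and the first two lines print the credential pair recovered from nothing but the captured bytes, which is the "extracted from the constant" point; the CRAM-MD5 response verifies once and fails on replay, but the dictionary step shows why the mechanism is only as strong as the password behind it.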