[Top] [All Lists]

Re: Query Regarding SMTP Authentication

2005-09-20 22:10:18

At 01:22 -0400 on 09/20/2005, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote about Re: Query Regarding SMTP Authentication:

On Mon, 19 Sep 2005 20:52:18 EDT, "Robert A. Rosenberg" said:

 If you read 2554 you will note that it provides for the Server to
 offer a list of methods that the Server supports to allow the Client
 to supply the Password. This list usually is "PLAIN" and "LOGIN" (and
 sometimes CRAM-MD5). Depending on how paranoid you are, only CRAM-MD5
 is actually secure. The other two methods not only send out a
 constant (CRAM-MD5 is a one-time encryption) but if someone is
 monitoring the connection the Password can be extracted from the

There's also the option of doing PLAIN or LOGIN after a STARTTLS command
to stop those nasty snoopers (and for that, a self-signed TLS cert is
quite sufficient).  If you're really paranoid, you'll want to deploy the
certificate infrastructure needed to verify the identities at the other
end of the STARTTLS connection, so you can't have a MITM attack.

I acknowledge that when you are using a STARTTLS (Encrypted/SSL) [ie: Usually via Port 465] Connection the SMTP AUTH method is not an issue since the complete session is encrypted/secure. What I was referencing was a standard "in clear" session where only the logon handshake is encrypted (even if only via the PLAIN/LOGIN use of BASE64 Armoring).