ietf-smtp

Re: Query Regarding SMTP Authentication

2005-09-20 22:10:18

At 01:22 -0400 on 09/20/2005, Valdis.Kletnieks@vt.edu wrote about Re: Query Regarding SMTP Authentication:

> On Mon, 19 Sep 2005 20:52:18 EDT, "Robert A. Rosenberg" said:
>
> > If you read 2554 you will note that it provides for the Server to
> > offer a list of methods that the Server supports to allow the Client
> > to supply the Password. This list usually is "PLAIN" and "LOGIN" (and
> > sometimes CRAM-MD5). Depending on how paranoid you are, only CRAM-MD5
> > is actually secure. The other two methods not only send out a
> > constant (CRAM-MD5 is a one-time encryption) but if someone is
> > monitoring the connection the Password can be extracted from the
> > constant.
>
> There's also the option of doing PLAIN or LOGIN after a STARTTLS command
> to stop those nasty snoopers (and for that, a self-signed TLS cert is
> quite sufficient).  If you're really paranoid, you'll want to deploy the
> certificate infrastructure needed to verify the identities at the other
> end of the STARTTLS connection, so you can't have a MITM attack.

I acknowledge that when you are using a STARTTLS (Encrypted/SSL) [ie: Usually via Port 465] Connection the SMTP AUTH method is not an issue since the complete session is encrypted/secure. What I was referencing was a standard "in clear" session where only the logon handshake is encrypted (even if only via the PLAIN/LOGIN use of BASE64 Armoring).
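Added example (not part of the thread) showing the difference the two posters are arguing over: the AUTH PLAIN initial response of RFC 4616 is only base64 armoring, so the password is recoverable from a captured cleartext session, whereas the CRAM-MD5 response of RFC 2195 carries an HMAC over a per-session challenge and the server verifies it by recomputation. Credentials and the challenge below are constructed; the "tim"/"tanstaaftanstaaf" pair is the RFC 2195 worked example.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials (not from the thread).
USER = "alice"
PASSWORD = "s3cret"


def auth_plain_line(user: str, password: str, authzid: str = "") -> str:
    """Client's AUTH PLAIN initial response (RFC 4616):
    base64(authzid NUL authcid NUL passwd). No secret protects it."""
    raw = f"{authzid}\0{user}\0{password}".encode()
    return base64.b64encode(raw).decode()


def recover_plain(b64: str) -> tuple[str, str]:
    """What an observer of a non-TLS session gets from the PLAIN response:
    base64 is armoring, not encryption, so the password decodes straight out."""
    _, user, password = base64.b64decode(b64).decode().split("\0")
    return user, password


def cram_md5_response(user: str, password: str, challenge: str) -> str:
    """Client's CRAM-MD5 response (RFC 2195):
    base64('user' + ' ' + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def server_verify_cram(response_b64: str, challenge: str, stored_password: str) -> bool:
    """Server side: recompute the HMAC over the challenge it issued and compare
    in constant time. A response replayed against a fresh challenge fails."""
    user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    expected = hmac.new(stored_password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


def password_visible_on_wire(response_b64: str, password: str) -> bool:
    """True if the decoded wire response contains the password verbatim."""
    return password in base64.b64decode(response_b64).decode(errors="replace")
```

The server still needs the cleartext password (or an equivalent) on file to verify CRAM-MD5, and nothing here protects the message body, which is the reason the reply recommends STARTTLS regardless of mechanism.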