On Sun, 13 Feb 2005 22:12:52 +0100, Paul J Stevens <[EMAIL PROTECTED]> wrote:
> I'm putting the finishing touches on authldap but need some feedback here. Am
> I correct in assuming that currently POP3 APOP only works if the password is
> stored cleartext in the database?

That's indeed the way APOP works. The server has to have a way to get at the unencrypted password.

> I don't see how we can support APOP with ldap. There's no shared secret,
> unless I store it cleartext in a separate field.... and I *don't* want to
> start such bad habits.

Agreed.

> Is apop worth the effort at all? I don't use pop3 at all myself, but apop
> just doesn't seem like much of a security mechanism. I'd much rather invest
> my time in native start-tls capability.

DBMail should probably just return a '-ERR' response when an APOP command is issued and LDAP authentication is used.

Ilja
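
The APOP check discussed in this thread, as an added example that is not part of the original message and is not DBMail code: the digest is the MD5 of the greeting timestamp followed by the shared secret (RFC 1939), so the server can only verify it with the cleartext password in hand. The function names, reply texts, banner and account data are assumptions constructed for illustration.

```python
import hashlib
import hmac

def apop_digest(banner: str, secret: str) -> str:
    """RFC 1939 APOP digest: hex MD5 of the greeting timestamp + shared secret."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()

def handle_apop(banner, user, client_digest, lookup_cleartext=None):
    """Return a POP3 reply line for 'APOP <user> <digest>'.

    lookup_cleartext is a hypothetical backend hook returning the cleartext
    password for a user (or None if unknown). Pass None for a backend that
    can only verify a password it is handed, such as an LDAP bind.
    """
    if lookup_cleartext is None:
        # No shared secret is retrievable, so the digest cannot be recomputed.
        return "-ERR APOP not available with this authentication backend"
    secret = lookup_cleartext(user)
    if secret is not None:
        expected = apop_digest(banner, secret).encode("ascii")
        supplied = client_digest.lower().encode("utf-8")
        if hmac.compare_digest(expected, supplied):
            return "+OK maildrop ready"
    # Unknown user and wrong digest get the same reply.
    return "-ERR authentication failed"

# Constructed sample data (not from the thread).
BANNER = "<4711.1108329172@mail.example.org>"
SQL_PASSWORDS = {"alice": "correct horse"}  # cleartext column, as APOP needs

def sql_lookup(user):
    return SQL_PASSWORDS.get(user)

def demo():
    """Run the same client digest against a cleartext backend and an LDAP-style one."""
    digest = apop_digest(BANNER, "correct horse")  # what the client would send
    return {
        "sql_ok": handle_apop(BANNER, "alice", digest, sql_lookup),
        "sql_bad": handle_apop(BANNER, "alice", "0" * 32, sql_lookup),
        "ldap": handle_apop(BANNER, "alice", digest, None),
    }

if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply}")
```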
