Hi,
I have one question regarding authentication method qpopper provides. I would like to allow both APOP and POP over SSL to be used for a particular user but this doesn't look possible with qpopper 4.0.5. I know that it is quite possible to allow APOP for one user and POP over SSL for another, but it seems like I can't do this for the "same" user. If APOP is enabled for him/her (i.e. an entry exists in pop.auth), qpopper always mandates authenticating him/her via APOP even if clear-text-password parameter is set to 'tls'. The only way I found to achieve my goal was to set clear-text-password parameter to 'always' for pop3s (995/tcp) (I am using alternate-port mode). However, this in turn introduces security breach. I think most users won't connect to the server using 995/tcp without SSL, but there's no such guarantee. If I'm missing something, please advise. Thanks.
When popper is set to alternate port mode, it will not accept commands in clear text. Anything you send to port 995 will be expected to be encased in TLS. No security hole.
