Re: Pop or Imap?
On Fri, Dec 07, 2001 at 08:13:26PM +1300, Michael Jager wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). IIRC APOP uses challange response, requireing both ends to know the password in cleartext. Rather than sending the password as one string, the server asks the client a few questions about the password that it has. AFAIK it is not possible to work out the password at all from monitoring the network traffic. -- Jeremy Lunn Melbourne, Australia Find me on Jabber today! Try my email address as my JID. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
On Fri, Dec 07, 2001 at 08:51:03AM +0100, Markus Garscha wrote: I think using POP3-SSL and IMAP-SSL server would be the best choice. Have a look at courier-imap/pop3 suite. it is easy and good. Only problem might be the extra CPU usage, but if the content of your emails are highly confidential then it's worth it. -- Jeremy Lunn Melbourne, Australia Find me on Jabber today! Try my email address as my JID. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
At 07:21 PM 12/7/2001 +1100, Jeremy Lunn wrote: On Fri, Dec 07, 2001 at 08:13:26PM +1300, Michael Jager wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). IIRC APOP uses challange response, requireing both ends to know the password in cleartext. Rather than sending the password as one string, the server asks the client a few questions about the password that it has. AFAIK it is not possible to work out the password at all from monitoring the network traffic. I just checked my eudora and it seems to support APOP. Outlook express supports something called SPA does anybody know what that is? -- Tim Uckun Mobile Intelligence Unit. -- There are some who call me TIM? -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
On Fri, 7 Dec 2001 08:13, Tim Uckun wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. Both POP and IMAP have extensions to allow minimal security for the password (but still allow plain-text transfer of the messages). Also both POP and IMAP have TLS extensions that allow a client to request SSL mode after connecting, and there are separate ports defined for POP and IMAP servers that only do SSL. The courier-pop-ssl and courier-imap-ssl packages do this well. -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
On Fri, Dec 07, 2001 at 12:07:34PM +0100, Russell Coker wrote: On Fri, 7 Dec 2001 08:13, Tim Uckun wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. Both POP and IMAP have extensions to allow minimal security for the password (but still allow plain-text transfer of the messages). Also both POP and IMAP have TLS extensions that allow a client to request SSL mode after connecting, and there are separate ports defined for POP and IMAP servers that only do SSL. The courier-pop-ssl and courier-imap-ssl packages do this well. alternatively, if you don't want to use courier, the stunnel package can be used to wrap any pop and/or imap daemon for SSL encryption. e.g. stunnel -d 993 -l /usr/sbin/imapd imapd stunnel -d 995 -l /usr/sbin/ipop3d ipop3d several POP/IMAP clients have ssl support. including, i believe, outlook, eudora, and netscape. btw, stunnel has tcpwrappers support built-in, so you don't need to use tcpd with it. craig -- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
claiming to be Tim Uckun, [EMAIL PROTECTED] said: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). Michael
Re: Pop or Imap?
Hi! I think using POP3-SSL and IMAP-SSL server would be the best choice. Have a look at courier-imap/pop3 suite. it is easy and good. so far markus * Tim Uckun [EMAIL PROTECTED] [2001-12-07 08:30]: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. THX. -- Tim Uckun Mobile Intelligence Unit. -- There are some who call me TIM? -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- --- Markus Garschaemail: [EMAIL PROTECTED] Hartmannstr. 129fon: 09131/626715 91058 Erlangen fax: +49 89 244356966 pgp-keyid: 0xEE18AF3B --- pgpgbVQ3kMNSu.pgp Description: PGP signature
Re: Pop or Imap?
On Fri, Dec 07, 2001 at 08:13:26PM +1300, Michael Jager wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). IIRC APOP uses challange response, requireing both ends to know the password in cleartext. Rather than sending the password as one string, the server asks the client a few questions about the password that it has. AFAIK it is not possible to work out the password at all from monitoring the network traffic. -- Jeremy Lunn Melbourne, Australia Find me on Jabber today! Try my email address as my JID.
Re: Pop or Imap?
On Fri, Dec 07, 2001 at 08:51:03AM +0100, Markus Garscha wrote: I think using POP3-SSL and IMAP-SSL server would be the best choice. Have a look at courier-imap/pop3 suite. it is easy and good. Only problem might be the extra CPU usage, but if the content of your emails are highly confidential then it's worth it. -- Jeremy Lunn Melbourne, Australia Find me on Jabber today! Try my email address as my JID.
Re: Pop or Imap?
At 07:21 PM 12/7/2001 +1100, Jeremy Lunn wrote: On Fri, Dec 07, 2001 at 08:13:26PM +1300, Michael Jager wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). IIRC APOP uses challange response, requireing both ends to know the password in cleartext. Rather than sending the password as one string, the server asks the client a few questions about the password that it has. AFAIK it is not possible to work out the password at all from monitoring the network traffic. I just checked my eudora and it seems to support APOP. Outlook express supports something called SPA does anybody know what that is? -- Tim Uckun Mobile Intelligence Unit. -- There are some who call me TIM? --
Re: Pop or Imap?
On Fri, 7 Dec 2001 08:13, Tim Uckun wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. Both POP and IMAP have extensions to allow minimal security for the password (but still allow plain-text transfer of the messages). Also both POP and IMAP have TLS extensions that allow a client to request SSL mode after connecting, and there are separate ports defined for POP and IMAP servers that only do SSL. The courier-pop-ssl and courier-imap-ssl packages do this well. -- http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/projects.html Projects I am working on http://www.coker.com.au/~russell/ My home page
Re: Pop or Imap?
On Fri, Dec 07, 2001 at 12:07:34PM +0100, Russell Coker wrote: On Fri, 7 Dec 2001 08:13, Tim Uckun wrote: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. Both POP and IMAP have extensions to allow minimal security for the password (but still allow plain-text transfer of the messages). Also both POP and IMAP have TLS extensions that allow a client to request SSL mode after connecting, and there are separate ports defined for POP and IMAP servers that only do SSL. The courier-pop-ssl and courier-imap-ssl packages do this well. alternatively, if you don't want to use courier, the stunnel package can be used to wrap any pop and/or imap daemon for SSL encryption. e.g. stunnel -d 993 -l /usr/sbin/imapd imapd stunnel -d 995 -l /usr/sbin/ipop3d ipop3d several POP/IMAP clients have ssl support. including, i believe, outlook, eudora, and netscape. btw, stunnel has tcpwrappers support built-in, so you don't need to use tcpd with it. craig -- craig sanders [EMAIL PROTECTED] Fabricati Diem, PVNC. -- motto of the Ankh-Morpork City Watch
Re: Pop or Imap?
claiming to be Tim Uckun, [EMAIL PROTECTED] said: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. APOP. I dunno how you get it or whatever, but I know it exists and passwords are encrypted (IIRC). Michael -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Pop or Imap?
Hi! I think using POP3-SSL and IMAP-SSL server would be the best choice. Have a look at courier-imap/pop3 suite. it is easy and good. so far markus * Tim Uckun [EMAIL PROTECTED] [2001-12-07 08:30]: I am concerned about pop passwords being transmitted plaintext. Does imap encrypt passwords? if not does any protocol exists which does. THX. -- Tim Uckun Mobile Intelligence Unit. -- There are some who call me TIM? -- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED] -- --- Markus Garschaemail: [EMAIL PROTECTED] Hartmannstr. 129fon: 09131/626715 91058 Erlangen fax: +49 89 244356966 pgp-keyid: 0xEE18AF3B --- msg04386/pgp0.pgp Description: PGP signature
