On Mon, 15 Jan 2007, Vinny Wadding wrote:

> If you use the AUTH command on a normal connection to the server, your
> user name and password would be sent in plain text. A malicious person
> with a packet sniffer would be able to capture the authentication
> details en route.
>
> I was hoping there would be a way to improve the security of people
> logging into the server. That if they connected with an unencrypted
> session, they would be restricted to more secure login protocols
> (possibly limit it to cram-md5?) or disconnected with an error "534
> Authentication mechanism is too weak" or "538 Encryption required for
> requested authentication mechanism" (as mentioned in RFC2554, I think).
> If they connected via an encrypted session they could be presented with
> the full set of protocols supported?

It makes some sense, although an MUA that sees CRAM-MD5 advertised should use that instead of the clear text ones.

- Davide
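
The policy discussed in this thread, sketched as an added example that is not part of the original messages and is not XMail code: the server offers clear-text mechanisms only on an encrypted session and answers 538 otherwise, and the client prefers CRAM-MD5 when it is advertised. The function names and the mechanism lists are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Assumed policy (not XMail configuration): mechanisms that expose the
# password to a sniffer are allowed only on an encrypted session.
PLAINTEXT_MECHS = ("PLAIN", "LOGIN")
CHALLENGE_MECHS = ("CRAM-MD5",)


def advertised_mechanisms(tls_active):
    """Mechanisms the server lists after EHLO for this session."""
    return CHALLENGE_MECHS + (PLAINTEXT_MECHS if tls_active else ())


def server_auth_reply(mechanism, tls_active):
    """Reply to 'AUTH <mechanism>'. The check is enforced here as well,
    because a client may request a mechanism that was not advertised."""
    mech = mechanism.upper()
    if mech not in CHALLENGE_MECHS + PLAINTEXT_MECHS:
        return "504 Unrecognized authentication type"
    if mech in PLAINTEXT_MECHS and not tls_active:
        return "538 Encryption required for requested authentication mechanism"
    return "334"  # proceed; the challenge or prompt follows this code


def client_pick_mechanism(advertised, tls_active):
    """MUA side: prefer CRAM-MD5 when advertised, and never send a
    clear-text password over an unencrypted session."""
    offered = [m.upper() for m in advertised]
    for mech in CHALLENGE_MECHS:
        if mech in offered:
            return mech
    if tls_active:
        for mech in PLAINTEXT_MECHS:
            if mech in offered:
                return mech
    return None


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 reply: base64('<user> <hex HMAC-MD5(password, challenge)>').
    Only the keyed digest crosses the wire, not the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()
```

CRAM-MD5 keeps the password out of a passive capture, but the rest of an unencrypted session, including the message itself, is still readable on the wire.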