On Thu, 14 Jun 2001 14:22:05 -0000, worthy wrote:
>Hello,
>
>We are running exim 3.16 on a RH server.
>My question is : "How can SMTP/POP authentication process be secured
>between my server and a remote client which is sending his password
>in plaintext ?"
>
>May the cram-md5 mechanism be the solution to my problem ? If yes,
>any suggestion/idea of how to do that.
>
>Any help would be appreciated. Thanks in advance.
>
>--
>Dat Phan
>
>
>--
>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
POP3 does have an alternative to plaintext passwords, called APOP, that does something similar to a hash salted with the date (I could be a little off here, I haven't read up on APOP in a while). Unfortunately, several popular mail clients do not support it. Even then, I don't believe that the actual mail transfer can be encrypted with the standard POP protocol.
The case is similar for SMTP. You can use a couple of different encryption methods for the password, but I don't believe that the SMTP protocol itself has any methods for encrypting the actual mail to be delivered.
If you are looking for secure mail receipt and delivery, I would recommend you extend your configuration with a secure tunnel. SSH2 would be an example. You would set up a SSH2 server on the mail machine and the SSH2 client on your end machine. Then, you would set up outgoing tunnels on the client machine that point from the POP3 (110) and SMTP (25) ports on the local machine (127.0.0.1) to the mail server. Finally, you would configure your mail client to point to the local host as the mail server instead of the actual server. When this is all set up, the client would log in to ssh2, which creates the encrypted tunnels, then use their mail program.
