Matt Bernstein <mb@???> probably said:
> ..but it's too late by then! You say (in the clear)
> AUTH PLAIN MiMeHaSh..
> ..and the server replies
> 503 STARTTLS required before AUTH
>
> Oops. Not a lot you can do about that, except only use MUAs (and MTAs..)
> you trust!
Part of my point was to not use login passwords for this exact reason,
but anyway, where does it advertise AUTH in this:
ehlo ....
250-....
250-SIZE 15728640
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP
No clients should be using AUTH when it isn't advertised.
On my laptop I'm using exim to do the SMTP AUTH client end, set up to
always do TLS to my mail server so no passwords go in the clear.
A quick test with netscrape gives:
moek.pir.net -> pir.client SMTP R port=55768 220-moek.pir.net ESM
pir.client -> moek.pir.net SMTP C port=55768 EHLO pir.client\r
moek.pir.net -> pir.client SMTP R port=55768
moek.pir.net -> pir.client SMTP R port=55768 250-moek.pir.net Hel
pir.client -> moek.pir.net SMTP C port=55768 STARTTLS\r\n
moek.pir.net -> pir.client SMTP R port=55768 220 OpenSSL/0.9.6bet
I see no unencrypted passwords.
P.
--
pir pir-sig@??? pir-sig@???
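The rule argued above (a client sends AUTH only when the EHLO reply advertises it, and a plaintext mechanism only after STARTTLS) as an added example, not code from the post or from exim; the EHLO replies and the hostnames in them are constructed for the example, the first one mirroring the reply quoted in the message.

```python
# Added example (not from the original message). Parses an SMTP EHLO reply
# and applies the rule in the post: never send AUTH unless the server
# advertised it, and never send a plaintext mechanism before STARTTLS.

# EHLO replies constructed for this example (the first mirrors the one quoted).
EHLO_BEFORE_TLS = """250-moek.pir.net Hello
250-SIZE 15728640
250-EXPN
250-PIPELINING
250-STARTTLS
250 HELP
"""
# Hypothetical reply after STARTTLS and a second EHLO on the same server.
EHLO_AFTER_TLS = """250-moek.pir.net Hello
250-SIZE 15728640
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
"""

def parse_ehlo(response: str) -> dict:
    """Return {EXTENSION: [params]} from every 250 line after the greeting."""
    lines = [ln for ln in response.splitlines() if ln.strip()]
    exts = {}
    for line in lines[1:]:                      # lines[0] is the hostname greeting
        if not (line.startswith("250") and len(line) > 4 and line[3] in "- "):
            raise ValueError(f"malformed EHLO line: {line!r}")
        parts = line[4:].split()
        if not parts:
            continue
        keyword, _, first = parts[0].partition("=")   # accept legacy "AUTH=PLAIN"
        params = ([first] if first else []) + parts[1:]
        exts[keyword.upper()] = [p.upper() for p in params]
    return exts

def may_send_auth(exts: dict, tls_active: bool, mechanism: str = "PLAIN"):
    """Return (allowed, reason) for attempting AUTH <mechanism> right now."""
    mech = mechanism.upper()
    if "AUTH" not in exts:
        if "STARTTLS" in exts and not tls_active:
            return False, "AUTH not advertised; issue STARTTLS and re-EHLO first"
        return False, "AUTH not advertised; do not send credentials"
    if mech not in exts["AUTH"]:
        return False, f"mechanism {mech} not offered"
    if mech in ("PLAIN", "LOGIN") and not tls_active:
        return False, "plaintext mechanism refused on an unencrypted session"
    return True, "ok"
```

A client that applies `may_send_auth` to the pre-TLS reply never emits the `AUTH PLAIN` line that the quoted 503 exchange complains about.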