> * on the Tue, Jul 25, 2006 at 11:36:02AM -0400, jtelep@??? was
> tippering:
>> I am currently using AUTH PLAIN via SASL for SMTP and then TLS. I have
>> nothing currently in place to POP3 but I am just wondering, I mean, if
>> someone was doing any packet sniffing they could see the username and
>> password being passed because of the fact that I am using plain. What
>> is
>> the best and most secure way of preventing this for both SMTP and POP3
>> authentication?
>
> Use STARTTLS and an SSL enabled pop3 server (pop3s). It should fix these
> both
> problems. Instruct (not force) the users to use SSL when authenticating
> using
> SMTP-AUTH.
>
> Warm Regards.
>
> --
> Bruno Delbono
> Open-Systems Group Inc.
> http://www.open-systems.org/
> http://www.mail.ac/
> http://hub.mail.ac/
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
SO the mail clients then should choose an option similar to "Use TLS, if
available" instead of just straight "TLS" for SMTP server settings and
this will also encrypt the actual authentication as well as the traffic
once the connection has been established?
Thanks,
Jon
