[Dovecot] Nuby experiences

Ben Winslow rain at bluecherry.net
Mon Sep 18 16:20:08 EEST 2006


On Sun, 17 Sep 2006 14:03:16 -0700
Victor Rini <victor-rini at comcast.net> wrote:

> Interesting. I think Evolution support Cram-md5 but I'm not sure what 
> thunderbird supports.

Evolution supports CRAM-MD5, DIGEST-MD5, and NTLM; Thunderbird
supports CRAM-MD5 (when using the 'Use secure authentication' option
in the account settings); Outlook/OE support NTLM (with a similarly
named option.)

Most decent mail readers support some sort of challenge-response
authentication, but the downside is that the easiest way to support
several schemes is to keep plaintext passwords on the server (which
is bad news if the server gets compromised -- although an attacker
could just as easily nab your SSL key and do other nasty things at
that point.)

The obvious downside to challenge-response over an unencrypted
connection is the fact that message data will still be sent in the
clear, even if your authentication credentials weren't.  If you're
worried enough about the traffic being seen to worry about the
password, you'd probably like to keep the message contents secure
as well (that's the purpose of the password, after all...)

-- 
Ben Winslow <rain at bluecherry.net>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: not available
Url : http://dovecot.org/pipermail/dovecot/attachments/20060918/74e2ee70/attachment.pgp 


More information about the dovecot mailing list