On Fri, Jun 11, 2004 at 07:11:01AM -0400, Tom Allison wrote:
> I can use telnet 143 to authenticate using plaintext ". login username secret" but sniffit shows my password as garbled up stuff when I send a password through mozilla. Is this a feature of sniffit, mozilla, or what?
I don't know sniffit. What exactly does it show? If it shows

    xxx login username yyy

then yyy *is* the cleartext password. If it shows

    xxx authenticate foo yyyyyyy

then yyyyyyy is base64-encoded authentication data (but trivially decoded in the case where foo is 'PLAIN' or 'LOGIN').
I'd just try "tcpdump -i eth0 -n -s1500 -X tcp port 143" and look at the raw packets.
> I'm trying to set up SSL, but I'm not sure it will behave well. Last time I tried this, I had a consistent feature of my SSL connection warning me that my certificate was crap because it wasn't signed properly (I didn't pay Thawte/Verisign to let me read my email).
Well, that's correct, because the whole SSL security model depends on the presence of a trusted third-party to vouch for encryption keys. There's a presentation with a brief overview here: http://www.ws.afnog.org/afnog2004/t1/security/crypto-slides.pdf
But you can always set up your own Certificate Authority and manually install your CA root certificate into your client. That will silence the messages and maintain security.
> I'll work on SSL over the weekend, but I know I can connect now with plaintext. It's only allowing connections from my subnet A to subnet B and localhost so it's not as bad as 99.9% of the pop servers out there (or am I wrong on that too?).
IMAP and POP are essentially the same as regards authentication. They both have plain logins (LOGIN or USER/PASS), they both have SASL logins (AUTHENTICATE or AUTH), SASL logins could also be plaintext (PLAIN or LOGIN), and they can optionally run over SSL (either on a different port, or using STARTTLS or STLS).
Regards,
Brian.
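The distinction Brian draws above between a bare LOGIN / USER/PASS line and an AUTHENTICATE/AUTH PLAIN or LOGIN exchange (base64-wrapped, but just as readable) can be turned into an audit over captured client traffic. The following is an added example, not code from the thread or from any mail server; it assumes the input is the list of client-side lines already extracted from a capture (for instance from the tcpdump output mentioned above), and the session lines and usernames in the test are constructed.

```python
import base64
# IMAP client lines carry a tag before the command ("a001 LOGIN ..."), POP3 lines do not ("USER alice").
AUTH_CMDS = {"LOGIN", "AUTHENTICATE", "AUTH", "USER", "STARTTLS", "STLS"}
def _b64(token):
    try:                             # decode one base64 SASL token, '' if invalid
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""
def audit_session(lines, implicit_tls=False):
    """Classify authentication in the captured *client* side of one IMAP/POP3
    session as (mechanism, exposure, username): exposure is 'cleartext' (bare or
    base64-wrapped password), 'encrypted' (after STARTTLS/STLS or on an
    implicit-TLS port) or 'opaque' (challenge-response such as CRAM-MD5)."""
    tls, pending, findings = implicit_tls, None, []
    exposure = lambda: "encrypted" if tls else "cleartext"
    def feed(token):                 # consume one base64 token of PLAIN or LOGIN
        nonlocal pending
        mech, data = pending
        data.append(_b64(token))
        if mech == "PLAIN" or len(data) == 2:
            # PLAIN: one "[authzid]\0authcid\0password" token; LOGIN: user, then pass
            parts = data[0].split("\0")
            user = parts[-2] if mech == "PLAIN" and len(parts) > 1 else data[0]
            findings.append((mech, exposure(), user))
            pending = None

    for raw in lines:
        toks = raw.strip().split()
        if pending and toks:         # continuation line after AUTHENTICATE/AUTH
            feed(toks[0])
            continue
        i = 0 if toks and toks[0].upper() in AUTH_CMDS else 1
        if len(toks) <= i or toks[i].upper() not in AUTH_CMDS:
            continue
        cmd, args = toks[i].upper(), toks[i + 1:]
        if cmd in ("STARTTLS", "STLS"):
            tls = True               # everything after this travels inside TLS
        elif cmd == "LOGIN" and args:          # IMAP: LOGIN user pass
            findings.append(("LOGIN", exposure(), args[0].strip('"')))
        elif cmd == "USER" and args:           # POP3: USER user, then PASS pass
            findings.append(("USER/PASS", exposure(), args[0]))
        elif cmd in ("AUTHENTICATE", "AUTH") and args:
            mech = args[0].upper()
            if mech not in ("PLAIN", "LOGIN"):
                findings.append((mech, "opaque", ""))
            else:
                pending = (mech, [])
                if len(args) > 1:    # SASL initial response on the same line
                    feed(args[1])
    return findings
```

Run over the client half of each reconstructed TCP stream, this tells you which accounts authenticated in the clear on 143/110 and which only did so after STARTTLS/STLS, without the report ever containing the password itself.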