On Sun, 17 Sep 2006 14:03:16 -0700 Victor Rini victor-rini@comcast.net wrote:
Interesting. I think Evolution supports CRAM-MD5 but I'm not sure what Thunderbird supports.
Evolution supports CRAM-MD5, DIGEST-MD5, and NTLM; Thunderbird supports CRAM-MD5 (when using the 'Use secure authentication' option in the account settings); Outlook/OE support NTLM (with a similarly named option.)
Most decent mail readers support some sort of challenge-response authentication, but the downside is that the easiest way to support several schemes is to keep plaintext passwords on the server (which is bad news if the server gets compromised -- although an attacker could just as easily nab your SSL key and do other nasty things at that point.)
The obvious downside to challenge-response over an unencrypted connection is the fact that message data will still be sent in the clear, even if your authentication credentials weren't. If you're worried enough about the traffic being seen to worry about the password, you'd probably like to keep the message contents secure as well (that's the purpose of the password, after all...)
-- Ben Winslow rain@bluecherry.net
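
The plaintext-password tradeoff described in the message above, shown for CRAM-MD5 as an added example that is not part of the original message. It uses the example user, password and challenge from RFC 2195; the function names and the SHA-256 "hashed store" are assumptions made for illustration.

```python
import base64
import hashlib
import hmac

# Example values from RFC 2195 (the CRAM-MD5 specification), section 2.
USER = "tim"
PASSWORD = "tanstaaftanstaaf"
CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

def client_response(user, password, challenge):
    """Client: send base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())

def server_verify(store, challenge, response_b64):
    """Server: recompute the HMAC using whatever `store` holds as the key."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    user, sep, digest = decoded.rpartition(" ")
    key = store.get(user)
    if not sep or key is None:
        return False
    expected = hmac.new(key.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def demo():
    response = client_response(USER, PASSWORD, CHALLENGE)
    plaintext_store = {USER: PASSWORD}
    # Hypothetical server that keeps only a one-way hash of the password.
    hashed_store = {USER: hashlib.sha256(PASSWORD.encode()).hexdigest()}
    return {
        "response": response.decode(),
        "password_on_wire": PASSWORD.encode() in base64.b64decode(response),
        "plaintext_store_ok": server_verify(plaintext_store, CHALLENGE, response),
        "hashed_store_ok": server_verify(hashed_store, CHALLENGE, response),
        "old_response_new_challenge": server_verify(
            plaintext_store, b"<1897.1@example.test>", response),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The password never appears on the wire and a captured response does not verify against a fresh challenge, but the server can only check the response if it holds the password itself; a one-way hash of it is not enough.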