***SA:06.40*** [Tutor] How secure is the mail module?

Derrick 'dman' Hudson dman@dman.ddts.net
Thu, 22 Aug 2002 22:34:48 -0400



On Sun, Aug 18, 2002 at 07:56:09AM -0700, S A wrote:
| Hi Everyone-
|
| Does anyone know how secure the mail Module is when sending
| usernames and passwords to mail servers?

Same as anything else.

| Is it just sending plain text?

Yep.  Read the RFC(s) that detail the AUTH extension to ESMTP for the
details.  There are 3 methods -- PLAIN, LOGIN, CRAM-MD5.

For PLAIN, take the username and password, separate them with a NUL
character and base64-encode the data.  base64 encoding is easily
reversible.

For LOGIN there is a "chat" sequence whereby the server sends a prompt
and the client sends the data.  It is more-or-less plain text (it
might be base64 encoded, but I don't know for sure).

CRAM-MD5 is the most secure because the server sends a one-time
"cookie" which the client combines with the username/password and
sends only the md5 hash of that combination back to the server.  md5
is a one-way operation (unlike base64).  The server does the same
combination and compares its result.  The problem with this method is
the server must have access to the password in cleartext (in
particular no md5-crypted shadow passwords or PAM).

| Is there a way to make sure data is being securely sent to the mail
| server?

You can use the CRAM-MD5 AUTH method, if you set up the server to
handle it (with the downsides it introduces).

Alternatively you can use SSL or "STARTTLS", if you set up the server
to handle it.

-D

-- 
He who walks with the wise grows wise,
but a companion of fools suffers harm.
        Proverbs 13:20
http://dman.ddts.net/~dman/
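
The three points above (AUTH PLAIN is reversible base64, CRAM-MD5 answers a one-time challenge with a digest, and the server therefore needs the cleartext password to check it) as an added, runnable illustration; this is not code from the post or from Python's smtplib. It follows RFC 4616 for PLAIN (a leading NUL for the empty authorization id) and RFC 2195 for CRAM-MD5, which specifies a keyed HMAC-MD5 over the challenge rather than a bare md5 of the concatenation. The credentials and challenge are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample challenge, as a server would send it after "AUTH CRAM-MD5".
SAMPLE_CHALLENGE_B64 = base64.b64encode(b"<12345.1029983687@mail.example.net>").decode("ascii")


def auth_plain_response(username: str, password: str) -> str:
    """Client's AUTH PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = b"\0" + username.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(response_b64: str) -> tuple:
    """What anyone reading the TCP stream can do with AUTH PLAIN:
    base64 is an encoding, not encryption, so the credentials fall straight out."""
    _authzid, username, password = base64.b64decode(response_b64).split(b"\0")
    return username.decode(), password.decode()


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of CRAM-MD5: HMAC-MD5 keyed with the password over the
    server's one-time challenge; only the hex digest crosses the wire."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode("ascii")


def verify_cram_md5(response_b64: str, challenge_b64: str, stored_passwords: dict) -> bool:
    """Server side: recompute the digest from the stored *cleartext* password.
    A hashed (shadow/crypt) password store cannot do this, which is the
    deployment downside of CRAM-MD5 mentioned above."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = stored_passwords.get(username)
    if password is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison so timing does not leak how much of the digest matched.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    plain = auth_plain_response("tim", "tanstaaftanstaaf")
    print("AUTH PLAIN on the wire:", plain, "-> decodes to", decode_auth_plain(plain))
    cram = cram_md5_response("tim", "tanstaaftanstaaf", SAMPLE_CHALLENGE_B64)
    print("CRAM-MD5 on the wire:", cram)
    print("server accepts:", verify_cram_md5(cram, SAMPLE_CHALLENGE_B64, {"tim": "tanstaaftanstaaf"}))
```

Capturing a CRAM-MD5 response still yields an offline-guessable digest, which is why the STARTTLS/SSL option at the end of the post is the stronger answer to the original question.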
