csalinger
UW-IMAPS - is my password safe?
I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started. I've searched with google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help. My email client (Mozilla Thunderbird) gives a secure connection option (the TLS) which works fine and also a secure authentication, which doesn't - a message is displayed informing me the server does not support secure authentication. I don't really mind, as long as my password is encrypted.
Is it?!
Thanks to anyone who can help.
Stuart
ASKER
I've managed to get the cram-md5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd
Works fine with secure auth and connection now - thanks!
I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email
Stuart
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5 since the entire transaction is encrypted. The advantage to those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
ASKER
Thank you very much for your time and explanation
Stuart
ASKER
I suppose there is no reason for me to want to use cram-md5 or digest-md5 for passwords if they are already encrypted?
If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on UW website is a little sparse on specifics as it is a 'plug and play' server)?
Thanks very much for your response - it has answered my initial question
:)
Stuart