UW-IMAPS - is my password safe?

I currently have UW IMAPS installed on my RedHat9 based system and would like to know whether my username and password are being sent in clear text before encryption is started.  I've searched with Google, checked out the UW FAQs and can't seem to find a definitive answer.
I can't say I know the exact process or options available during an IMAPS session and need help.  My email client (Mozilla Thunderbird) gives a secure connection option (the TLS) which works fine and also a secure authentication, which doesn't - a message is displayed informing me the server does not support secure authentication.  I don't really mind, as long as my password is encrypted.

Is it?!

Thanks to anyone who can help.

Stuart
csalinger Asked:
 
jlevie Commented:
If you've configured your mail client to use TLS and that is working, your username & password are being transmitted within the encrypted session and are thus safe.

Secure passwords (CRAM-MD5, DIGEST-MD5) don't work with the UWash IMAP implementation when using the Linux passwd/shadow file for user info. To be able to offer secure passwords the IMAP server's auth mechanism needs additional password info that can't be had from the encrypted password in the shadow file.
 
csalinger (Author) Commented:
I see.  The mail client has only the one option for secure connection - SSL (listed in brackets), which I assume is being used as TLS (I don't know much about them, but I know TLS is based on SSL), as the SMTP options allow selection between TLS and SSL, so the client supports it for SMTP.  I hope I explained that properly and didn't confuse you.

I suppose there is no reason for me to want to use cram-md5 or digest-md5 for passwords if they are already encrypted?

If I did, would I have to rebuild UW-IMAP or can I edit a config file somewhere (the information on UW website is a little sparse on specifics as it is a 'plug and play' server)?

Thanks very much for your response - it has answered my initial question

:)

Stuart
 
csalinger (Author) Commented:
I've managed to get the cram-md5 working now - I had my file named incorrectly, such an amateur mistake! cram-md5 instead of cram-md5.pwd

Works fine with secure auth and connection now - thanks!

I'd still like to know whether or not there is any benefit to this, other than being able to have a different login password to email

Stuart
 
jlevie Commented:
Within an encrypted IMAP, POP, or SMTP connection there's little advantage to using CRAM-MD5 or DIGEST-MD5 since the entire transaction is encrypted. The advantage to those methods is when you aren't using an SSL/TLS connection. There the username and password are exposed when using PLAIN or LOGIN as the method.
 
csalinger (Author) Commented:
Thank you very much for your time and explanation

Stuart
Question has a verified solution.