Re: how to prevent clear text IMAP authorization?



On Thu, 9 Aug 2007, mc2718@xxxxxxxxx wrote:
> Authentication to IMAP. I believe it first tries SSL because I have
> inbox-path={host/user=.../ssl/novalidate-cert}inbox
> in .pinerc.

It does NOT "first try SSL". When you specify /ssl, it ONLY uses SSL and NEVER uses any other means of session encryption.

SSL is NOT authentication. It is SSL encryption.

By the way, your use of /novalidate-cert makes you vulnerable to a fake server spoofing your real server. You would be better off making sure that your server's certificate is installed on your system, so you can verify that it is really your server.

> The prompt I see is "HOST: .... USER: .... ENTER
> PASSWORD:". If I mistype the password, it then does plain text (pine
> issues "Retrying authenticatin plaintext...." and a new password
> prompt), at which point I usually quit.

The message is almost certainly
Retrying PLAIN authentication after ... failed

It did NOT "revert" to plaintext authentication; you are on #2 of your three tries with plaintext authentication.

In other words, your quitting and restarting does nothing other than waste your (and the server's) time. You are MISTAKEN about what is going on.

> Are the three attempts
> hardcoded, or controlled by some option?

The three attempts are hardcoded.

> OR, I am not getting SSL at
> all, even though I request it (frightening).

I guarantee you that if you specify /ssl, you have SSL.

> How can I trouble-shoot
> this further? I am running version 4.63.

There is nothing to troubleshoot. Everything is working.

You seem to have confused session encryption with authentication. Yes, the authentication is plaintext, but it is under SSL session encryption.

> On a side note, just to clarify - does plain text mean unencrypted
> password AND unencrypted email download??

In an SSL session, the ENTIRE session is encrypted, including the authentication.

Authentication has the possibility of an ADDITIONAL layer of encryption, on top of the SSL encryption, so that you do not ever disclose your password to the server but instead prove that you know the password without disclosing it. These are mechanisms with names such as CRAM-MD5 or Kerberos.

Most systems do NOT have this ADDITIONAL layer, and instead use PLAIN authentication where you disclose your password to the server. That is the type of system that you have.

Even though the authentication is plaintext, the session itself is encrypted, and the authentication happens within the session.

If you tell me the host name of your IMAP server, I will see if it offers any additional layers in authentication for you. However, since Pine isn't trying to use them, your IMAP server probably does not have them. Pine always prefers to use an additional layer if the server offers it and Pine knows how to do it.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
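As an added example (not from this thread, and not Pine or c-client code), a small Python script that does what Mark offers to do by hand: connect to an IMAP server over TLS with certificate validation (the opposite of /novalidate-cert), read the CAPABILITY response, and report whether the server advertises any "additional layer" mechanism such as CRAM-MD5 or Kerberos (GSSAPI) beyond PLAIN/LOGIN. The CAPABILITY line in the demo is constructed; the host name is whatever the reader passes on the command line.

```python
"""Report which IMAP authentication mechanisms a server offers inside TLS."""
import imaplib
import ssl
import sys

# SASL mechanisms that prove knowledge of the password without sending it
# to the server (the "additional layer" described above).  PLAIN and LOGIN
# disclose the password to the server, even though TLS hides it on the wire.
NON_DISCLOSING = {"CRAM-MD5", "DIGEST-MD5", "SCRAM-SHA-1", "SCRAM-SHA-256",
                  "GSSAPI", "KERBEROS_V4"}


def classify_capabilities(capability_line: str) -> dict:
    """Parse one IMAP CAPABILITY response line into a client-relevant summary."""
    caps = capability_line.upper().split()
    mechs = [c[len("AUTH="):] for c in caps if c.startswith("AUTH=")]
    non_disclosing = sorted(m for m in mechs if m in NON_DISCLOSING)
    return {
        "mechanisms": mechs,                      # everything advertised as AUTH=
        "non_disclosing": non_disclosing,         # mechanisms a client should prefer
        "only_disclosing": not non_disclosing,    # True: password goes to the server
        "logindisabled": "LOGINDISABLED" in caps,  # server refuses LOGIN before TLS
        "starttls": "STARTTLS" in caps,
    }


def probe_server(host: str, port: int = 993) -> dict:
    """Connect with a verifying TLS context (chain and hostname are checked,
    so a spoofed server is rejected) and classify what the server advertises."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        _typ, data = conn.capability()
        return classify_capabilities(data[0].decode())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = probe_server(sys.argv[1])
    else:
        # Constructed sample of a typical server that offers PLAIN only.
        result = classify_capabilities(
            "IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN")
    for key, value in result.items():
        print(f"{key}: {value}")
```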