
Re: POP3 daemons in Debian



Joseph Carter <knghtbrd@debian.org> writes:

> This actually quite annoys me.  APOP is essentially secure passwd vs POP3
> which is not.  I hope nobody else is ... for lack of a better way to put it,
> foolish enough to use POP3 over open Internet.  Maybe just to your ISP
> behind their router might be acceptable unless you're paranoid, but if your
> ISP is like mine and your dialup is through uu.net or something, plaintext
> passwds to check mail can be VERY easily exploited.

However, because the APOP authentication is basically
md5('password'+random_string()), the server needs your password as
cleartext.  Unix passwords are encrypted such that the /etc/shadow
file doesn't give you direct access to all the accounts.

If anyone hacks the POP3 server, they have your APOP password
immediately.

-- 
	 Carey Evans  http://home.clear.net.nz/pages/c.evans/

        "So, do you steal weapons from the Army often?"
        "Well, we don't get cable, so we have to make our own fun."
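The trade-off the reply describes, as an added illustration that is not part of the thread: an APOP server must keep the shared secret in the clear to recompute the client's digest, whereas a USER/PASS server only needs a one-way salted hash, so the two mechanisms protect different things (the wire versus the server's credential store). The banner timestamp and secret are the ones from the RFC 1939 APOP example; the PBKDF2 store is an assumed stand-in for a crypt-style /etc/shadow entry, not any particular POP3 daemon's code.

```python
import hashlib
import hmac
import os


def apop_digest(timestamp: str, secret: str) -> str:
    """APOP response per RFC 1939: hex MD5 of the server's timestamp banner
    (angle brackets included) followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def server_verify_apop(stored_secret: str, timestamp: str, client_digest: str) -> bool:
    """Server side of APOP. It can only recompute the digest if it holds the
    secret itself, so a copy of its credential store yields every password."""
    expected = apop_digest(timestamp, stored_secret)
    return hmac.compare_digest(expected, client_digest)


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted, iterated one-way hash standing in for a shadow-file entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def server_verify_pass(stored: tuple, password: str) -> bool:
    """Server side of USER/PASS. The password crosses the wire in the clear,
    but the server stores only the salted hash, never the password."""
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


# Constructed session input, using the banner and secret from the RFC 1939 example.
TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

if __name__ == "__main__":
    # What crosses the wire in each scheme:
    print("APOP sends:      ", apop_digest(TIMESTAMP, SECRET))   # digest, not the secret
    print("USER/PASS sends: ", SECRET)                           # the secret itself
    # What the server has to keep to verify a login:
    print("APOP server keeps:      ", SECRET)                    # cleartext secret
    print("USER/PASS server keeps: ", hash_password(SECRET)[1].hex())  # one-way hash
```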