Re: POP3 daemons in Debian
Joseph Carter <knghtbrd@debian.org> writes:
> This actually quite annoys me. APOP is essentially secure passwd vs POP3
> which is not. I hope nobody else is ... for lack of a better way to put it,
> foolish enough to use POP3 over open Internet. Maybe just to your ISP
> behind their router might be acceptable unless you're paranoid, but if your
> ISP is like mine and your dialup is through uu.net or something, plaintext
> passwds to check mail can be VERY easily exploited.
However, because the APOP authentication is basically
md5('password'+random_string()), the server needs your password as
cleartext. Unix passwords are encrypted such that the /etc/shadow
file doesn't give you direct access to all the accounts.
If anyone hacks the POP3 server, they have your APOP password
immediately.
--
Carey Evans http://home.clear.net.nz/pages/c.evans/
"So, do you steal weapons from the Army often?"
"Well, we don't get cable, so we have to make our own fun."
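The point Carey makes above, that an APOP server has to keep the shared secret in cleartext to recompute the digest while a USER/PASS server can check against a one-way hash, as an added example in Python (not code from either poster or from any Debian package). It models the two server-side credential stores side by side; the greeting, user name and secret are constructed sample values, and the digest follows the challenge-then-secret ordering RFC 1939 specifies.

```python
import hashlib
import hmac
import os
import re

# Constructed sample values for the demonstration (not from the original message).
SAMPLE_GREETING = "+OK POP3 server ready <1896.697170952@example.invalid>"
SAMPLE_USER = "alice"
SAMPLE_SECRET = "correct horse"


def extract_timestamp(greeting):
    """Pull the <pid.clock@host> challenge out of the server greeting (RFC 1939 s.7)."""
    m = re.search(r"<[^>]+>", greeting)
    if not m:
        raise ValueError("greeting carries no timestamp, so APOP is not offered")
    return m.group(0)


def apop_digest(timestamp, secret):
    """Client side of APOP: MD5 over the challenge followed by the shared secret, as hex."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


class ApopStore:
    """Server-side APOP credentials. The server must recompute the same MD5 the
    client did, so it has to keep the shared secret itself: cleartext by construction."""

    def __init__(self):
        self._secrets = {}

    def add_user(self, user, secret):
        self._secrets[user] = secret

    def verify(self, user, timestamp, digest):
        secret = self._secrets.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(apop_digest(timestamp, secret), digest)

    def dump(self):
        # What a compromise of the server's credential file would expose.
        return dict(self._secrets)


class PassStore:
    """Server-side store for plain USER/PASS: only a salted one-way hash is kept,
    analogous to /etc/shadow. The cleartext is checked on arrival, never stored."""

    ITERATIONS = 100_000

    def __init__(self):
        self._records = {}

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._hash(password, salt))

    def verify(self, user, password):
        rec = self._records.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(self._hash(password, salt), stored)

    def dump(self):
        return {u: (s.hex(), h.hex()) for u, (s, h) in self._records.items()}


def demo():
    """Run both stores against the same user and report what each one verifies and holds."""
    ts = extract_timestamp(SAMPLE_GREETING)
    apop, passwd = ApopStore(), PassStore()
    apop.add_user(SAMPLE_USER, SAMPLE_SECRET)
    passwd.add_user(SAMPLE_USER, SAMPLE_SECRET)
    good = apop_digest(ts, SAMPLE_SECRET)
    return {
        "apop_ok": apop.verify(SAMPLE_USER, ts, good),
        "apop_wrong_secret": apop.verify(SAMPLE_USER, ts, apop_digest(ts, "wrong")),
        # A digest is bound to one greeting; it does not verify against another challenge.
        "apop_other_challenge": apop.verify(SAMPLE_USER, "<2.3@example.invalid>", good),
        "pass_ok": passwd.verify(SAMPLE_USER, SAMPLE_SECRET),
        "pass_wrong": passwd.verify(SAMPLE_USER, "wrong"),
        # The APOP record *is* the secret; the PASS record is a salt and a hash.
        "apop_store_holds_cleartext": apop.dump()[SAMPLE_USER] == SAMPLE_SECRET,
        "pass_store_holds_cleartext": SAMPLE_SECRET in passwd.dump()[SAMPLE_USER],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `dump()` results are the crux: a leaked `ApopStore` file hands over working secrets, while a leaked `PassStore` file yields only salts and PBKDF2 outputs. APOP's challenge binding does stop the digest from being reused against a different greeting, which is the on-the-wire gain Joseph is after; the trade-off Carey describes is entirely about what sits on the server's disk.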