[ale] OT: SMTP/POP3 Password Encryption

[Chris Ricker]

On Thu, 22 May 2003, Geoffrey wrote:

> Transam wrote:
> 
> > Neither SMTP nor POP3 (nor IMAP for that matter) are encrypted.  Both
> > the password (POP3 & IMAP) and all text is sent in the clear.  May I
> > introduce you to the world of encrypting your email before transmission?
> 
> Does anyone know if there is way to set up encrypted passwords for any 
> mail access?  I guess you'd have to work with your isp to do some kind 
> of ssh tunnel or something???

APOP is encrypted, though not widely supported

IMAP can support SASL, and some SASL authentication methods are either 
encrypted or one-time

IMAP can support STARTTLS before authentication, and then the subsequent
authentication (either through SASL or through plaintext username +
password) and email access would be encrypted

IMAP / POP can be tunneled through SSL, in which case the entire 
communication will be encrypted

SMTP AUTH uses SASL for the authentication, and some SASL authentications 
are either encrypted or one-time

SMTP STARTTLS encrypts the communication through SSL. This can be done 
before or after SMTP AUTH, or independently of SMTP AUTH. The entire 
communication after the STARTTLS is encrypted

SMTP can be tunneled through SSL, though most clients don't support this.

Generally, if you want encrypted authentication, use an encrypted 
authentication mechanism with SMTP AUTH (which most clients and servers 
support) for SMTP, and tunnel IMAP / POP through SSL (which most clients and 
servers support). You might also use STARTTLS with SMTP to encrypt the 
authentication and the mail transfer. Most clients and servers support 
STARTTLS, but it's not widely deployed, so you still have to use GPG (in 
which case, SMTP AUTH + GPG is just as good, and a little simpler to set up, 
as SMTP STARTTLS + GPG)

later,
chris
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale