
Re: IMAP...



On Mon, 29 Oct 2001, Kurt Lieber wrote:

> On Monday 29 October 2001 11:19 am, Alexander Wallace wrote:
>
> > I understand IMAP encrypts passwords right? and I should use it instead of
> > POP?
>
> IMAP does NOT encrypt passwords.  It has one (minor) security advantage over
> POP3 in that it only sends your password once to establish a connection, and
> then maintains that connection until you break it (usually by closing your
> mail client)

That depends on the client.  Pine for instance opens and closes the
connection every time you open or close a folder.

> where POP3 sends your password each and every time you check
> mail.  However, both send passwords in clear text.
>

By default yes.  However afaik all the imapds in Debian support CRAM-MD5
which encrypts your password.

> If you want to encrypt your mail password, you can tunnel POP3 and/or IMAP
> over SSH and obtain end-to-end encryption that way.
>

Happily the need to do that is a thing of the past.  The UW and Courier
imapds also support imaps (IMAP over SSL) natively.  Because of US crypto
policy this support is available in separate packages -- uw-imapd-ssl and
courier-imap-ssl respectively.  Also if you are using pine with either of
the UW packages, it can be configured to set up imap over ssh (or rsh but
you don't want that) automatically.

-- 
Jaldhar H. Vyas <jaldhar@debian.org>
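
Added example, not part of the original message: the CRAM-MD5 exchange mentioned above (RFC 2195) next to a plaintext IMAP LOGIN, showing what crosses the wire in each case and how a server checks the reply. The function names and the in-memory secret table are assumptions for illustration; the user, secret and challenge are the RFC 2195 sample values.

```python
import base64
import hashlib
import hmac

# RFC 2195 sample values (the server picks a fresh challenge per login).
USER = "tim"
SECRET = "tanstaaftanstaaf"
CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

def cram_md5_response(user, secret, challenge_b64):
    """Client side: answer the server's base64 challenge.
    Sends 'user <hex HMAC-MD5(secret, challenge)>', never the secret."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()

def cram_md5_verify(response_b64, challenge_b64, lookup_secret):
    """Server side: recompute the HMAC from the stored secret and compare."""
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:          # bad base64 or non-UTF-8 bytes
        return False
    user, _, digest = decoded.rpartition(" ")
    secret = lookup_secret(user)
    if secret is None:
        return False
    challenge = base64.b64decode(challenge_b64)
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), digest.encode())

def on_the_wire(user, secret, challenge_b64):
    """What a passive listener on an unencrypted link would capture."""
    return {
        "LOGIN": f"a001 LOGIN {user} {secret}",
        "CRAM-MD5": [
            "a001 AUTHENTICATE CRAM-MD5",
            f"+ {challenge_b64}",
            cram_md5_response(user, secret, challenge_b64),
        ],
    }

if __name__ == "__main__":
    secrets = {USER: SECRET}    # hypothetical server-side secret store
    view = on_the_wire(USER, SECRET, CHALLENGE_B64)
    print(view["LOGIN"])
    print("\n".join(view["CRAM-MD5"]))
    print(cram_md5_verify(view["CRAM-MD5"][2], CHALLENGE_B64, secrets.get))
```

CRAM-MD5 covers only the authentication step: the mail itself still crosses the link in the clear unless the session runs over SSL or an SSH tunnel, and the server has to keep the shared secret (or an equivalent derived from it) available to recompute the HMAC.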