Setting up (WAS Re: Test, is this list active?)

Piotr Sulecki Piotr.Sulecki at ios.krakow.pl
Tue Jul 10 12:00:35 CEST 2001


Ave!

> My first Qs are:
> 
> 1. Are the passwords not encrypted (doesn't look like it based on the examples)?

I'm not Kam ;-) but I'll try to help nonetheless.

The POP3 protocol has two authentication methods: standard and APOP.

The standard authentication (USER/PASS) sends the password through the
wire in cleartext. No encryption is done. This is how most programs use
it.

The APOP authentication sends (in cleartext) the user name and an MD5
hash of a string consisting of the server greetings (includes time of
the greetings, so is partially random), user name and his password. The
server does the same calculations and can tell whether or not the client
uses the same password.

Three issues with APOP:

1) it's vulnerable to dictionary attacks (all data except the password
is sent in the clear),
2) it requires that the server has access to cleartext passwords (rather
uncommon in UNIX/Linux),
3) some mail clients do not understand this protocol.

Don't know of any other method of POP3 authentication. The two described
above are the only ones mentioned in RFCs.

In short: forget it.

> 2. How do you specify what domain the user belongs to for /non/ IP-based domains?

For non-IP-based domains, every user must be unique
_throughout_the_whole_server_. It means you can only have one admin, one
webmaster, etc. (This can be solved to a degree on SMTP level with
address rewriting or mail aliasing.) The POP3 protocol simply does not
provide a way for the client to request the specific virtual host in a
way HTTP/1.1 does.

IP-based virtual domains do not have that limitation.

In both cases, there is a file which lists user<->virtual domain
mappings. Don't recall its name, but it's described in the docs. I
don't recall having any problems with setting it up; however, I don't
recall any details, either.

Peter Sulecki.
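The APOP exchange described above, as an added example that is not code from the post or from solidpop3d: both sides of the handshake in Python, using the digest RFC 1939 defines (MD5 over the greeting's timestamp banner followed by the password, with the user name sent in the clear as the first APOP argument). The host name, process id, clock value and account table are constructed for the demo.

```python
import hashlib
import hmac
import re

# APOP (RFC 1939): the server greeting carries a timestamp banner of the
# form <pid.clock@host>; the client replies "APOP <name> <digest>" where
# digest = MD5(banner + password) in lowercase hex.  The server recomputes
# the same value, so it must hold the cleartext password (point 2 above),
# and everything except the password crosses the wire in the clear (point 1).

_BANNER_RE = re.compile(r"<[^<>]+@[^<>]+>")


def make_greeting(pid: int, clock: int, host: str) -> str:
    """Server side: build the +OK greeting with a fresh timestamp banner."""
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"


def extract_banner(greeting: str) -> str:
    """Pull the <...@...> banner out of the greeting; absent means no APOP."""
    m = _BANNER_RE.search(greeting)
    if not m:
        raise ValueError("greeting carries no APOP timestamp banner")
    return m.group(0)


def apop_digest(banner: str, password: str) -> str:
    """MD5 over the banner followed directly by the password, as hex."""
    return hashlib.md5((banner + password).encode()).hexdigest()


def client_apop_command(greeting: str, user: str, password: str) -> str:
    """Client side: turn the server greeting into the APOP command line."""
    return f"APOP {user} {apop_digest(extract_banner(greeting), password)}"


def server_verify(banner: str, command: str, passwords: dict) -> bool:
    """Server side: recompute the digest from the stored cleartext password."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    stored = passwords.get(user)
    if stored is None:
        return False
    # Constant-time comparison so the check itself leaks no timing information.
    return hmac.compare_digest(apop_digest(banner, stored), digest)


if __name__ == "__main__":
    accounts = {"alice": "correct horse battery"}  # constructed demo account
    greeting = make_greeting(1896, 697170952, "pop.example.invalid")
    cmd = client_apop_command(greeting, "alice", accounts["alice"])
    print("S:", greeting)
    print("C:", cmd)
    print("S:", "+OK" if server_verify(extract_banner(greeting), cmd, accounts) else "-ERR")
```

A reply captured from one session fails against the next greeting because the banner differs, which is the only randomness the scheme has.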


