[Ti] apop and Panther Mail.app
Justin R. Miller
incanus at codesorcery.net
Sun Oct 3 06:51:42 PDT 2004
On Oct 3, 2004, at 3:10 AM, Chris Olson wrote:
> When the initial connection is made to a POP server, the server
> displays a timestamp in its banner. The client uses this timestamp to
> create an MD5 hash string that is shared between the server and
> client. The next time the client connects to the server (e.g., to
> check for new mail) it will issue a command (APOP) and the hash
> string. This reduces the number of times that a user's userid and
> password are transmitted in clear text.
To clarify, I believe the challenge-response differs on each login and
is based on a combination of the date/time and the user's password, but
done in a way so that the user never has to send their actual password
over the wire, but instead proves that they know it by complementing
the server's hash. That way they never have to send their password in
clear text, not once.
> Tell your friend to tell the ISP's tech support person to get a clue,
> and they could start by referring to the specification for POP3
> servers which is covered in RFC 1725.
mac2, basically it sounds like the person's ISP's POP3 server is
basically advertising that it supports APOP when in fact it sounds like
it does not. You can confirm this by opening Terminal, typing 'telnet
<mail server hostname> 110' and then when it greets you, typing 'CAPA'
to get a list of the POP3 server's capabilities. If you see 'APOP' in
there, then something is fishy.
--
Justin R. Miller
incanus at codesorcery.net
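
The exchange discussed in this thread, as an added example that is not part of the original message: a Python sketch of the APOP computation as RFC 1939 defines it, showing the client deriving its response from the banner timestamp and the server checking it. The function names are hypothetical, the first banner and the secret "tanstaaf" are the RFC's own example values, and the other banners are constructed.

```python
import hashlib
import hmac
import re

# RFC 1939: a server implementing APOP includes a msg-id style timestamp,
# in angle brackets, in its greeting. No timestamp means no APOP.
_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def banner_timestamp(banner):
    """Return the <...@...> challenge from a +OK greeting, or None."""
    if not banner.startswith("+OK"):
        return None
    match = _TIMESTAMP.search(banner)
    return match.group(0) if match else None

def apop_digest(timestamp, password):
    """Hex MD5 of the timestamp (brackets included) followed by the secret."""
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()

def client_command(banner, user, password):
    """Build the APOP line, or None when the banner offers no challenge."""
    timestamp = banner_timestamp(banner)
    if timestamp is None:
        return None
    return "APOP %s %s" % (user, apop_digest(timestamp, password))

def server_verify(timestamp, stored_password, command):
    """Recompute the digest from the stored secret and compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(timestamp, stored_password).encode("ascii")
    return hmac.compare_digest(expected, parts[2].lower().encode("utf-8"))

# Example greeting from RFC 1939, then two constructed ones.
RFC_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
NEXT_BANNER = "+OK POP3 server ready <1897.697171000@dbc.mtview.ca.us>"
PLAIN_BANNER = "+OK POP3 server ready"

if __name__ == "__main__":
    first = client_command(RFC_BANNER, "mrose", "tanstaaf")
    second = client_command(NEXT_BANNER, "mrose", "tanstaaf")
    print(first)   # the password itself never appears on the wire
    print(second)  # a new timestamp gives a different digest on each login
    print(server_verify(banner_timestamp(RFC_BANNER), "tanstaaf", first))
    print(client_command(PLAIN_BANNER, "mrose", "tanstaaf"))  # None: no challenge
```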