
  #20  
Old 25-06-2003, 09:44 PM
Guest
 
Quote:
Originally Posted by lcs
By using a different port (993) you can block the insecure port 143. Using STARTTLS, you have to keep 143 open, which in turn means people may accidentally connect unencrypted and thus send their password in clear text.
The P800 IMAP client supports RFC2595 for secure IMAP connections. As pointed out, the client makes a connection in the clear to the specified port, usually 143. However, an IMAP server that conforms to the RFC should support LOGINDISABLED; this means that a client has to first set up a secure connection using STARTTLS before passing any LOGIN information, which could otherwise be seen if sent over an unencrypted connection.

Example:

C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
S: a001 OK CAPABILITY completed
C: a002 STARTTLS
S: a002 OK Begin TLS negotiation now
<TLS negotiation, further commands are under TLS layer>
C: a003 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=EXTERNAL
S: a003 OK CAPABILITY completed
C: a004 LOGIN joe password
S: a004 OK LOGIN completed

The current UW IMAPD supports this and works well.

The only annoying thing, as pointed out by another poster, is SMTP/S connections that correctly use STARTTLS but then don't perform SMTP AUTH.

I had some Symbian folks with access to the P800 code check this out, and it is indeed a bug :cry:

HTH

Michael
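The STARTTLS / LOGINDISABLED exchange described in the post above, worked through as an added example that is not part of the original post or of any real IMAP implementation. The server here is a toy state machine (no sockets, no real TLS; the "TLS negotiation" is just a flag flip) that advertises LOGINDISABLED until STARTTLS has been issued and refuses LOGIN in the clear, as RFC 3501 requires of a server that advertises that capability. The client side shows the check a well-behaved client should make: parse the CAPABILITY response and never send LOGIN on an unencrypted link when LOGINDISABLED (or, more cautiously, STARTTLS) is offered, then re-query CAPABILITY after the upgrade as RFC 2595 says to. Function and class names are this example's own.

```python
import re

CAP_RE = re.compile(r"^\* CAPABILITY (.+)$")


class ToyImapServer:
    """Toy server for illustration only: advertises LOGINDISABLED until
    STARTTLS has been issued, and rejects LOGIN on the unencrypted link."""

    def __init__(self):
        self.tls = False  # stands in for "TLS handshake completed"

    def handle(self, line):
        tag, _, rest = line.partition(" ")
        cmd = rest.split(" ", 1)[0].upper()
        if cmd == "CAPABILITY":
            caps = ["IMAP4rev1"]
            if self.tls:
                caps.append("AUTH=PLAIN")        # cleartext mechanisms only under TLS
            else:
                caps += ["STARTTLS", "LOGINDISABLED"]
            return [f"* CAPABILITY {' '.join(caps)}", f"{tag} OK CAPABILITY completed"]
        if cmd == "STARTTLS":
            if self.tls:
                return [f"{tag} BAD TLS already active"]
            self.tls = True                      # real server would run the handshake here
            return [f"{tag} OK Begin TLS negotiation now"]
        if cmd == "LOGIN":
            if not self.tls:
                # A server advertising LOGINDISABLED must refuse LOGIN in the clear.
                return [f"{tag} NO LOGIN is disabled until STARTTLS is negotiated"]
            return [f"{tag} OK LOGIN completed"]
        return [f"{tag} BAD unknown command"]


def parse_capabilities(lines):
    """Return the capability tokens from an untagged '* CAPABILITY ...' response."""
    for line in lines:
        m = CAP_RE.match(line)
        if m:
            return set(m.group(1).split())
    return set()


def login_allowed_in_clear(caps, tls_active):
    """Client-side policy: LOGIN is fine once TLS is up; on a plaintext link it is
    refused if the server forbids it (LOGINDISABLED) or merely offers STARTTLS
    (a cautious client upgrades first rather than risk the password in the clear)."""
    if tls_active:
        return True
    if "LOGINDISABLED" in caps or "STARTTLS" in caps:
        return False
    return True


def safe_login(server, user, password):
    """Drive the exchange against `server`. Returns (transcript, tls_active, login_ok)."""
    transcript, counter = [], 0
    tls = False

    def send(cmd):
        nonlocal counter
        counter += 1
        tag = f"a{counter:03d}"
        transcript.append(f"C: {tag} {cmd}")
        resp = server.handle(f"{tag} {cmd}")
        transcript.extend("S: " + r for r in resp)
        return resp

    caps = parse_capabilities(send("CAPABILITY"))
    if not login_allowed_in_clear(caps, tls):
        if "STARTTLS" not in caps:
            raise RuntimeError("server forbids cleartext LOGIN but offers no STARTTLS")
        send("STARTTLS")
        tls = True
        transcript.append("<TLS negotiation, further commands are under TLS layer>")
        caps = parse_capabilities(send("CAPABILITY"))   # capabilities change after STARTTLS
    resp = send(f"LOGIN {user} {password}")            # credentials now travel under TLS
    return transcript, tls, resp[-1].split(" ", 2)[1] == "OK"


def naive_login(server, user, password):
    """The accidental-cleartext case from the quoted post: LOGIN straight away."""
    return server.handle(f"a001 LOGIN {user} {password}")[0]


if __name__ == "__main__":
    for line in safe_login(ToyImapServer(), "joe", "password")[0]:
        print(line)
    print(naive_login(ToyImapServer(), "joe", "password"))
```

Running the block prints a transcript with the same a001..a004 tag sequence as the RFC example in the post, followed by the `NO` the toy server gives a client that tries LOGIN before STARTTLS. Against a real server the same `login_allowed_in_clear` check is the one the P800 client would need to get right; the toy server is only there so the exchange can be exercised offline.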