[sylpheed:33220] Re: can send email only after pop download

Alexander Kosubek sylpheed-mailing-list at thecrusher.no-ip.com
Mon Sep 28 17:45:41 JST 2009


Hello Giulio, 

apologies for my late reply, but I was extremely busy the last few days.

On Thu, 24 Sep 2009 15:32:09 +0200
Giulio Bottazzi <giulio.bottazzi at gmail.com> wrote:

> I selected "PLAIN" as Authentication method in the "Send" tab and was
> able to send  emails again. I have the impression that in this way my
> username and password travel in clear across the net. Am I right?

Basically, yes. - With AUTH-PLAIN your username and password are
base64-encoded and not encrypted, unless you use an otherwise
encrypted connection to your SMTP-server, like SSL/TLS.

> Is this safer than relying on "POP before SMTP"? 

That depends on the location of a potential attacker. - In case of POP
before SMTP any software that is able to originate traffic from your
IP (or successfully spoof such traffic) could send email via your
account. - In the case of an intercepted unencrypted AUTH-PLAIN login
the attacker could send email from everywhere, but he must be able to
intercept your login in the first place, e.g. by listening on the same
local network.

So neither method is by itself secure; a better solution
would involve an underlying encryption like SSL/TLS.

> In any case, you pointed me in the right direction.
> Thanks again,

Glad to be of assistance.

> Giulio.

Alexander

> 
> On Wed, Sep 23, 2009 at 12:28 PM, Alexander Kosubek
> <sylpheed-mailing-list at thecrusher.no-ip.com> wrote:
> > On Wed, 23 Sep 2009 10:33:48 +0200
> > Giulio Bottazzi <giulio.bottazzi at gmail.com> wrote:
> >
> >> There's something strange happening to me when I try to send messages
> >> using one specific server. If I start sylpheed (or leave sylpheed
> >> inactive for a while) and try to send the message, I got an error [...]
> >
> > Hello Giulio,
> >
> > it seems to me that the server you are using is using a mechanism
> > known to me as "POP before SMTP" to authenticate senders.
> >
> > You just have to tick the appropriate checkbox on the "send"-tab of
> > your account-settings to enable this method for that server.
> >
> > It is, alas, a somewhat flawed method, as anybody from your host is for
> > a certain amount of time able to send mail via that specific server
> > after the host is authenticated. So it would be more secure to use
> > SMTP-Auth, if supported.
> >
> > Kind regards
> >
> > Alexander
> >
> > --
> > Enter signature here
> >
> 
> 
> 
> -- 
> Giulio Bottazzi <giulio.bottazzi at gmail.com>
> http://giulio.bottazzi.googlepages.com
> PGP Key ID:BAB0A33F
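
Added example, not part of the original thread: the point made in the reply above about AUTH PLAIN being base64-encoded rather than encrypted, shown as a small audit of an SMTP client log that flags a login sent before SSL/TLS is active. The host, user, password and session lines are constructed, and the function names are hypothetical.

```python
import base64

def encode_auth_plain(user, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): authzid NUL authcid NUL passwd."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode("ascii")

def decode_auth_plain(token):
    """No key is needed to reverse it: base64 is an encoding, not encryption."""
    authzid, user, password = base64.b64decode(token).decode().split("\0")
    return authzid, user, password

def audit_session(lines, implicit_tls=False):
    """Flag AUTH PLAIN (initial-response form) sent before the channel is encrypted."""
    # lines: client-side log, "C: ..." for client lines and "S: ..." for server lines.
    # implicit_tls: True when the whole connection was wrapped in SSL/TLS from the start.
    encrypted, starttls_pending, findings = implicit_tls, False, []
    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        if side == "C" and text.strip().upper() == "STARTTLS":
            starttls_pending = True
        elif side == "S" and starttls_pending:
            encrypted = text.startswith("220")  # 220 = server ready to start TLS
            starttls_pending = False
        elif side == "C" and len(words) == 3 and text.upper().startswith("AUTH PLAIN "):
            if not encrypted:
                user = decode_auth_plain(words[2])[1]
                findings.append(f"credentials for {user!r} sent in clear")
    return findings

# Constructed sample sessions (hypothetical host, user and password).
TOKEN = encode_auth_plain("alice", "s3cret")
CLEAR_SESSION = [
    "S: 220 mail.example.org ESMTP",
    "C: EHLO client.example.org",
    "S: 250 AUTH PLAIN",
    "C: AUTH PLAIN " + TOKEN,
    "S: 235 Authentication successful",
]
TLS_SESSION = CLEAR_SESSION[:2] + [
    "S: 250 STARTTLS",
    "C: STARTTLS",
    "S: 220 Ready to start TLS",
] + CLEAR_SESSION[1:]

if __name__ == "__main__":
    print(audit_session(CLEAR_SESSION))
    print(audit_session(TLS_SESSION))
```

The same login line produces a finding in the plain session and none once STARTTLS has been accepted or the connection uses implicit SSL/TLS.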