Community Discussions and Support
POP Before SMTP Authentication

Thanks Thomas!  Appreciate the quick responses!

So, in a nutshell, what I've been doing is all I can do - having a separately-maintained username/password list for SMTP authentication in a textfile. 

...but my users who are using Pegasus don't need to type in this SMTP password because Pegasus will automatically authenticate using another means?


Pegasus has the POP-Before-SMTP authentication method - how do I set this up on my Mercury server?  This has eluded me for years now.  I find it hard to believe that the only way to stop your mail server from being a free relay for spammers is by having a plain-text file with the users' passwords duplicated in it.  If not pop-before-smtp authentication, is there a way to have the SMTP authentication password be the same as the user's POP/IMAP password?

(Yes, I've searched the boards for this, it must have been asked by now, but the search engine is coming up with nothing relevant)


> Pegasus has the POP-Before-SMTP authentication method - how do I set this up on my Mercury server?  This has eluded me
> for years now.  I find it hard to believe that the only way to stop your mail server from being a free relay for spammers is
> by having a plain-text file with the users' passwords duplicated in it.

If anyone other than the user and admin has access to this mail directory and passwd.pm file you are in a world of hurt.  These directories should never be accessible to anything other than the mail programs.

> If not pop-before-smtp authentication, is there a way to have the SMTP authentication password be the same as the user's
> POP/IMAP password? (Yes, I've searched the boards for this, it must have been asked by now, but the search
> engine is coming up with nothing relevant)

David Harris has implemented ESMTP AUTH CRAM-MD5 for WinPMail and Mercury.  It does an SMTP authentication in accordance with RFCs 2554 and 2195.  It will also do the LOGIN and the strange MS AUTH=LOGIN.

There are some ISPs that advertise CRAM-MD5 but do not support it.  In this case you should try using Pegasus Mail v4.5 or later.  It has an option to fall back to the less secure options.

Do not use CRAM-MD5 authentication even if it is advertised  

The process of logging into the SMTP server to authenticate your identity can take a variety of forms: the server "advertises" the forms it understands, and Pegasus Mail looks through that list, choosing the most secure form it recognizes. Some forms are very "weak", in that they either transmit your credentials as clear text or in a form that can be easily broken, while other forms are "strong", in the sense that it is very difficult to work out your credentials simply by observing the exchange of data between the two programs. Unfortunately, one of the strongest forms of authentication, called CRAM-MD5, is commonly misconfigured on SMTP servers, even at quite reputable ISPs - the server will advertise that it supports it, but will actually fail any attempt to use it. Getting the ISP to realize that they are at fault is a lost cause in most cases - it's almost always easier simply to check this control, which tells Pegasus Mail never to use CRAM-MD5 for this server. You should be aware that you reduce the security of your connection by checking this control: CRAM-MD5 is the only commonly-used authentication form that offers reasonable security, and by disabling it, you force Pegasus Mail to use less secure methods... But sometimes you may decide that being able to send mail is more important than being able to do it securely. The choice is yours.


How do I use ESMTP AUTH CRAM-MD5?  Is it a form of pop-before-smtp?  The white page docs I found on it just talk about encryption handshaking and nothing about SMTP user authentication.

I am setting up an Outlook (a pretty standard email program) as a mail program.  I want user 'Charlie', MyUncleCharlie@MyServer.com, to be able to send mail to anybody on any server using my server.  I don't want some random kid in China, li@china.com, being able to send spam to joe@schmoe.com by relaying off my server.  How can I accomplish this, other than by assigning Charlie a separate password from his POP password and putting it in the plaintext file?  (and checking the box saying "only authenticated users may relay messages")  My configuration options in Outlook are no authentication, authenticate using the POP credentials, and authenticate using other credentials.  ESMTP AUTH CRAM-MD5 is not an option in Outlook (or any other mail program) as far as I can tell.

My concern with copying passwords into a text file isn't with someone else getting into it, it's that it has completely turned my family off to using my mail server since they can't set or change their SMTP password without telling it to me.  It seems odd that Mercury stores POP3/IMAP passwords encrypted, and has a module for users to change said password remotely, but requires a *different* password for SMTP, which is stored as a "username password" line in a plain-text file that can only be modified by the sysop.  Am I missing something?


Thanks!



> How do I use ESMTP AUTH CRAM-MD5?  Is it a form of pop-before-smtp?
> The white page docs I found on it just talk about encryption
> handshaking and nothing about SMTP user authentication.
> I am setting up an Outlook (a pretty standard email program) as a
> mail program.  

Well Outlook does not do CRAM-MD5 so you will have to use the LOGIN command.  You can see what is happening if you turn on session logging.  You can also do this via telnet.

> I want user 'Charlie', MyUncleCharlie@MyServer.com,
> to be able to send mail to anybody on any server using my server.  I
> don't want some random kid in China, li@china.com, being able to
> send spam to joe@schmoe.com by relaying off my server.  How can I
> accomplish this, other than by assigning Charlie a separate password
> from his POP password and putting it in the plaintext file?  (and
> checking the box saying "only authenticated users may relay
> messages")  

Go to the MercuryS setup and select the 'connection control' tab and check the first three items.  This will stop all relaying except for those using a proper username and password that allows relaying.  This does NOT have to be your normal POP3 username and password, it's whatever you use when you set up the ESMTP AUTH usernames and passwords.


> My configuration options in Outlook are no authentication, authenticate
> using the POP credentials, and authenticate using other credentials.
> ESMTP AUTH CRAM-MD5 is not an option in Outlook (or any other mail
> program) as far as I can tell.

Agreed, it does not use CRAM-MD5, it only does the simple LOGIN.  I use a different username and password from that required for POP3 access since I do not want that username and password being used for this.

> My concern with copying passwords into a text file isn't with
> someone else getting into it, it's that it has completely turned my
> family off to using my mail server since they can't set or change
> their SMTP password without telling it to me.  It seems odd that
> Mercury stores POP3/IMAP passwords encrypted, and has a module for
> users to change said password remotely, but requires a *different*
> password for SMTP, which is stored as a "username password" line in
> a plain-text file that can only be modified by the sysop.  Am I
> missing something?

Sure, use a different username and password for all of them to use.  I use a mix of numbers and letters like One23Four for the username and Five678Nine for the password.   You'll need to change it every so often so that the spammers don't get this, especially since Windows and Lookout users seem to get their credentials captured pretty often.
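The two ESMTP AUTH forms this thread contrasts, shown side by side as an added example (not code from the thread or from Mercury/Pegasus): the RFC 2195 CRAM-MD5 challenge/response that Pegasus Mail prefers, and the plain AUTH LOGIN that Outlook falls back to, decoded from a constructed session log of the kind produced by turning on session logging. The session log lines and the One23Four/Five678Nine credentials are constructed sample values taken from the post above; the `lookup` callback stands in for whatever password store the server uses.

```python
import base64
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> str:
    """Client half of RFC 2195: HMAC-MD5 over the server's challenge, keyed by
    the password. Only 'username hexdigest' crosses the wire, never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response: str, challenge: bytes, lookup) -> bool:
    """Server half: recompute the digest from the stored password (the server
    needs the plaintext, which is why the password file must stay private)
    and compare in constant time."""
    try:
        user, digest = response.split(" ", 1)
    except ValueError:
        return False
    password = lookup(user)  # hypothetical store: returns password or None
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


# Constructed session log of an AUTH LOGIN exchange (C: client, S: server).
# The two C: lines after AUTH LOGIN are just base64, so anyone who can read
# the log or sniff the connection recovers the credentials directly.
LOGIN_SESSION = [
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",      # 'Username:'
    "C: T25lMjNGb3Vy",          # base64 of the constructed username
    "S: 334 UGFzc3dvcmQ6",      # 'Password:'
    "C: Rml2ZTY3OE5pbmU=",      # base64 of the constructed password
    "S: 235 Authentication successful",
]


def decode_auth_login(session_lines):
    """Return (username, password) from an AUTH LOGIN exchange in a session log,
    demonstrating that LOGIN is obfuscation, not protection."""
    creds, in_login = [], False
    for line in session_lines:
        if line.startswith("C: AUTH LOGIN"):
            in_login = True
        elif in_login and line.startswith("C: ") and len(creds) < 2:
            creds.append(base64.b64decode(line[3:]).decode())
    return tuple(creds)
```

Running `cram_md5_response("tim", "tanstaaftanstaaf", b"<1896.697170952@postoffice.reston.mci.net>")` reproduces the worked example in RFC 2195, while `decode_auth_login(LOGIN_SESSION)` gives back the credentials unchanged.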

