> Pegasus has the POP-Before-SMTP authentication method - how do I set this up on my Mercury server? This has eluded me
> for years now. I find it hard to believe that the only way to stop your mail server from being a free relay for spammers is
> by having a plain-text file with the users' passwords duplicated in it.
If anyone other than the user and admin has access to this mail directory and passwd.pm file you are in a world of hurt. These directories should never be accessible to anything other than the mail programs.
> If not pop-before-smtp authentication, is there a way to have the SMTP authentication password be the same as the user's
> POP/IMAP password? (Yes, I've searched the boards for this, it must have been asked by now, but the search
> engine is coming up with nothing relevant)
David Harris has implemented ESMTP AUTH CRAM-MD5 for WinPMail and Mercury. It does an SMTP authentication in accordance with RFCs 2554 and 2195. It will also do the LOGIN and the strange MS AUTH=LOGIN.
There are some ISPs that advertise CRAM-MD5 but do not support it. In this case you should try using Pegasus Mail v4.5 or later. It has an option to fall back to the less secure options.
Do not use CRAM-MD5 authentication even if it is advertised
The process of logging into the SMTP server to authenticate your identity can take a variety of forms: the server "advertises" the forms it understands, and Pegasus Mail looks through that list, choosing the most secure form it recognizes. Some forms are very "weak", in that they either transmit your credentials as clear text or in a form that can be easily broken, while other forms are "strong", in the sense that it is very difficult to work out your credentials simply by observing the exchange of data between the two programs. Unfortunately, one of the strongest forms of authentication, called CRAM-MD5, is commonly misconfigured on SMTP servers, even at quite reputable ISPs - the server will advertise that it supports it, but will actually fail any attempt to use it. Getting the ISP to realize that they are at fault is a lost cause in most cases - it's almost always easier simply to check this control, which tells Pegasus Mail never to use CRAM-MD5 for this server. You should be aware that you reduce the security of your connection by checking this control: CRAM-MD5 is the only commonly-used authentication form that offers reasonable security, and by disabling it, you force Pegasus Mail to use less secure methods... But sometimes you may decide that being able to send mail is more important than being able to do it securely. The choice is yours.