Re: IIS 6.0 POP3 Server won't accept SPA.
From: Ken Schaefer (kenREMOVE_at_THISadopenstatic.com)
Date: 11/23/04
- In reply to: rg: "IIS 6.0 POP3 Server won't accept SPA."
Date: Tue, 23 Nov 2004 22:49:18 +1100
Hi,
A couple of quick points:
- SMTP and POP3 authentication are different, so enabling one authentication
mechanism for one service does not automatically affect the other
- SPA is basically a form of NTLM authentication. NTLM authentication is a
form of challenge/response authentication used by Windows systems for
Windows usernames/passwords. Basically the server sends a challenge, and the
client takes this challenge and performs a number of hashing functions on
the user's password + this challenge, and sends the result back to the
server. The server compares the result to what's stored in the
Windows Security Accounts Manager (SAM) database, and if there's a match,
the user is authenticated. This type of authentication is not applicable to
"encrypted file" POP3 authentication, because there's no way that the
process on client and server could be repeated.
- POP3 authentication is pretty much insecure no matter what mail server you
are using. There isn't really any standard for encrypting the
username/password and sending it to the server and having the server decrypt
it. The only other way of securely sending a password is to hash the
password, but that requires (a) the client to support some kind of hashing
mechanism and (b) the server having a stored copy of the hash or the server
having the original plain text password so that it can repeat the hash and
compare it with what the client sends. However, such hashing mechanisms are
not supported by most mail clients.
Cheers
Ken
"rg" <rg@nospam.please> wrote in message
news:eOq6Je7zEHA.3452@TK2MSFTNGP14.phx.gbl...
>I set up SMTP to accept SPA. I read that when SMTP is set to use SPA, the
> POP3 Server is automatically set up to use it, also.
>
> But, when I use Encrypted Password File authentication, the SPA option for
> POP3 disappears. Since the above mentioned docs did not address this, I take
> it at its word, that POP3 is accepting SPA. BUT IT DOESN'T! Why not?
>
> Outlook Express sends the message to the SMTP server using SPA, using the
> credentials I set up for the Encrypted File account mailbox, but POP3 only
> responds to non-SPA use of those credentials. Unless Outlook is secretly
> using my local credentials...
>
> But, philosophically, why would the SPA checkbox option be disabled in POP3
> when using Encrypted File? When setting up a bulk email server, don't ALL
> users deserve the highest level of security available?
>
> Thanks!
>
>
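Added example, not part of the original post or of any Microsoft code: a simplified challenge/response exchange showing why the server must hold the same password-derived value as the client. It is not the real NTLM algorithm (SHA-256 and HMAC stand in for it), and the salted password-file record is an assumed format, not the actual layout of the POP3 service's encrypted password file.

```python
import hashlib
import hmac
import os

def verifier(password: str) -> bytes:
    """Unsalted password-derived key both sides can compute (stand-in for the SAM hash)."""
    return hashlib.sha256(password.encode("utf-8")).digest()

def client_response(password: str, challenge: bytes) -> bytes:
    """Client: combine the server's challenge with the password-derived key."""
    return hmac.new(verifier(password), challenge, hashlib.sha256).digest()

def server_check(stored_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server: repeat the client's computation with whatever it has stored, then compare."""
    expected = hmac.new(stored_key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def salted_record(password: str, salt: bytes) -> bytes:
    """Hypothetical password-file entry: salted, iterated one-way hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)

def plaintext_login(stored: bytes, salt: bytes, password: str) -> bool:
    """What the password-file server can verify: the password itself, as sent by the client."""
    return hmac.compare_digest(salted_record(password, salt), stored)

def demo() -> dict:
    password = "correct horse"                      # constructed sample credential
    challenge, other_challenge = os.urandom(16), os.urandom(16)
    salt = os.urandom(16)
    resp = client_response(password, challenge)
    sam_key = verifier(password)                    # server shares the client's key
    file_key = salted_record(password, salt)        # server holds a different one-way value
    return {
        # Same stored value on both sides: the server can repeat the hash.
        "sam_style": server_check(sam_key, challenge, resp),
        "wrong_password": server_check(sam_key, challenge, client_response("guess", challenge)),
        # A captured response is useless against a fresh challenge.
        "replayed": server_check(sam_key, other_challenge, resp),
        # The salted record cannot reproduce the client's response...
        "file_style_challenge": server_check(file_key, challenge, resp),
        # ...so this server can only check a password sent to it directly.
        "file_style_plaintext": plaintext_login(file_key, salt, password),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22} {ok}")
```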