Re: Properly configuring SMTP Service


In Outlook Express, on the 'Server' tab of Account Properties, there
is a checkbox item, "My server requires authentication" with a
'Settings' dialog that lets you specify the username and password
information (labeled, 'Logon Information'). Is this where one
specifies the AUTH LOGIN details in Outlook Express?

If 'Use SPA' is unchecked, you'll use AUTH LOGIN. If it's checked,
you'll use AUTH GSSAPI NTLM.

It seems to me the last time I tried this for my Grandfather's
email, it either caused problems for local accounts, or didn't allow
him to relay, or something (I've tried so many different
configurations now, I don't remember which problems were associated
with which configuration!). However, using this method concerns me
because everything I've read says *not* to use it due to the fact
that usernames and passwords are transmitted in clear text, so I am
not sure this is the way I want to go.

AUTH LOGIN does not encrypt credentials and passes message data in
plain text.

AUTH GSSAPI NTLM encrypts credentials and passes message data in plain
text.

Obviously, preventing the compromise of usernames + passwords is very
important. But remember that message data can be just as vital
(especially when that data _contains_ usernames and passwords) and the
only way to avoid that exposure is to use SMTP + STARTTLS, SMTPS, or
client PKI certificates. When you use one of the full-session
encryption methods, this can cover authentication as well (even if the
auth exchange is LOGIN or PLAIN, there's a protective SSL session
around it).

If SPA is working for you, keep it working! But in most ad hoc
scenarios it will not function, because it is designed for MS mail
clients with machines + users in the same domain as the mailserver.

Is it your recommendation then to *disable* 'Integrated Windows
Auth' and *enable* only 'Basic Auth'? Is this the way most ISPs
provide email to their customers? If so, how do they deal with
concerns of security (sniffing clear text passwords, etc.)?

Most ISPs don't use vanilla IIS SMTP on their mail submission boxes.
And other SMTP servers support non-proprietary SMTP authentication
mechanisms such as AUTH CRAM-MD5, so ISPs don't have to choose between
supporting plain-text or supporting only Microsoft clients.

--Sandy
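
An added example, not part of the original post: a small audit of what a submission server advertises in its EHLO reply before any TLS is negotiated, flagging AUTH LOGIN/PLAIN offered in the clear and a missing STARTTLS. The EHLO replies and the hostname mail.example.test are constructed for illustration; the function names are this example's own.

```python
import base64

# Mechanisms whose exchange hands the password to anyone reading the session.
CLEARTEXT_MECHS = {"LOGIN", "PLAIN"}

def parse_ehlo(reply):
    """Return (auth_mechanisms, starttls_offered) from a multi-line EHLO reply."""
    mechs, starttls = set(), False
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        # "250-AUTH LOGIN" and the legacy "250-AUTH=LOGIN" form both occur.
        words = line[4:].upper().replace("=", " ").split()
        if not words:
            continue
        if words[0] == "AUTH":
            mechs.update(words[1:])
        elif words[0] == "STARTTLS":
            starttls = True
    return mechs, starttls

def audit(plain_reply):
    """List findings for the EHLO reply a server gives before TLS is negotiated."""
    mechs, starttls = parse_ehlo(plain_reply)
    findings = []
    exposed = sorted(mechs & CLEARTEXT_MECHS)
    if exposed:
        findings.append("AUTH " + "/".join(exposed) + " offered before TLS")
    if not starttls:
        findings.append("STARTTLS not offered")
    return findings

def login_prompt(line):
    """Decode a '334 <base64>' AUTH LOGIN prompt; base64 is encoding, not encryption."""
    return base64.b64decode(line.split(None, 1)[1]).decode("ascii")

# Constructed EHLO replies (not captured from a real server).
BASIC_ONLY = "250-mail.example.test Hello\r\n250-AUTH LOGIN\r\n250-AUTH=LOGIN\r\n250 OK"
WITH_TLS = "250-mail.example.test Hello\r\n250-STARTTLS\r\n250-AUTH CRAM-MD5\r\n250 OK"

if __name__ == "__main__":
    for name, reply in (("basic only", BASIC_ONLY), ("TLS + CRAM-MD5", WITH_TLS)):
        print(name, "->", audit(reply) or "no findings")
    print(login_prompt("334 VXNlcm5hbWU6"), login_prompt("334 UGFzc3dvcmQ6"))
```
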

