From 0e7ff9cb9b8483e188febe76ccffefb66d75c97e Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Fri, 6 Apr 2007 18:01:39 +0000 Subject: Flank APOP by comments about it being insecure. svn path=/branches/BRANCH_6-3/; revision=5084 --- fetchmail-FAQ.html | 11 ++++++----- fetchmail.man | 6 +++--- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 034a4111..f6b26e93 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -627,11 +627,12 @@ autoprobe facility will detect it and tell you if you have it). If you see something in the greeting line that looks like an angle-bracket-enclosed Internet address with a numeric left-hand part, that's an APOP challenge (it will vary each time you log in). -You can register a secret on the host (using -popauth(8) or some program like it). Specify the +For some hosts, you need to register a secret on the host (using +popauth(8) or some program like that). Specify the secret as your password in your .fetchmailrc; it will be used to encrypt the current challenge, and the encrypted form will be sent -back the the server for verification.

+back the the server for verification. Note that APOP is no longer +considered secure since March 2007.

Alternatively, you may have Kerberos available. This may require you to set up some magic files in your home directory on your @@ -647,8 +648,8 @@ present by looking for AUTH=KERBEROS_V4 in the CAPABILITY response.

If you are fetching mail from a CompuServe POP3 account, you can -use their RPA authentication (which works much like APOP). See I1 for details. If you are fetching mail from +use their RPA authentication. See I1 for details. +If you are fetching mail from Microsoft Exchange using IMAP, you will be able to use NTLM.

Your POP3 server may have the RFC1938 OTP capability to use diff --git a/fetchmail.man b/fetchmail.man index 62cd3f07..dbeedbcd 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -1057,7 +1057,7 @@ challenge conforming to RFC1938, \fIfetchmail\fR will use your password as a pass phrase to generate the required response. This avoids sending secrets over the net unencrypted. .PP -Compuserve's RPA authentication (similar to APOP) is supported. If you +Compuserve's RPA authentication is supported. If you compile in the support, \fIfetchmail\fR will try to perform an RPA pass-phrase authentication instead of sending over the password en clair if it detects "@compuserve.com" in the hostname. @@ -2057,7 +2057,7 @@ Legal authentication types are 'any', 'password', 'kerberos', (only for POP3), 'ntlm', 'ssh', 'external' (only IMAP). The 'password' type specifies authentication by normal transmission of a password (the password may be -plain text or subject to protocol-specific encryption as in APOP); +plain text or subject to protocol-specific encryption as in CRAM-MD5); \&'kerberos' tells \fIfetchmail\fR to try to get a Kerberos ticket at the start of each query instead, and send an arbitrary string as the password; and 'gssapi' tells fetchmail to use GSSAPI authentication. @@ -2757,7 +2757,7 @@ RFC 1081, RFC 1225, RFC 1460, RFC 1725, RFC 1734, RFC 1939, RFC 1957, RFC 2195, RFC 2449. .TP 5 APOP: -RFC 1460, RFC 1725, RFC 1939. +RFC 1939. .TP 5 RPOP: RFC 1081, RFC 1225. -- cgit v1.2.3