Quote:
Originally Posted by Bill Brock My take on this is the client and server make an SSL connection at which point all communication is encrypted, including the authentication. However, if the authentication takes place before an SSL connection is made then the login would be unencrypted. I believe the former is the case and that is why when you specify no plain text authentication it works when the SSL connection only is specified.
If my take on this is wrong then I would appreciate someone correcting me.
If you specify using encrypted authentication in, say, Outlook Express, the login fails because OE chokes at the AUTH command. IMHO.
Well here's the problem. While it is encrypted already if the user connects using an SSL connection, there is nothing to enforce that. They could just as easily be connecting over port 25. But if there was a non-clear-text authentication method going on, then it would be better... or at the very least, SMTP AUTH refusing to work over a non-SSL link.
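Added example, not from either poster: a small Python model of the server-side policy the reply asks for, where AUTH is neither advertised in the EHLO response nor accepted until TLS is active on the session. The class name and reply strings are constructed for illustration; the "530 5.7.0 Must issue a STARTTLS command first" reply follows the RFC 3207 convention, and the state reset after STARTTLS matches that RFC.

```python
# Added example (not from the thread): a minimal model of an SMTP server
# that refuses to offer or accept AUTH on a cleartext session. Class and
# host names are hypothetical; no real sockets are involved.

class SmtpAuthPolicy:
    """Tracks one SMTP session and decides whether AUTH may proceed."""

    def __init__(self, implicit_tls=False):
        # implicit_tls=True models a connection that arrived on the SMTPS
        # port (465); sessions on 25 or 587 start in the clear.
        self.tls_active = implicit_tls
        self.greeted = False

    def ehlo(self, hostname):
        """Return the EHLO capability lines for the current session state."""
        self.greeted = True
        caps = ["250-mail.example.test Hello " + hostname]
        if self.tls_active:
            caps.append("250-AUTH PLAIN LOGIN")   # only offered once encrypted
        else:
            caps.append("250-STARTTLS")           # tell the client how to upgrade
        caps.append("250 8BITMIME")
        return caps

    def starttls(self):
        """Model a successful TLS negotiation; session state resets (RFC 3207)."""
        if self.tls_active:
            return "454 4.7.0 TLS already active"
        self.tls_active = True
        self.greeted = False      # client must send EHLO again after the handshake
        return "220 2.0.0 Ready to start TLS"

    def auth(self, mechanism, initial_response=None):
        """Gate AUTH on TLS so PLAIN/LOGIN credentials never cross the wire in clear."""
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if not self.tls_active:
            # Refuse before reading any credential bytes: this is the check
            # that makes "port 25 instead of SSL" fail closed.
            return "530 5.7.0 Must issue a STARTTLS command first"
        if mechanism.upper() not in ("PLAIN", "LOGIN"):
            return "504 5.5.4 Unrecognized authentication type"
        if initial_response is None:
            return "334 "     # empty challenge: client sends the response next
        # Credential verification is out of scope for this model; a real
        # server decodes initial_response and checks it against its user store.
        return "235 2.7.0 Authentication succeeded"
```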