cancel
Showing results for 
Search instead for 
Did you mean: 

Authenticated SMTP and protecting the account password

FIXED
glocal
Rising Star
Posts: 128
Thanks: 12
Registered: ‎11-09-2007

Authenticated SMTP and protecting the account password

Am I right thinking that using authenticated SMTP to send email while I am away from my landline connection means I will have to transmit my main account password unencrypted? I know PN has been refusing to offer encrypted POP3/IMAP/SMTP logon for over a decade. What I am asking is, is there a way to transmit an unencrypted password that is not my main account password which could be used to change my whole setup remotely?
5 REPLIES 5
MisterW
Superuser
Superuser
Posts: 11,416
Thanks: 3,573
Fixes: 273
Registered: ‎30-07-2007

Re: Authenticated SMTP and protecting the account password

Fix

@glocal  Yes there is. The username & pw used to authenticate can be any mailbox & it's associated password.

I've suggested in the past that one creates a mailbox called smtp with it's own password purely for smtp authentication. Use 'accountname+smtp' as the username and the password as that you've created for the smtp mailbox in the email client smtp authentication settings

 

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

glocal
Rising Star
Posts: 128
Thanks: 12
Registered: ‎11-09-2007

Re: Authenticated SMTP and protecting the account password

This works. Good idea and thanks. A leaked SMTP password now only gives access to sending email with our credentials. Account password and fetching email passwords remain protected. Not using the default mailbox to collect email completely protects the account password. But the POP3/IMAP passwords remain exposed.

It is ridiculous really that PN won't do something about this after so many years. If they don't want to offer password encryption for the mailservers, they should at least make sure that the account password is not exposed in this way with the user not even realising the risks.

Townman
Superuser
Superuser
Posts: 20,176
Thanks: 8,223
Fixes: 104
Registered: ‎22-08-2007

Re: Authenticated SMTP and protecting the account password

What is one trying to protect here, for the "fetching" credentials are sent in plain text too. Not using the default mailbox and not accessing SMTP using the account name and password, does indeed offer some protection against disclosing the account details, but thereafter one might as well access a secondary mailbox & SMTP with the same accountname+mailboxname and associated password. Or am I missing something here?

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

MisterW
Superuser
Superuser
Posts: 11,416
Thanks: 3,573
Fixes: 273
Registered: ‎30-07-2007

Re: Authenticated SMTP and protecting the account password

You're not missing anything, it purely protects the main account password. The problem is that AFAIK the standard instructions for authenticated SMTP say that the main account details should be used when in fact any mailbox details can be used.

Superusers are not staff, but they do have a direct line of communication into the business in order to raise issues, concerns and feedback from the community.

glocal
Rising Star
Posts: 128
Thanks: 12
Registered: ‎11-09-2007

Re: Authenticated SMTP and protecting the account password

Not using the default account mailbox for incoming or outgoing email protects the account password against exposure while away from your landline connection. One way to do this is to use only account+mailboxname mailboxes for incoming/outgoing email.

There is no way to avoid exposing the password for a mailboxname if you use it, but I think you can at least connect to PN's servers via a trusted provider you can connect to securely. This way at least the vulnerable connection is between providers, reducing the risk of casual wifi-level sniffing. Not that google is to be trusted, but gmail allows authenticated SMTP access which you can use with any From address, and multipop incoming email collection. I am sure there will be more privacy-conscious email providers doing something similar.