IIS 6.0 POP3 Server won't accept SPA.


IIS 6.0 POP3 Server won't accept SPA. rg
11/21/2004 5:47:49 AM
I set up SMTP to accept SPA. I read that when SMTP is set to use SPA, the
POP3 Server is automatically set up to use it, also.

But, when I use Encrypted Password File authentication, the SPA option for
POP3 disappears. Since the above-mentioned docs did not address this, I take
it at its word, that POP3 is accepting SPA. BUT IT DOESN'T! Why not?

Outlook Express sends the message to the SMTP server using SPA, using the
credentials I set up for the Encrypted File account mailbox, but POP3 only
responds to non-SPA use of those credentials. Unless Outlook is secretly
using my local credentials...

But, philosophically, why would the SPA checkbox option be disabled in POP3
when using Encrypted File? When setting up a bulk email server, don't ALL
users deserve the highest level of security available?

Thanks!

Re: IIS 6.0 POP3 Server won't accept SPA. Ken Schaefer
11/23/2004 10:49:18 PM
Hi,

A couple of quick points:
- SMTP and POP3 authentication are different, so enabling one authentication
mechanism for one service does not automatically affect the other

- SPA is basically a form of NTLM authentication. NTLM authentication is a
form of challenge/response authentication used by Windows systems for
Windows usernames/passwords. Basically the server sends a challenge, and the
client takes this challenge and performs a number of hashing functions on
the user's password + this challenge, and sends the result back to the
server. The server compares the result to what's stored in the
Windows Security Accounts Manager (SAM) database, and if there's a match,
the user is authenticated. This type of authentication is not applicable to
"encrypted file" POP3 authentication, because there's no way that the
process on client and server could be repeated.

- POP3 authentication is pretty much insecure no matter what mail server you
are using. There isn't really any standard for encrypting the
username/password and sending it to the server and having the server decrypt
it. The only other way of securely sending a password is to hash the
password, but that requires (a) the client to support some kind of hashing
mechanism and (b) the server having a stored copy of the hash or the server
having the original plain text password so that it can repeat the hash and
compare it with what the client sends. However, such hashing mechanisms are
not supported by most mail clients.

Cheers
Ken
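The challenge/response mechanism described in the reply above, and why it only works when the server stores the password in a form the client can recompute, as an added illustration that is not part of this thread. It is a simplified model (SHA-256/HMAC rather than the real NTLM algorithms); the user, password and salt are constructed sample values.

```python
"""Toy challenge/response login vs. two shapes of server-side credential store."""
import hashlib
import hmac
import os

# Constructed sample credential (not from the thread).
PASSWORD = "correct horse battery"


def password_equivalent(password: str) -> bytes:
    """Unsalted hash of the password: a secret the client can derive on its own.
    Stand-in for the password hash a Windows SAM keeps (real NTLM uses MD4 of the
    UTF-16LE password; SHA-256 is used here only because it is always available)."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def one_way_salted(password: str, salt: bytes) -> bytes:
    """Salted, iterated one-way hash: stand-in for an 'encrypted password file'
    style store. The client never learns the salt, so it cannot reproduce this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: keyed hash of the server's challenge under the password-equivalent."""
    return hmac.new(password_equivalent(password), challenge, "sha256").digest()


def server_verify(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: repeat the client's computation from what it stored and compare
    in constant time. Only succeeds if stored_secret is what the client used as key."""
    expected = hmac.new(stored_secret, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def run_exchange(stored_secret: bytes, password: str) -> bool:
    """One full login: fresh random challenge, client answers, server checks."""
    challenge = os.urandom(16)
    return server_verify(stored_secret, challenge, client_response(password, challenge))


def replayed_response_is_rejected(password: str) -> bool:
    """A response captured for one challenge is useless against the next challenge,
    which is what challenge/response buys over sending the password in the clear."""
    store = password_equivalent(password)
    captured = client_response(password, os.urandom(16))  # answer to an old challenge
    return not server_verify(store, os.urandom(16), captured)
```

Running the functions shows the contrast the reply draws: with the password-equivalent store the exchange verifies, with the salted one-way store the same client and password are rejected because the server cannot repeat the client's computation.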

