I have been looking at APOP for external authentication on POP3 servers.
In looking at this I found that the "shared secret", which is usually the
user's login password, is basically stored in the clear. It is run through
a program called "obscure" (qpopper) which just does an exclusive "OR" of
each character with the hex value "ff". Does this sit weird with anyone
else?
I also wonder how this plays out with the gauntlet POP3 proxy as well. I
know that they store some pseudo-APOP information. Is this also effectively
stored in clear text?
What other methods (if any) are people using to "authenticate" external
pop clients through a firewall?
-Phil
* Philip C. Cox         | Quote of the Day:                    *
* pcox @ sandia . gov   | "Character : the decisions a person  *
* PAGER: (510) 355-5222 | makes when the choice is not         *
* VOICE: (510) 294-3149 | obvious."                            *
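Added example, not part of the original post and not qpopper's own code: a sketch of why the APOP secret has to be recoverable on the server, and why an XOR with 0xff protects nothing at rest. The `obscure` function below is modeled only on the post's description; the timestamp and secret are sample values in the style of the RFC 1939 APOP example, and all function names are hypothetical.

```python
import hashlib
import hmac


def obscure(data: bytes) -> bytes:
    """XOR each byte with 0xff, as the post describes (assumed behaviour).

    XOR with a constant is its own inverse, so the same call that
    "obscures" the secret also recovers it. No key is involved.
    """
    return bytes(b ^ 0xFF for b in data)


def apop_digest(timestamp: str, secret: bytes) -> str:
    """RFC 1939 APOP: lowercase hex MD5 of the greeting timestamp
    immediately followed by the shared secret."""
    return hashlib.md5(timestamp.encode("ascii") + secret).hexdigest()


def server_verify(stored: bytes, timestamp: str, client_digest: str) -> bool:
    """Server-side check. The timestamp changes on every connection, so the
    server cannot keep a one-way hash of the secret; it must recover the
    plaintext and recompute the digest each time."""
    secret = obscure(stored)
    expected = apop_digest(timestamp, secret)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, client_digest.lower())


# Sample values (constructed for this example).
TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
SECRET = b"tanstaaf"
STORED = obscure(SECRET)  # what would sit in the authentication file


if __name__ == "__main__":
    print("stored bytes :", STORED.hex())
    print("recovered    :", obscure(STORED).decode("ascii"))
    digest = apop_digest(TIMESTAMP, SECRET)
    print("client sends : APOP user", digest)
    print("server accepts:", server_verify(STORED, TIMESTAMP, digest))
```

Because the stored form is a password equivalent, the practical controls are file permissions on the authentication database and using an APOP secret that is different from the user's login password.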