Hotmail Plus -secure password authentication

[Victek]

I have my Hotmail Plus account setup to use POP3 in WLM and it's working,
but I have a question about authentication. On the account
properties/server tab there are three log on options:

1. log on using clear text authentication
2. log on using secure password authentication
3. log on using authenticated POP (APOP)

The first option - clear text authentication - works, but the other two do
not. It seems odd that SSL is used for sending and receiving email, but not
for logging on. Is there a way to use the "log on using secure password
authentication" feature?

[N. Miller]

"Secure Password Authentication" is a special kind of authentication
involving an RSA key; assuming I understand how it works. It is rarely used.
I believe CompuServe Classic required it. And some enterprise solutions
using the MS Exchange server may use it. Most Email Service Providers (such
as Windows Live Hotmail) do not require it.

--
Norman
~Oh Lord, why have you come
~To Konnyu, with the Lion and the Drum

[Victek]

>> I have my Hotmail Plus account setup to use POP3 in WLM and it's working,
>> but I have a question about authentication. On the account
>> properties/server tab there are three log on options:
>>
>> 1. log on using clear text authentication
>> 2. log on using secure password authentication
>> 3. log on using authenticated POP (APOP)
>>
>> The first option - clear text authentication - works, but the other two
>> do
>> not. It seems odd that SSL is used for sending and receiving email, but
>> not
>> for logging on. Is there a way to use the "log on using secure password
>> authentication" feature?
>
> "Secure Password Authentication" is a special kind of authentication
> involving an RSA key; assuming I understand how it works. It is rarely
> used.
> I believe CompuServe Classic required it. And some enterprise solutions
> using the MS Exchange server may use it. Most Email Service Providers
> (such
> as Windows Live Hotmail) do not require it.
>
>

My concern is it sounds like my account password is transmitted in clear
text and could be captured by someone snooping if I use email on an open
Wi-Fi network. It seems pointless to encrypt the sending and receiving
process and not the log on password.

[Michael Santovec]

I'm not absolutely certain, but I think the SSL has you covered. It
should encrypt everything between your mail program and the mail server
including the logon process.

The SPA and APOP were developed before SSL became common. SPA and APOP
encrypt the logon process but not the e-mail contents being transferred.
As far as I know, very few mail servers support either of those.

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm

"Victek" <Vic...@invalid.invalid> wrote in message
news:4AC704D1-6E0B-41B1...@microsoft.com...

[N. Miller]

The reason for SSL is to encrypt the transaction; your password is
definitely not sent in the clear. AFAIK, SPA is rarely used. If a mail
server does not support SPA, using it in the client is not only pointless,
it just won't work.

[Victek]

Thanks for the reply. It helps to know that the encrypted connection is
established before the password is sent.

[Danny Horne]

I don't know anything about Hotmail Plus, but use Sendmail for SMTP &
Dovecot for IMAP. When I send mail the username / password seems to be
encrypted, but when connecting to the IMAP server it definitely isn't. I
fired up Wireshark on my PC & it showed my username / password being sent in
clear text when connecting to my IMAP server.

Anyone know what encryption WLM is capable of using?

"Victek" <Vic...@invalid.invalid> wrote in message

news:A3F48F9E-EC67-44F4...@microsoft.com...

[Michael Santovec]

Look in WLM at Tools, Accounts, Mail, Properties, Advanced. Is SSL
checked for the server? That controls whether or not encryption is used
in communicating with the mail server. The server also has to support
SSL for this to be used.

SSL = Secure Sockets Layer

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm

"Danny Horne" <da...@thelake.me> wrote in message
news:loOdnWetNPBxIgvU...@posted.plusnet...

[N. Miller]

On Sat, 14 Feb 2009 12:58:15 -0000, Danny Horne wrote:

> I don't know anything about Hotmail Plus, but use Sendmail for SMTP &
> Dovecot for IMAP. When I send mail the username / password seems to be
> encrypted, but when connecting to the IMAP server it definitely isn't. I
> fired up Wireshark on my PC & it showed my username / password being sent in
> clear text when connecting to my IMAP server.
>
> Anyone know what encryption WLM is capable of using?

WLM will use TLS on port 25, when the message submission server uses TLS.
This can't be configured in WLM, and, AFAIK, only works on port 25 (e.g.,
TLS on port 587 is not possible with WLM)>

WLM can be configured to use SSL with any port; but only works if the
message submission server uses SSL. Otherwise, it won't work.

WLM can be configured to use SSL with any port for email retrieval. But SSL
with IMAP usually requires using port 993. If your IMAP server doesn't
support port 993, it probably doesn't support SSL. Telling WLM to use SSL in
this case will result in a failure.

Security is driven by the server, and the client only follows the
requirements of the server. If the server can't establish a secure
connection, all of the security options in the client are useless.

[Danny Horne]

Thanks for the answers. I had a read up about Dovecot & now have an SSL
connection for IMAP. My SMTP connection is using the LOGIN mechanism, which
AFAICT is encrypted (couldn't see any clear text passwords being sent after
a Wireshark capture).

[...winston]

Norman or Michael,

Can either of you elaborate on why smtp.live.com and SSL function fine in WLM, OE, WM, Outlook 03, and other 3rd party email
clients as opposed to Outlook 2007 which requires the use of TLS on port 25 or 587(for smtp.live.com) ?

--
...winston
ms-mvp mail

"N. Miller" <anon...@msnews.aosake.net> wrote in message news:1d6cea4pkxr2z$.dlg@msnews.aosake.net...

[Michael Santovec]

You may need to take that up with the Outlook group. I know very little
about Outlook.

--

Mike - http://pages.prodigy.net/michael_santovec/techhelp.htm

"...winston" <winst...@gmail.com> wrote in message
news:ePi6tB#jJHA...@TK2MSFTNGP03.phx.gbl...

[...winston]

Lol..it took me almost a year to get them to acknowledge that TLS in Outlook 2007 instead of SSL was required for pop3 access for
Hotmail Plus or Msn Legacy accounts..so if I hear anything, I'll let you know around Christmas..<g>

--
...winston
ms-mvp mail

"Michael Santovec" <michael_...@prodigy.net> wrote in message news:#ghSxcHk...@TK2MSFTNGP03.phx.gbl...

[N. Miller]

On Sun, 15 Feb 2009 21:12:13 -0500, ...winston wrote:

> Norman or Michael,
>
> Can either of you elaborate on why smtp.live.com and SSL function fine in WLM, OE, WM,
> Outlook 03, and other 3rd party email clients as opposed to Outlook 2007 which requires
> the use of TLS on port 25 or 587(for smtp.live.com) ?

The message submission server actually controls the secure connection; if
the client can't utilize the security protocols implemented by the server,
the connection will fail.

AFAIK, all versions of MS email clients, other than Outlook 2007,
automatically apply TLS to port 25, if the server requires TLS. MSOE and WLM
12.0.1606 do not automatically apply TLS to port 587, nor can they be
manually configured to apply TLS (based on empirical evidence of trying to
connect to 'smtp.gmail.com:587' with MSOE and WLM).

I would guess that MS Outlook 2007 has finally added the option to manually
select TLS when changing to another message submission port than port 25.
Most other third party clients, from Mozilla Thunderbird to Pegasus Mail,
have long had that capability.