I love to go and see what I can get away with using telnet. I decided to send and check email from the command line.
Since I consider my test location to be low risk, I decided to try to send my password plaintext over port 25. I was a moderately surprised that it did work, as seen below in the typescript. Now imagine that if I was hosting for more people than just a few family members, any arbitrary user could, perhaps out of ignorance or convenience, be choosing to send their password plaintext. In the event of someone sniffing the authentication data, they would be able to transmit emails using a shell script, which concerns me. There are ports that exist for encrypted transfer of this data (such as 465, 587). What is the current state of the art for preventing the user's client software from being able to do this (sending their authentication details plaintext)? Is it safe to simply block this port external to the machine, for example, in the router? Thanks... $ telnet example.com 25 Trying 87.138.xxx.yyy... Connected to example.com. Escape character is '^]'. 220 example.com ESMTP Postfix (Ubuntu) helo example 250 example.com ehlo example 250-example.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN AUTH LOGIN 334 VXNlcm5hbWU6 dXNlckBleGFtcGxlLm9yZw== 334 UGFzc3dvcmQ6 cGFzc3dvcmQ= 235 2.7.0 Authentication successful mail from: <m...@example.org> 250 2.1.0 Ok rcpt to: <rich.gre...@hushmail.com> 250 2.1.5 Ok data 354 End data with <CR><LF>.<CR><LF> From: xxxx <m...@example.org> To: Rich Greder <rich.gre...@hushmail.com> Subject: Testing This is a test. . 250 2.0.0 Ok: queued as BFDEB3FE30 quit 221 2.0.0 Bye Connection closed by foreign host.
