Server: POP before SMTP

POP before SMTP was a hack to prove your identity to a mail server in use nearly twenty years ago. Postman doesn’t support it. Neither has anyone else on the Internet since 2002, AFAIK.

Did you setup the mail server yourself? I think you need to fix it’s settings.

Jason, no I did not. Thank you vey much for the information. Going to follow up this issue.

So what is the alternative? To disable that option? Or to reverse that, meaning SMTP before POP (if that ever has been an option)?

In any case, I will asked the server support for it.

I guess if I’m using your plugin; at least for WP, that mentioned issue wouldn’t be one.

Again, I’m going to fix that strange security issue very soon.

Thanks

— Rainer

So what is the alternative? To disable that option?

SMTP has proper authentication. Plain, Login, CRAM-MD5 and OAuth 2.0. The mail server you are attempting to connect to should enable one (or all) of those.

Maybe it is obvously, but thanks to let me know. I’m sure I do have proper server security installed, not just sure now which one.

As for your plugin, I tried plain, login and OAuth 2.o – and all of them worked. Not sure what kind of security CRAM-MD5 is. It looks like an encryption but so is OAuth and login.

Looks like I need to make the tradeoff between speed and security (encryption method) as this is always the case.

Keep on with the good work!

— Rainer

Encryption of the data is provided by either SMTPS or STARTTLS. Additional encryption of your password is provided only by CRAM-MD5. OAuth 2.0 uses tokens instead of passwords. Plain/Login uses no encryption, and if you use Plain/Login without SMTPS or STARTTLS, your password is exposed.

As for speed + security… even if you go full security with SMTP you won’t notice a speed difference. Computers are that fast now.

Cheers

Jason, thanks for clarification. It helped.
– Rainer

P.S. I had the feeling that OAuth 2.0 was much slowlier than STARTTLS, but perhaps it was only my computer. And as far as OAuth 2.0 goes, I found it difficult to setup (that is, to get the information of the tokens easily from Google’s site). If you could automate this, that would be great.

But no complains! You gave some hints and I got what I wanted.
— Rainer

Automating generating the token would defeat the purpose – it is supposed to be a manual process and not something a program can do.

I do agree with you that google’s interface for creating the client ID certainly could be easier.

Perhaps not fully automatically, but semi-automatically — presenting the site/forms etc but still entering the requested information manually. But I guess that could be still a kind of security breach.
— Rainer