Support for APOP

How can I enable VM pro to support APOP? i.e. as per this:

"Short for Authenticated Post Office Protocol, it is similar to the POP protocol except that APOP enables your password to be encrypted while being transmitted over the network. Using POP mail, when you authenticate your username and password in your e-mail client, your password is sent over the network in plain text. If your e-mail client uses APOP, then the password is encrypted while being transmitted. APOP prevents hackers from seeing your password information with sniffer programs."

My VM Pro box on CentOS rejects APOP by default, it seems. So e.g. Thunderbird complains:

“This POP3 server does not seem to support encrypted passwords. If you just set up the account, please try changing to ‘Password, transmitted insecurely’ as the ‘Authentication method’ in the ‘Account Settings | Server settings’. If it used to work and now suddenly fails, this is a common scenario how someone could steal your password.”

That doesn’t seem good!

The plot thickens…

A customer of mine using Apple Mail migrated over to VM from Plesk. She reported that she could not access mail. Then she disabled APOP - and it worked.

I then see on Webmin that under servers >> dovecot >> user & login options >> Authentication methods, “plain text” appears to be selected (but not APOP)

OK… so I try some tests of my own with Thunderbird and Windows Live Mail.

In Thunderbird I set “Authentication method : encrypted password”. I would expect that NOT to work with my VM setup - but it does!

Likewise in Live Mail I set “Log on using authenticated POP (APOP)”, and ditto - that works, when I’d expect it not to!

Confused…

Howdy,

Yeah, Dovecot may not come with APOP enabled by default.

However, APOP is different from other methods that encrypt the password; it’s possible that Thunderbird is using a different protocol for achieving that.

Note though that APOP isn’t really necessary if logging in over a secure connection, which you could achieve by using POP3 with SSL, which defaults to port 995.

So, using plain text passwords along with POP3 over SSL is actually quite secure, which I think is why Dovecot doesn’t enable APOP by default.

You could of course enable that option though if you have users wanting to use that!

-Eric
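An added example, not part of the thread and not Dovecot's or any mail client's code: how a POP3 client decides whether a server offers APOP and what it sends in place of the password, following RFC 1939. The first greeting, user name and secret are RFC 1939's own sample values; the second greeting is constructed to represent a server with APOP disabled.

```python
import hashlib
import re

# RFC 1939: a server that supports APOP ends its greeting with a
# msg-id style timestamp, e.g. <process-id.clock@hostname>.
_TIMESTAMP = re.compile(rb"<[^<>\s]+@[^<>\s]+>")

# Sample greeting from RFC 1939, section 7.
RFC_GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
# Constructed greeting with no timestamp: APOP is not offered.
PLAIN_GREETING = b"+OK Dovecot ready."


def apop_challenge(greeting: bytes):
    """Return the timestamp challenge, or None if the server does not offer APOP."""
    if not greeting.startswith(b"+OK"):
        return None
    match = _TIMESTAMP.search(greeting)
    return match.group(0) if match else None


def apop_digest(challenge: bytes, password: bytes) -> str:
    """MD5 over the timestamp (angle brackets included) followed by the shared secret."""
    return hashlib.md5(challenge + password).hexdigest()


def apop_command(greeting: bytes, user: str, password: str):
    """Build the APOP line a client would send, or None when APOP is unavailable."""
    challenge = apop_challenge(greeting)
    if challenge is None:
        # This is the case in which a mail client reports that the server
        # does not support APOP / encrypted passwords.
        return None
    return f"APOP {user} {apop_digest(challenge, password.encode())}"


if __name__ == "__main__":
    print(apop_command(RFC_GREETING, "mrose", "tanstaaf"))
    print(apop_command(PLAIN_GREETING, "mrose", "tanstaaf"))
```

The digest keeps the password itself off the wire but does not encrypt the session, and the server needs the cleartext password to recompute it.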

Thanks.

I see what you mean - APOP perhaps is not worth going with.

But surely - to use TLS or SSL with ports 993 & 995 (IMAP & POP) each virtual server would need its own SSL certificate, no?

Or is it that email clients don’t care about that? The communication gets encrypted - but unlike SSL with a web page, the identity of the mail server is not guaranteed by a certificate.

Howdy,

Well, a common way of handling that issue is to pick a central domain for your server, buy an SSL certificate for that central domain – and have your users use that one domain to connect to your server.

So, you could buy an SSL cert for example.com, and then have all your users use example.com for sending and receiving email (and you can do the same thing elsewhere – have them use that domain for accessing Virtualmin, webmail, and so forth).

-Eric

I’m familiar with how to install an SSL certificate for Apache. How is it done for email?

By the way - I do believe there is something problematic with iPhones. I have a customer with an iPhone using POP and there seems to be no way it will work with any port or setup combination without complaining that “APOP” is not supported by the server. I then went to Webmin to try to enable Dovecot APOP at “servers >> dovecot >> user & login options >> Authentication methods”, but Dovecot refused to start with both “plain text” and “apop” selected. In this case we’ve switched him to IMAP - & problem solved. But all the same it might be nice to be able to offer APOP?

I’m familiar with how to install an SSL certificate for Apache. How is it done for email?

Once you have SSL set up for a given Virtual Server – you can then go into Server Configuration -> Manage SSL Certificates, and you’ll see a bunch of buttons for copying that SSL cert to other components.

You can copy it to Webmin, Postfix, Dovecot, and Usermin.

-Eric