Bug 1009233 - Help on mail account settings for authentication method needs updating. r=IanN
author rsx11m <rsx11m.pub@gmail.com>
Fri, 23 May 2014 09:22:36 -0500
changeset 8319 f5d0a1112c17fc5dfd3e397a0179e3312121e524
parent 8318 3dd4b790e4bf2b224ec677cef2349bf234876417
child 8320 a82ac777222b90f280540d777ac3f405286f5318
push id 1
push user axel@mozilla.com
push date Tue, 10 Oct 2017 22:14:06 +0000
reviewers IanN
bugs 1009233
Bug 1009233 - Help on mail account settings for authentication method needs updating. r=IanN
X-Channel-Repo: comm-central
X-Channel-Converted-Revision: dc57ef9f10b36c042da3c328fc1ca27de04a025a
suite/chrome/common/help/glossary.xhtml
suite/chrome/common/help/help-glossary.rdf
suite/chrome/common/help/mailnews_account_settings.xhtml
--- a/suite/chrome/common/help/glossary.xhtml
+++ b/suite/chrome/common/help/glossary.xhtml
@@ -35,16 +35,17 @@
 
 <dt id="authentication">authentication</dt><dd>The use of a password,
   certificate, personal identification number (PIN), or other information to
   validate an identity over a computer network. See also
   <a href="#password-based_authentication">password-based authentication</a>,
   <a href="#certificate-based_authentication">certificate-based
   authentication</a>, <a href="#client_authentication">client
   authentication</a>, <a href="#server_authentication">server
+  authentication</a>, <a href="#secure_authentication">secure
   authentication</a>.</dd>
 
 <dt id="bookmark">bookmark</dt><dd>A stored <a href="#web_page">web page</a>
   address (<a href="#url">URL</a>) that you can go to easily by clicking a
   bookmark icon in the <a href="#personal_toolbar">Personal Toolbar</a> or
   choosing the bookmark&apos;s name from the Bookmarks menu.</dd>
 
 <dt id="ca">CA</dt><dd>See <a href="#certificate_authority">certificate
@@ -96,19 +97,19 @@
 
 <dt id="certificate_backup_password">certificate backup password</dt><dd>A
   password that protects a certificate that you are backing up or have
   previously backed up. Certificate Manager asks you to set this password when
   you back up a certificate, and requests it when you attempt to restore a
   certificate that has previously been backed up.</dd>
 
 <dt id="certificate-based_authentication">certificate-based
-  authentication</dt><dd>Verification of identity based on certificates and
-  public-key cryptography. See also
-  <a href="#password-based_authentication">password-based
+  authentication</dt><dd>Verification of identity based on 
+  <a href="#certificate">certificates</a> and public-key cryptography.
+  See also <a href="#password-based_authentication">password-based
   authentication</a>.</dd>
 
 <dt id="certificate_chain">certificate chain</dt><dd>A hierarchical series of
   certificates signed by successive certificate authorities. A CA certificate
   identifies a <a href="#certificate_authority">certificate authority (CA)</a>
   and is used to sign certificates issued by that authority. A CA certificate
   can in turn be signed by the CA certificate of a parent CA and so on up to a
   <a href="#root_ca">root CA</a>.</dd>
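Review bot: The added line ending in "Verification of identity based on" in the certificate-based authentication entry carries a trailing space. Drop it before landing so the file does not pick up whitespace noise.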
@@ -182,16 +183,21 @@
   information about you, such as the contents of your shopping cart. You can set
   your cookie preferences to control how cookies are used and how much
   information you are willing to let websites store on them. See also
   <a href="#third-party_cookie">third-party cookie</a>.</dd>
 
 <dt id="cookie_manager">Cookie Manager</dt><dd>The part of the browser
   that you can use to control <a href="#cookie">cookies</a>.</dd>
 
+<dt id="cram_md5">CRAM-MD5</dt><dd>A
+  <a href="#cryptographic_algorithm">cryptographic algorithm</a> used for
+  <a href="#encrypted_password">password encryption</a> to achieve
+  <a href="#secure_authentication">secure authentication</a>.</dd>
+
 <dt id="crl">CRL (certificate revocation list)</dt><dd>A list of revoked
   certificates that is generated and signed by a
   <a href="#certificate_authority">certificate authority (CA)</a>. You can
   download the latest CRL to your browser or to a server, then check against it
   to make sure that certificates are still valid before permitting their use
   for authentication.</dd>
 
 <dt id="cryptographic_algorithm">cryptographic algorithm</dt><dd>A set of
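Review bot: The new CRAM-MD5 entry defines it as a cryptographic algorithm used for "password encryption", but CRAM-MD5 is a challenge-response authentication mechanism: the client answers a server challenge with a keyed MD5 digest, and the password itself is never transmitted, encrypted or otherwise. Suggest describing it as a challenge-response method, so readers do not assume the server decrypts and recovers a transmitted password.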
@@ -243,16 +249,25 @@
   decryption operations. Each pair corresponds to a separate
   <a href="#certificate">certificate</a>. See also
   <a href="#public-key_cryptography">public-key cryptography</a>.</dd>
 
 <dt id="eavesdropping">eavesdropping</dt><dd>Surreptitious interception of
   information sent over a network by an entity for which the information is not
   intended.</dd>
 
+<dt id="encrypted_password">encrypted password</dt><dd>Used for
+  <a href="#password-based_authentication">password-based authentication</a>
+  to achieve <a href="#secure_authentication">secure authentication</a>.
+  The user&apos;s password is encrypted before it is sent to the server
+  (e.g., by methods like <a href="#cram_md5">CRAM-MD5</a>) to prevent that
+  anyone eavesdropping on the connection from seeing it in clear text.  This
+  mechanism is frequently used when no <a href="#secure_connection">secure
+  connection</a> method is available.</dd>
+
 <dt id="encryption">encryption</dt><dd>The process of scrambling information in
   a way that disguises its meaning. For example, encrypted connections between
   computers make it very difficult for third-parties to unscramble, or
   <em>decrypt</em>, information flowing over the connection. Encrypted
   information can be decrypted only by someone who possesses the appropriate
   key. See also <a href="#public-key_cryptography">public-key
   cryptography</a>.</dd>
 
@@ -302,16 +317,19 @@
 
 <dt id="frame">frame</dt><dd>Frames are <a href="#web_page">web pages</a>
   contained inside of an all-encompasssing <q>meta</q> page.</dd>
 
 <dt id="ftp">FTP (File Transfer Protocol)</dt><dd>A
   standard that allows users to transfer files from one computer to another
   over a network. You can use your browser to fetch files using FTP.</dd>
 
+<dt id="gssapi">GSSAPI (Generic Security Services Application Program
+  Interface)</dt><dd>See <a href="#kerberos">Kerberos</a>.</dd>
+
 <dt id="helper_application">helper application</dt><dd>Any application that is
   used to open or view a file downloaded by the browser. A
   <a href="#plugin">plugin</a> is a special kind of helper application that
   installs itself into the Plugins directory of the main browser installation
   directory and can typically be opened within the browser itself (internally).
   Microsoft Word, Adobe Photoshop, and other external applications are
   considered helper applications but not plugins, since they don&apos;t
   install themselves into the browser directory, but can be opened from the
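Review bot: The GSSAPI entry only redirects to Kerberos, yet the Kerberos definition added in this patch never mentions GSSAPI, so a reader who follows the link does not learn how the two relate. Add a clause to one of the two entries saying that GSSAPI is the generic interface through which the mail client uses Kerberos.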
@@ -392,16 +410,24 @@
 
 <dt id="key">key</dt><dd>A large number used by a
   <a href="#cryptographic_algorithm">cryptographic algorithm</a> to encrypt or
   decrypt data. A person&apos;s public key, for example, allows other people to
   encrypt messages to that person. The encrypted messages must be decrypted
   with the corresponding private key. See also
   <a href="#public-key_cryptography">public-key cryptography</a>.</dd>
 
+<dt id="kerberos">Kerberos</dt><dd>A mechanism to use single-signon,
+  <a href="#smart_card">smart cards</a>, or other custom methods to
+  <a href="#authentication">authenticate</a> access without using
+  <a href="#password-based_authentication">passwords</a> for each individual
+  service.  Used mostly in large enterprise/institutional networks where
+  authentication is provided by centralized services like
+  <a href="#ldap">LDAP</a>.</dd>
+
 <dt id="language_pack">language pack</dt><dd>A type of
   <a href="#add-on">add-on</a> that adds a new language to the user interface
   of &brandShortName;.</dd>
 
 <dt id="ldap">LDAP (Lightweight Directory Access Protocol)</dt><dd>A standard
   protocol for accessing directory services, such as corporate address books,
   across multiple platforms. You can set up your browser to access LDAP
   directories from the Address Book. You can also set up Mail &amp; Newsgroups
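Review bot: The Kerberos entry says authentication "is provided by centralized services like LDAP", while this glossary's own LDAP entry defines LDAP as a protocol for accessing directory services; Kerberos authentication comes from a ticket-issuing service, with a directory at most supplying the account data. Suggest rewording that clause, and spelling "single-signon" as "single sign-on".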
@@ -451,16 +477,21 @@
   provides one form of nonrepudiation. A
   <a href="#digital_signature">digital signature</a> provides another.</dd>
 
 <dt id="notification_bar">notification bar</dt><dd>A bar that appears at the
   top of the content area to inform you about something that needs your
   attention, e.g. when the Password Manager can save a password for you, a
   popup has been blocked or an additional plugin is required.</dd>
 
+<dt id="ntlm">NTLM (NT LAN Manager)</dt><dd>A protocol for
+  <a href="#authentication">authentication</a> in local networks that is
+  proprietary to Microsoft Windows.  Used mostly in enterprise/institutional
+  networks.</dd>
+
 <dt id="object_signing">object signing</dt><dd>A technology that allows
   software developers to sign Java code, JavaScript scripts, or any kind of
   file, and that allows users to identify the signers and control access by
   signed code to local system resources.</dd>
 
 <dt id="object-signing_certificate">object-signing certificate</dt><dd>A
   certificate whose corresponding private key is used to sign objects such as
   code files. See also <a href="#object_signing">object signing</a>.</dd>
@@ -596,25 +627,31 @@
   users to search for and retrieve specific information from the
   <a href="#world_wide_web">World Wide Web (WWW)</a>. The search engine may
   search the full text of web documents or a list of keywords, or use
   librarians who review web documents and index them manually for retrieval.
   Typically, the user types a word or phrase, also called a query, into a
   search box, and the search engine displays links to relevant web pages.</dd>
 
 <dt id="secure_authentication">secure authentication</dt><dd>A type of
-  <a href="#authentication">authentication</a> which uses a
-  <a href="#secure_connection">secure connection</a> so the communication
-  between client and server is encrypted.</dd>
+  <a href="#authentication">authentication</a> which can be achieved by
+  <a href="#encrypted_password">encryption of the password</a> or by mechanisms
+  like <a href="#kerberos">Kerberos</a> and <a href="#ntlm">NTLM</a>.  Not to
+  be confused with <a href="#secure_connection">secure connection</a>.</dd>
 
-<dt id="secure_connection">secure connection</dt><dd>A connection between a
-  client and a server which uses some type of encryption (usually,
-  <a href="#ssl">SSL</a>) to ensure it can&apos;t be intercepted by
-  third-parties. Most of the time, the server is the one providing the
-  certificate to identify itself.</dd>
+<dt id="secure_connection">secure connection</dt><dd>A connection using
+  <a href="#ssl">SSL</a> or <a href="#tls">TLS</a>.  All communication between
+  your computer and the server is <a href="#encryption">encrypted</a> so that
+  no third party eavesdropping on your connection can read it.  Note that the
+  data is only encrypted during transmission between your client application
+  and the server, after that it is no longer encrypted.  To prove its
+  authenticity to the client, the server needs to identify itself using a
+  <a href="#certificate">certificate</a>.  A bad certificate can indicate
+  an attack on the server or the connection, thus it is important to heed
+  certificate warnings.</dd>
 
 <dt id="security_certificate">security certificate</dt><dd>See
   <a href="#certificate">certificate</a>.</dd>
 
 <dt id="security_device">security device</dt><dd>Hardware or software that
   provides cryptographic services such as encryption and decryption and can
   store certificates and keys. A <a href="#smart_card">smart card</a> is one
   example of a security device implemented in hardware.
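Review bot: The rewritten secure connection entry links to #tls, but no hunk in this patch adds a tls definition or index entry, so confirm that the anchor already exists in glossary.xhtml or the link will be dead. In the same entry, "and the server, after that it is no longer encrypted" is a comma splice; split it into two sentences.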
@@ -833,15 +870,15 @@
   a web page to define special tags. For more information, see the online W3C
   document
   <a href="http://www.w3.org/XML/">Extensible Markup Language (XML)</a>.</dd>
 
 <dt id="xslt">XSLT (Extensible Stylesheet Language Transformation)</dt><dd>A
   language used to convert an XML document into another XML document or into
   some other format.</dd>
 
-<dt id="xul">XUL (XML User Interface Language)</dt><dd>A XML markup language
+<dt id="xul">XUL (XML User Interface Language)</dt><dd>An XML markup language
   for creating user interfaces in applications.</dd>
 
 </dl>
 
 </body>
 </html>
--- a/suite/chrome/common/help/help-glossary.rdf
+++ b/suite/chrome/common/help/help-glossary.rdf
@@ -29,61 +29,66 @@
         <rdf:li> <rdf:Description nc:name="certificate verification" nc:link="glossary.xhtml#certificate_verification"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="cipher" nc:link="glossary.xhtml#cipher"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="client" nc:link="glossary.xhtml#client"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="client authentication" nc:link="glossary.xhtml#client_authentication"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="client SSL certificate" nc:link="glossary.xhtml#client_ssl_certificate"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Component Bar" nc:link="glossary.xhtml#component_bar"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="cookie" nc:link="glossary.xhtml#cookie"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Cookie Manager" nc:link="glossary.xhtml#cookie_manager"/> </rdf:li>
+        <rdf:li> <rdf:Description nc:name="CRAM-MD5" nc:link="glossary.xhtml#cram_md5"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="CRL" nc:link="glossary.xhtml#crl"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="cryptographic algorithm" nc:link="glossary.xhtml#cryptographic_algorithm"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="cryptography" nc:link="glossary.xhtml#cryptography"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="decryption" nc:link="glossary.xhtml#decryption"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="digital ID" nc:link="glossary.xhtml#digital_id"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="digital signature" nc:link="glossary.xhtml#digital_signature"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="distinguished name (DN)" nc:link="glossary.xhtml#distinguished_name"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Do Not Track" nc:link="glossary.xhtml#do_not_track"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="dual key pairs" nc:link="glossary.xhtml#dual_key_pairs"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="eavesdropping" nc:link="glossary.xhtml#eavesdropping"/> </rdf:li>
+        <rdf:li> <rdf:Description nc:name="encrypted password" nc:link="glossary.xhtml#encrypted_password"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="encryption" nc:link="glossary.xhtml#encryption"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="encryption certificate" nc:link="glossary.xhtml#encryption_certificate"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="encryption key" nc:link="glossary.xhtml#encryption_key"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="extension" nc:link="glossary.xhtml#extension"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="feed" nc:link="glossary.xhtml#feed"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="fingerprint (certificate)" nc:link="glossary.xhtml#fingerprint"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="fingerprinting (browser)" nc:link="glossary.xhtml#fingerprinting"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="FIPS PUBS 140-1" nc:link="glossary.xhtml#fips_pubs_140-1"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="foreign cookie" nc:link="glossary.xhtml#foreign_cookie"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="frame" nc:link="glossary.xhtml#frame"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="FTP" nc:link="glossary.xhtml#ftp"/> </rdf:li>
+        <rdf:li> <rdf:Description nc:name="GSSAPI" nc:link="glossary.xhtml#gssapi"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="helper application" nc:link="glossary.xhtml#helper_application"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="home page" nc:link="glossary.xhtml#home_page"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="HTML" nc:link="glossary.xhtml#html"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="HTTP" nc:link="glossary.xhtml#http"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="HTTPS" nc:link="glossary.xhtml#https"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="IMAP" nc:link="glossary.xhtml#imap"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="implicit consent" nc:link="glossary.xhtml#implicit_consent"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Internet" nc:link="glossary.xhtml#internet"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="IP address" nc:link="glossary.xhtml#ip_address"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="IRC" nc:link="glossary.xhtml#irc"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="ISP" nc:link="glossary.xhtml#isp"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Java" nc:link="glossary.xhtml#java"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="JavaScript" nc:link="glossary.xhtml#javascript"/> </rdf:li>
+        <rdf:li> <rdf:Description nc:name="Kerberos" nc:link="glossary.xhtml#kerberos"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="key" nc:link="glossary.xhtml#key"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="LDAP" nc:link="glossary.xhtml#ldap"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="language pack" nc:link="glossary.xhtml#language_pack"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Location Bar" nc:link="glossary.xhtml#location_bar"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Malware" nc:link="glossary.xhtml#malware"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="master key" nc:link="glossary.xhtml#master_key"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="master password" nc:link="glossary.xhtml#master_password"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="misrepresentation" nc:link="glossary.xhtml#misrepresentation"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Navigation Toolbar" nc:link="glossary.xhtml#navigation_toolbar"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="nonrepudiation" nc:link="glossary.xhtml#nonrepudiation"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="notification bar" nc:link="glossary.xhtml#notification_bar"/> </rdf:li>
+        <rdf:li> <rdf:Description nc:name="NTLM" nc:link="glossary.xhtml#ntlm"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="object signing" nc:link="glossary.xhtml#object_signing"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="object-signing certificate" nc:link="glossary.xhtml#object-signing_certificate"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="OCSP" nc:link="glossary.xhtml#ocsp"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="OPML" nc:link="glossary.xhtml#opml"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="password-based authentication" nc:link="glossary.xhtml#password-based_authentication"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Password Manager" nc:link="glossary.xhtml#password_manager"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="Personal Toolbar" nc:link="glossary.xhtml#personal_toolbar"/> </rdf:li>
         <rdf:li> <rdf:Description nc:name="phishing" nc:link="glossary.xhtml#phishing"/> </rdf:li>
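Review bot: The Kerberos index entry is placed before "key" here, but in glossary.xhtml the Kerberos definition is inserted after the "key" entry, so the index and the glossary body list the two in different orders. Move the definition in glossary.xhtml above "key" so both stay alphabetical.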
--- a/suite/chrome/common/help/mailnews_account_settings.xhtml
+++ b/suite/chrome/common/help/mailnews_account_settings.xhtml
@@ -205,30 +205,62 @@
   <li><strong>Port</strong>: Unless otherwise instructed to do so by your
     service provider or system administrator, leave this setting
     unchanged.</li>
   <li><strong>Connection security</strong>: Choose one of the available options
     to establish a <a href="glossary.xhtml#secure_connection">secure
     connection</a> to your incoming IMAP server. You can choose one of these:
     <ul>
       <li><strong>None</strong>: &brandShortName; will use a plain connection,
-        without encryption at all. You should choose this <strong>only</strong>
-        if your incoming server doesn&apos;t support any type of security.</li>
+        without encryption at all. You should choose this <em>only</em> if your
+        incoming server allows password encryption or doesn&apos;t support any
+        type of security.</li>
       <li><strong>STARTTLS</strong>: Require an encrypted connection, use the
         <a href="glossary.xhtml#starttls">STARTTLS</a> method. This mechanism
         will usually run on the standard IMAP port 143.</li>
       <li><strong>SSL/TLS</strong>: Require an encrypted connection, use the
         IMAP-over-SSL method. The default port for this is 993.
       </li>
     </ul>
   </li>
-  <li><strong>Use secure authentication</strong>: Choose this setting if you
-    want to use secure mechanisms for logging in like CRAM-MD5. If you are
-    unsure if your service supports this, contact your service provider or
-    system administrator.</li>
+  <li><strong>Authentication method</strong>: Choose one of the available
+    options to use <a href="glossary.xhtml#secure_authentication">secure
+    authentication</a> with your incoming IMAP server. You can choose one of
+    these:
+    <ul>
+      <li><strong>Normal password</strong>: &brandShortName; will send your
+        password as clear text, without encryption at all. This option is
+        safe when SSL/TLS or STARTTLS is used.</li>
+      <li><strong>Password, transmitted insecurely</strong>: Same as
+        <q>Normal password</q> but only available when a connection security
+        of <q>None</q> is selected and hence is unsafe. Do <em>not</em> choose
+        this unless your incoming server doesn&apos;t support any type of
+        security at all.</li>
+      <li><strong>Encrypted password</strong>: Require the encryption of the
+        user&apos;s credentials as supported by the server, such as
+        <a href="glossary.xhtml#cram_md5">CRAM-MD5</a>. This option is safe
+        to use even if the connection security setting is <q>None</q>, but
+        only the password would be secured in this way, not any content.</li>
+      <li><strong>Kerberos / GSSAPI</strong>: Choose this option if your
+        computer is set up for secure authentication using
+        <a href="glossary.xhtml#kerberos">Kerberos</a>. You may need to
+        acquire a Kerberos ticket by using a separate program, or it may be
+        assigned to you when logging into your computer.</li>
+      <li><strong>NTLM</strong>: Choose this option if your computer is set up
+        for secure authentication using an <a href="glossary.xhtml#ntlm">NT
+        LAN Manager</a>. In general, Kerberos should be preferred over NTLM as
+        it provides for a higher level of security.</li>
+      <li><strong>TLS Certificate</strong>: Choose this option to use
+        <a href="glossary.xhtml#certificate-based_authentication">certificate-based
+        authentication</a> on a connection with SSL/TLS or STARTTLS enabled,
+        without the need to provide any password for authentication.</li>
+    </ul>
+    If you are unsure which options are supported by your server, contact your
+    service provider or system administrator.
+  </li>
   <li><strong>Check for new messages at startup</strong>: Choose this setting
     if you want Mail &amp; Newsgroups to automatically check this account for
     new messages whenever you start Mail &amp; Newsgroups.</li>
   <li><strong>Check for new messages every [__] minutes</strong>: Choose this
     setting to automatically check for new messages, and then specify the
     number of minutes between mail checks. If you do not select this setting,
     you can check for new messages at any time by clicking Get Msgs in the Mail
     window.</li>
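Review bot: The Encrypted password item calls the option "safe to use even if the connection security setting is None", which overstates what CRAM-MD5 provides on a plain connection: the challenge and the response are both visible to an eavesdropper, who can test password guesses against them offline, and nothing authenticates the server. Suggest "safer than a normal password" in place of "safe", keeping the caveat that message content is not protected. The same sentence recurs in the POP and SMTP sections and should be changed there too.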
@@ -310,30 +342,62 @@
   <li><strong>Port</strong>: Unless otherwise instructed to do so by your
     service provider or system administrator, leave this setting
     unchanged.</li>
   <li><strong>Connection security</strong>: Choose one of the available options
     to establish a <a href="glossary.xhtml#secure_connection">secure
     connection</a> to your incoming POP server. You can choose one of these:
     <ul>
       <li><strong>None</strong>: &brandShortName; will use a plain connection,
-        without encryption at all. You should choose this <strong>only</strong>
-        if your incoming server doesn&apos;t support any type of security.</li>
+        without encryption at all. You should choose this <em>only</em> if your
+        incoming server allows password encryption or doesn&apos;t support any
+        type of security.</li>
       <li><strong>STARTTLS</strong>: Require an encrypted connection, use the
         <a href="glossary.xhtml#starttls">STARTTLS</a> method. This mechanism
         will usually run on the standard POP port 110.</li>
       <li><strong>SSL/TLS</strong>: Require an encrypted connection, use the
         POP-over-SSL method. The default port for this is 995.
       </li>
     </ul>
   </li>
-  <li><strong>Use secure authentication</strong>: Choose this setting if you
-    want to use secure mechanisms for logging in like CRAM-MD5 and APOP. If you
-    are unsure if your server supports this, contact your service provider or
-    system administrator.</li>
+  <li><strong>Authentication method</strong>: Choose one of the available
+    options to use <a href="glossary.xhtml#secure_authentication">secure
+    authentication</a> with your incoming POP server. You can choose one of
+    these:
+    <ul>
+      <li><strong>Normal password</strong>: &brandShortName; will send your
+        password as clear text, without encryption at all. This option is
+        safe when SSL/TLS or STARTTLS is used.</li>
+      <li><strong>Password, transmitted insecurely</strong>: Same as
+        <q>Normal password</q> but only available when a connection security
+        of <q>None</q> is selected and hence is unsafe. Do <em>not</em> choose
+        this unless your incoming server doesn&apos;t support any type of
+        security at all.</li>
+      <li><strong>Encrypted password</strong>: Require the encryption of the
+        user&apos;s credentials as supported by the server, such as
+        <a href="glossary.xhtml#cram_md5">CRAM-MD5</a> or APOP. This option is
+        safe to use even if the connection security setting is <q>None</q>, but
+        only the password would be secured in this way, not any content.</li>
+      <li><strong>Kerberos / GSSAPI</strong>: Choose this option if your
+        computer is set up for secure authentication using
+        <a href="glossary.xhtml#kerberos">Kerberos</a>. You may need to
+        acquire a Kerberos ticket by using a separate program, or it may be
+        assigned to you when logging into your computer.</li>
+      <li><strong>NTLM</strong>: Choose this option if your computer is set up
+        for secure authentication using an <a href="glossary.xhtml#ntlm">NT
+        LAN Manager</a>. In general, Kerberos should be preferred over NTLM as
+        it provides for a higher level of security.</li>
+      <li><strong>TLS Certificate</strong>: Choose this option to use
+        <a href="glossary.xhtml#certificate-based_authentication">certificate-based
+        authentication</a> on a connection with SSL/TLS or STARTTLS enabled,
+        without the need to provide any password for authentication.</li>
+    </ul>
+    If you are unsure which options are supported by your server, contact your
+    service provider or system administrator.
+  </li>
   <li><strong>Check for new messages at startup</strong>: Choose this setting
     if you want Mail &amp; Newsgroups to automatically check this account for
     new messages whenever you start Mail &amp; Newsgroups. For POP accounts,
     Mail &amp; Newsgroups doesn&apos;t download the new messages until you
     click Get Msgs on the Mail toolbar.</li>
   <li><strong>Check for new messages every [__] minutes</strong>: Choose this
     setting to automatically check for new messages, and then specify the
     number of minutes between mail checks. If you do not select this setting,
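Review bot: The POP Encrypted password item names APOP next to CRAM-MD5, but only CRAM-MD5 gets a glossary link, and this patch adds no APOP entry to glossary.xhtml or help-glossary.rdf. Either add an APOP definition or describe it inline in a few words.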
@@ -388,19 +452,19 @@
     when you created this account.</li>
   <li><strong>Server Name</strong>: The server name that you specified when you
     created this account. If you are having problems receiving messages from
     this account, verify with your service provider or system administrator
     that the server name you entered is correct.</li>
   <li><strong>Port</strong>: Unless otherwise instructed to do so by your
     service provider or system administrator, leave this setting
     unchanged.</li>
-  <li><strong>Connection security</strong>: Choose &quot;SSL/TLS&quot; if your
+  <li><strong>Connection security</strong>: Choose <q>SSL/TLS</q> if your
     news server is configured to send and receive encrypted messages, or
-    &quot;None&quot; if it doesn&apos;t support it. If you are unsure, contact
+    <q>None</q> if it doesn&apos;t support it. If you are unsure, contact
     your service provider or system administrator.</li>
   <li><strong>Check for new messages at startup</strong>: Choose this setting
     to automatically check for new messages when you first open the Mail &amp;
     Newsgroup component of &brandShortName;.</li>
   <li><strong>Check for new messages every [__] minutes</strong>: Choose this
     setting to automatically check for new messages, and then specify the
     number of minutes between mail checks. If you do not select this setting,
     you can check for new messages at any time by clicking Get Msgs in the Mail
@@ -1082,41 +1146,72 @@
   <li><strong>Description</strong>: A short freetext description of that server
     configuration. This will show up as first part in the server list.</li>
   <li><strong>Server name</strong>: The SMTP server that will deliver your
     outgoing mail. To use a different SMTP server, change this field.</li>
   <li><strong>Port</strong>: The port on which the SMTP server will be
     connected. By default it holds the standard port for the specified
     encryption. Change it if the mail server is listening for connections
     on a non-standard port.</li>
-  <li><strong>Use name and password</strong>: If your SMTP server requires
-    authentication to send mail, select this option and enter your user name.
-    The first time you send mail, you will be prompted for your password. At
-    that time you can instruct &brandShortName; to save your password for
-    future sessions.</li>
-  <li><strong>Use secure authentication</strong>: Choose this setting if you
-    want to use secure mechanisms for logging in like CRAM-MD5. If you are
-    unsure if your service supports this, contact your service provider or
-    system administrator.</li>
-  <li><strong>Use secure connection</strong>: There are two methods for
-    establishing a <a href="glossary.xhtml#secure_connection">secure
-    connection</a> to your outgoing server. Pick the one your server supports
-    (if you make a choice for which your server is not configured, you will
-    get an error message when sending mail).
+  <li><strong>Connection security</strong>: Choose one of the available options
+    to establish a <a href="glossary.xhtml#secure_connection">secure
+    connection</a> to your outgoing SMTP server. You can choose one of these:
     <ul>
-      <li><strong>STARTTLS, if available</strong>: &brandShortName; will try to
-        negotiate encryption using the
-        <a href="glossary.xhtml#starttls">STARTTLS</a> method. If the server
-        doesn&apos;t support it, an unencrypted connection is used.</li>
+      <li><strong>None</strong>: &brandShortName; will use a plain connection,
+        without encryption at all. You should choose this <em>only</em> if your
+        outgoing server allows password encryption, doesn&apos;t support any
+        type of security at all, or if no authentication is required to send
+        messages.</li>
       <li><strong>STARTTLS</strong>: Require an encrypted connection, use the
         <a href="glossary.xhtml#starttls">STARTTLS</a> method. This mechanism
-        will usually run on the standard SMTP port 25.</li>
+        will usually run on the standard SMTP-submission port 587 or the
+        generic port 25.</li>
       <li><strong>SSL/TLS</strong>: Require an encrypted connection, use the
         SMTP-over-SSL (also known as SMTPS) method. The default port for this
         is 465.</li>
     </ul>
+    If you make a choice for which your server is not configured, you will
+    get an error message when sending mail.
   </li>
+  <li><strong>Authentication method</strong>: Choose one of the available
+    options to use <a href="glossary.xhtml#secure_authentication">secure
+    authentication</a> with your incoming SMTP server. You can choose one of
+    these:
+    <ul>
+      <li><strong>No authentication</strong>: Neither a user name nor a
+        password will be sent to the server. This option may be chosen if
+        the SMTP server is in a local network or if other means are provided
+        to authenticate the user, such as <q>POP before SMTP</q>.</li>
+      <li><strong>Normal password</strong>: &brandShortName; will send your
+        password as clear text, without encryption at all. This option is
+        safe when SSL/TLS or STARTTLS is used.</li>
+      <li><strong>Password, transmitted insecurely</strong>: Same as
+        <q>Normal password</q> but only available when a connection security
+        of <q>None</q> is selected and hence is unsafe. Do <em>not</em> choose
+        this unless your outgoing server doesn&apos;t support any type of
+        security at all.</li>
+      <li><strong>Encrypted password</strong>: Require the encryption of the
+        user&apos;s credentials as supported by the server, such as
+        <a href="glossary.xhtml#cram_md5">CRAM-MD5</a>. This option is safe
+        to use even if the connection security setting is <q>None</q>, but
+        only the password would be secured in this way, not any content.</li>
+      <li><strong>Kerberos / GSSAPI</strong>: Choose this option if your
+        computer is set up for secure authentication using
+        <a href="glossary.xhtml#kerberos">Kerberos</a>. You may need to
+        acquire a Kerberos ticket by using a separate program, or it may be
+        assigned to you when logging into your computer.</li>
+      <li><strong>NTLM</strong>: Choose this option if your computer is set up
+        for secure authentication using an <a href="glossary.xhtml#ntlm">NT
+        LAN Manager</a>. In general, Kerberos should be preferred over NTLM as
+        it provides for a higher level of security.</li>
+    </ul>
+    If you are unsure which options are supported by your server, contact your
+    service provider or system administrator.
+  </li>
+  <li><strong>User Name</strong>: The user name that you specified when you
+    created this account. Not available if <q>No authentication</q> is
+    selected.</li>
 </ul>
 
 <p>[<a href="#mail_and_newsgroups_account_settings">Return to beginning of
   section</a>]</p>
 </body>
 </html>
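Review bot: The new SMTP Authentication method item says "with your incoming SMTP server", but this is the outgoing server section, and the Connection security item just above it correctly says "outgoing SMTP server". Change "incoming" to "outgoing"; it looks like a leftover from copying the IMAP/POP text.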