
Re: Open-Relay


Subject: Re: Open-Relay
From: Russ Allbery (rrastanford.edu)
Date: Sun Jan 02 2000 - 19:54:40 CST


Wietse Venema <wietseporcupine.org> writes:
> Alex Miller:

>> Is there an encrypted method to log into pop, smtp, and imap so that
>> villains with packet sniffers can't borrow legitimate users' passwords?
>> Can mail software use them?

> See below for a write-up from the linux-security mailing list.

I'm very surprised that in that write-up there doesn't appear to be a
single mention of SASL. RFC 2222 specifies the SASL mechanism, which is a
pluggable authentication mechanism that can be used as part of virtually
any protocol; it even has examples in the RFC for how to use it with IMAP.
The Andrew II Cyrus Mail group at CMU maintains a SASL library that you
can obtain from ftp.andrew.cmu.edu in /pub/cyrus-mail.

SSL is nice for what it does, but it only solves the transport security
problem. The user still has to authenticate with a password. SASL is a
more general solution that allows other forms of authentication such as
Kerberos service tickets to be used instead. On the other side, SASL does
not solve the transport security problem, being solely an authentication
mechanism, so to encrypt people's e-mail on the wire you still want to use
a mechanism such as ssh or SSL.

(Currently, however, I consider encrypting e-mail at the transport level
to be fairly pointless. For e-mail that must be private,
application-level protection such as PGP encryption is a much better route
to take.)

I've done a proof of concept implementation of an IMAP proxy that uses
SASL to negotiate Kerberos V4 authentication, based on some other work
here, and it's quite easy to work with (all the headaches in that code
came from the IMAP wire protocol itself, which I strongly dislike). I
believe the Cyrus IMAP server (found at the same site mentioned above)
contains full SASL support. I know that client-side support is present in
at least the latest versions of Eudora (although with IMAP it's known to
have a few bugs).

There are far more clients that speak SSL than that speak SASL at present,
but unfortunately SSL alone is rather useless to those of us who use
Kerberos. There's nothing preventing one from using SASL *inside* SSL,
though, and there are benefits to doing so since that would let you use
Kerberos tickets and other alternative authentication mechanisms.

-- 
Russ Allbery (rrastanford.edu)         <URL:http://www.eyrie.org/~eagle/>
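The split the post draws between transport security (SSL) and authentication (SASL) can be made concrete on the client side. The example below is added here and is not code from the post or from the Cyrus project: it parses an IMAP CAPABILITY response and decides how to authenticate, preferring a Kerberos SASL mechanism when the server offers one, falling back to a password mechanism only once the link is encrypted, and refusing otherwise. The sample CAPABILITY lines are constructed, and the mechanism and capability tokens (GSSAPI, KERBEROS_V4, STARTTLS, LOGINDISABLED) are the IANA-registered names, not anything taken from the post.

```python
import base64

# Constructed IMAP CAPABILITY responses, not captured from any real server.
CAP_KERBEROS = b"* CAPABILITY IMAP4rev1 AUTH=GSSAPI AUTH=PLAIN\r\n"
CAP_TLS_ONLY = b"* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\n"


def parse_capabilities(line: bytes):
    """Split a CAPABILITY response into (SASL mechanisms, other capability tokens)."""
    tokens = line.decode("ascii", "strict").strip().split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not a CAPABILITY response")
    mechs = {t[5:].upper() for t in tokens[2:] if t.upper().startswith("AUTH=")}
    others = {t.upper() for t in tokens[2:] if not t.upper().startswith("AUTH=")}
    return mechs, others


def choose_auth(line: bytes, transport_encrypted: bool):
    """Return the IMAP command the client should issue next, or None if no
    option keeps the password off the wire in the clear."""
    mechs, others = parse_capabilities(line)
    # A Kerberos ticket never exposes a reusable password, so it is safe on
    # any transport; this is the "SASL instead of a password" case.
    for kerberos in ("GSSAPI", "KERBEROS_V4"):
        if kerberos in mechs:
            return "AUTHENTICATE " + kerberos
    if not transport_encrypted:
        if "STARTTLS" in others:
            return "STARTTLS"  # encrypt first, then re-read CAPABILITY
        return None  # plaintext password over a sniffable link: refuse
    # Transport is already encrypted ("SASL inside SSL"): a password
    # mechanism is acceptable, PLAIN preferred over the legacy LOGIN command.
    if "PLAIN" in mechs:
        return "AUTHENTICATE PLAIN"
    if "LOGINDISABLED" not in others:
        return "LOGIN"
    return None


def sasl_plain_initial_response(user: str, password: str) -> bytes:
    """Encode the SASL PLAIN message (authzid NUL authcid NUL password) as
    the client sends it after AUTHENTICATE PLAIN. choose_auth only selects
    this once the transport is encrypted."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode())
```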



This archive was generated by hypermail 2b27 : Sun Jan 02 2000 - 19:55:16 CST