On Fri, Oct 03, 2003 at 03:20:54PM -0700, Lisa Bogue wrote: > Thanks Mark- > > It looks like you are correct. It's a little troublesome in > that the webmail advertises it's ability to use secure > connections and I had configured the conf file to use secure > connections. Perhaps the new version will get it right.
Perhaps it never was wrong? IF ALL access to the mail goes over 'https:...' and is so encrypted, and the connection between 'webmail' and 'imap' is ABSOLUTELY ONLY on the 'localhost', you would not really need to encrypt the imap-protocol between apache and uw_imap on the localhost. Then you only have to make sure not to allow access to the unencrypted imap from the normal network interface. I did that once by starting imapd with bernstein's tcptools (binding only to localhost) and once by using the tcpwrappers in imapd to drop every connection not coming from localhost. If somebody 'sniff'es on the localhost, everything's lost anyway :-) Stucki (postmaster at math/inf/mi.fu-berlin.de)
