On Wed, 18 Feb 2004, Jeremy Kitchen wrote:
>On Wed, 2004-02-18 at 01:42, Andreas Aardal Hanssen wrote:
>> One reason is that Binc IMAP supports STARTTLS, which allows admins to
>> provide both plain text and SSL enabled IMAP over port 143 (single port,
>> single firewall hole), and ucspi-ssl doesn't support this.
>true, although starttls I'm not really worried about.  I assume that
>binc running with --ssl as in the /opt/bincimap/var/service/imaps/run
>script wraps the entire connection after it is created, no?

True.

>> Another reason is that Binc IMAP doesn't depend on anything other than the
>> OpenSSL libraries, which makes it easier to install and maintain. Given
>> the SSL certificate and private key, which you need anyway, it's just a
>> single tcp-wrapped IMAP server that gives you what you need.
>quick question there.. are the ssl libraries statically linked or loaded
>as shared objects?  I don't want to have to recompile binc (takes
>FOREVER :P) every time I update ssl, which to be honest, is pretty rare,
>but I'm sure it will happen at some point.

If you configure with --enable-static, you'll have to recompile Binc every 
time. If not, then Binc will just use the new libraries after you upgraded 
them.

>I was mainly wondering for performance/reliability issues.  considering
>it's imap, it can potentially be a long running daemon, and I'm always
>concerned about the stability/reliability of such long running daemons
>:)

Binc IMAP isn't a long running daemon like sendmail and Courier-IMAPish;
it's executed only when a client connects, and closes when a client
disconnects. This means there can only be problems during the time in
which a client is connected, and my observations have shown that most
clients stay connected less than one day; almost all have disconnected
once during 5 days (although some solid numbers here would be very
interesting for those with large volumes).

I agree with you, though, in that Binc shouldn't use SSL unless it's
necessary. So for admins that prefer running IMAP only on port 993
(reasonable), it could make sense to compile --without-ssl and only use an
SSL enabled tcp wrapper instead. As you say, the only downside of doing
this is not being able to use recordio so easily, and the configuring of a
separate service is a bother for many admins.

>Thanks for the input though.  I think I'll just make it consistent and
>use ucspi-ssl for wrapping the services (I'm already using it to wrap
>smtp and pop3)

The documentation could reflect this option; do you care to add your run
script and some clues for new users, to the lifewithbincimap.org wiki?

Andy :-)

--
Andreas Aardal Hanssen   | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP      |  "It is better not to do something
http://www.bincimap.org/ |        than to do it poorly."

