OK, I've found the info on SSL support at http://www.inter7.com/courierimap/INSTALL.html. I've confirmed that I already have SSL support included and the imapd-ssl daemon (as well as popd-ssl) are started at boot time. I've also confirmed the existence of the self-generated cert.

To test, I tried logging into imap with a known (previously working) user. As expected, it generated an error. My mail client (Eudora Windows) advised me that the cert was untrusted and that the domain didn't match the server (which is true; it's a virtual domain) and that I could add it to my list of trusted certs. I did. Trying again, Eudora now just fails to log in. It simply says "operation failed:". Reading my maillog, there is the entry:

    imapd: Connection, ip=[::ffff:10.1.18.64]
    imapd: starttls: accept: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)

Which is undecipherable to me (pun intended).

I have been using MySQL for authentication, and there is no evidence of a query in the logs. I assume that this is where the problem is; that SSL authenticates against actual unix users? Is this true? I really didn't want to have user accounts for all of the email accounts.

Also, just to make sure I understand the methodology of allowing pop for everyone but imap for some, am I going to just run imapd-ssl, and not imapd, and popd but not popd-ssl?

Rob

>Hi
>
>bronto wrote the following at 18:35 29.05.2002:
>>>Hi Rob
>>>
>>>Security by obscurity has never been a good solution. You might
>>>want to look at a certificate based authentication scheme with
>>>TLS/SSL which IMHO is a lot safer.
>>
>>IMAP vs. POP isn't really a true security issue in this instance.
>>It's more a matter of support; I want to allow ourselves - within
>>the company - to use IMAP, but not clients, unless they're
>>'special'. My idea was that by hiding it, the users wouldn't know
>>it was there. Unless they are unusually sophisticated, in which
>>case we I don't care.
>
>Exactly, why not use certificates for everyone who is allowed to
>connect to IMAP anybody else remains locked out, even if they are
>sophisticated.
>
>regards
>
>Erich Titl
>
>THINK
>Püntenstrasse 39
>8143 Stallikon
>mailto:[EMAIL PROTECTED]
>PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
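
Added example, not part of the original post or of Courier's own code: a decoder for the packed OpenSSL error code in the maillog entry quoted above. It assumes the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason); the function and variable names are hypothetical, and the second test line in the comments is constructed.

```python
import re

# Pre-3.0 OpenSSL packs an error as: (lib << 24) | (func << 12) | reason.
# OpenSSL 3.x uses a different layout, so this decoder does not apply there.
ERR_LIB_SSL = 20              # 0x14, the "SSL routines" library
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 are 1000 + TLS alert number

# TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}

# The two maillog entries quoted in the message above.
SAMPLE_LOG = """\
imapd: Connection, ip=[::ffff:10.1.18.64]
imapd: starttls: accept: error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000)
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode_openssl_error(line):
    """Return the unpacked fields of an OpenSSL error string, or None."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    out = {"lib": lib, "func": func, "reason": reason,
           "lib_name": m.group(2), "func_name": m.group(3), "peer_alert": None}
    # In the SSL library, a reason at or above the offset reports an alert
    # received from the peer rather than a local failure.
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        n = reason - SSL_AD_REASON_OFFSET
        out["peer_alert"] = (n, TLS_ALERTS.get(n, "unknown"))
    return out

def decode_log(text):
    """Decode every OpenSSL error found in a block of log text."""
    return [d for d in map(decode_openssl_error, text.splitlines()) if d]

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

For the quoted entry this yields library 20, function 148, reason 1000, which is alert number 0 (close_notify) sent by the client during the TLS handshake, a stage that runs before any IMAP login is attempted.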
