Hi, Charlie,

On Wed, 26 Mar 2003, Charlie Brady wrote:
>On Wed, 26 Mar 2003, Andreas Aardal Hanssen wrote:
>> Agreed that this is a great way to handle port 993 SSL, but how would you
>> use this to solve STARTTLS?
>What I've shown you is exactly how to solve the STARTTLS problem (port
>993 is so easy I didn't mention it).

Sorry about that. Yes, I see that it uses a very safe method of tunneling SSL and TLS. However, it is a patch only, to one tunnel. It would be great to use it, but it is queer if Binc is to require a patched tunnel in order to operate using SSL or TLS.

One approach would be for us to use all the stuff from Scott's approach natively in Binc. After checkpassword has been called and the tunnel has been set up between parent and child, bincimap-up can setuid/gid to an unprivileged user, drop all its unneeded privileges and enter a chroot jail. That would be a compromise.

Guess the safest solution is to rely on software that other people have written already, but I don't know if people will use this service if it requires a special tcp wrapper and with a special patch applied.

What do you think?

Andy :-)

--
Andreas Aardal Hanssen | http://www.andreas.hanssen.name/gpg
Author of Binc IMAP | Nil desperandum
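
The privilege drop proposed in the message above, sketched in C as an added example (not part of the original e-mail and not Binc's own code). The function name `drop_privileges`, the jail path and uid/gid 65534 are assumptions; `chroot` is called first here because it requires root.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() in glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not Binc's code): confine the calling process to
 * `jail` and switch irreversibly to uid/gid. Returns 0 on success, -1 on
 * failure; on failure the caller must exit, never continue serving. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* refuse to "drop" to root */
        errno = EINVAL;
        return -1;
    }
    /* 1. chroot needs root, so it comes first; chdir("/") makes sure the
     *    working directory does not still point outside the new root. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return -1;
    /* 2. Clear supplementary groups, then gid, then uid. Once setuid()
     *    has run, the process can no longer change its groups. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* 3. Verify the switch took effect and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: the jail path and ids are placeholders. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("uid=%d gid=%d inside jail\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Any file descriptors the process still needs after this point (the tunnel to the child, for instance) have to be opened before the call, since paths outside the jail are no longer reachable.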

