On Thu, 27 Mar 2003, Andreas Aardal Hanssen wrote:

> On Wed, 26 Mar 2003, Charlie Brady wrote:
> >On Wed, 26 Mar 2003, Andreas Aardal Hanssen wrote:
> >> Agreed that this is a great way to handle port 993 SSL, but how would you
> >> use this to solve STARTTLS?
> >What I've shown you is exactly how to solve the STARTTLS problem (port
> >993 is so easy I didn't mention it).
>
> Sorry about that. Yes, I see that it uses a very safe method of tunneling
> SSL and TLS. However, it is a patch only, to one tunnel. It would be great
> to use it, but it is queer if Binc is to require a patched tunnel in order
> to operate using SSL or TLS.

It's GPL code. Modify it and repackage as you choose.

> One approach would be for us to use all the stuff from Scott's approach
> natively in Binc. After checkpassword has been called and the tunnel has
> been set up between parent and child, bincimap-up can setuid/gid to an
> unprivileged user, drop all its unneeded privileges and enter a chroot
> jail. That would be a compromise.

Well, if you feel the need to reimplement code which already works...

> Guess the safest solution is to rely on software that other people have
> written already, but I don't know if people will use this service if it
> requires a special tcp wrapper and with a special patch applied.
>
> What do you think?

What I think doesn't matter - I've got something that works for me :-) But
see below ...

> I don't know if people will use this service if it
> requires a special tcp wrapper and with a special patch applied.

I'm not sure what you mean by "a special tcp wrapper". If you mean tcpserver
from daemontools, then many people already (very) happily use that software,
but many people also don't. tcpserver is not necessary, one could use *inetd
instead.

Yes, doing it this way requires a patched stunnel. Many people would see that
as a problem. You could easily work around it by bundling the stunnel code,
and calling the resultant binary "binc-tlsproxy" - or "bincimap-up". If you
were to do that, you would probably make various modifications to make the
command line much simpler.

--
Charlie
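The confinement sequence Andreas sketches for bincimap-up (setuid/gid to an unprivileged user, drop remaining privileges, enter a chroot jail), written out as an added C example that is not Binc's, stunnel's or Scott's code. The uid, gid and jail path are caller-supplied assumptions; the point it shows is the order that makes the drop real: chroot while still root, clear supplementary groups, then gid, then uid, then verify that root cannot be regained.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
/* Linux prototypes repeated in case strict feature macros hide them. */
#ifdef __linux__
int chroot(const char *path);
int setgroups(size_t n, const gid_t *list);
#endif

/* Which step failed, so the caller can log something precise before exiting. */
enum drop_status { DROP_OK = 0, DROP_BAD_IDS, DROP_CHROOT, DROP_CHDIR,
                   DROP_SETGROUPS, DROP_SETGID, DROP_SETUID, DROP_NOT_DROPPED };

/* Confine the calling process: chroot while still root, then give up supplementary
 * groups, gid and uid in that order, and prove root is gone. Meant for the child
 * after authentication (the checkpassword step in the thread) has succeeded. */
enum drop_status drop_privileges(uid_t uid, gid_t gid, const char *jail)
{
    if (uid == 0 || gid == 0)           /* "dropping" to root drops nothing */
        return DROP_BAD_IDS;
    if (chroot(jail) != 0)              /* needs root: EPERM or ENOENT otherwise */
        return DROP_CHROOT;
    if (chdir("/") != 0)                /* cwd must be inside the jail too */
        return DROP_CHDIR;
    if (setgroups(0, NULL) != 0)        /* clear supplementary groups while still root */
        return DROP_SETGROUPS;
    if (setgid(gid) != 0)               /* gid before uid: setgid itself needs root */
        return DROP_SETGID;
    if (setuid(uid) != 0)               /* from root this sets real, effective and saved uid */
        return DROP_SETUID;
    /* Verify: every way back to uid 0 must now fail. */
    if (setuid(0) == 0 || seteuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return DROP_NOT_DROPPED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) { fprintf(stderr, "usage: %s uid gid jail-dir\n", argv[0]); return 2; }
    enum drop_status st = drop_privileges((uid_t)atoi(argv[1]), (gid_t)atoi(argv[2]), argv[3]);
    if (st != DROP_OK) { fprintf(stderr, "drop failed at step %d: %s\n", st, strerror(errno)); return 1; }
    printf("confined as uid %d gid %d; hand the tunnel socket to the IMAP code here\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run it as root with a real jail directory to see the full sequence; as an unprivileged user it stops at the chroot step, which is the failure the status codes are there to report.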

