James Ebright wrote:
> I believe that sendmail uses Diffie-Hellman key exchange and the MTA
> only keeps the master_secret in memory for a short period of time and
> must be redetermined during every conversation, so technically yes, I
> think a middle MTA could see it, but it would be a lot more work than
> I would be willing to put in to see it in real time. I suppose you
> could modify the source to store unencrypted local copies and mirror
> that in real time.... but I can think of other easier ways to get
> copies of your outgoing email if I really wanted them (like say for a
> court ordered subpoena).
Hmm. I think you're still a little confused. TLS is really a generic method for encrypting communication between two arbitrary systems. It does NOT specify what's done with the data at either end. (Think HTTPS, or POP3S, or IMAPS - technically, AIUI, all use TLS.) What it prevents (or at least significantly guards against) is capture of the TCP/IP packet stream (even at either system's local kernel level) by a third party. The sending system and receiving system are essentially running standard SMTP otherwise; and any of the standard methods of pulling data out of the MTA at either end should work just fine.

It's important not so much to prevent capture of the message data - although it helps to some degree there - but with preventing capture of somewhat more sensitive data such as SMTP AUTH tokens of several flavours. It's also of rather limited use as an authentication system in and of itself with the right certificates.

> If the data is that sensitive then use a third party encryption on
> the message itself or don't send it via email.

Yep. *Really* high-security data shouldn't be on a network that's Internet-connected, period, IMO; and if you need to transfer data you stuff it on a USB key or hard drive and take the physical device from network A to network B. (If you're really paranoid, you destroy the physical transport device once you've pulled the data.)

For most data that should be secured, but which is MUCH more convenient to handle online? PGP. (Or GPG, or whatever PGP-equivalent you feel like using.)

-kgd
--
Get your mouse off of there! You don't know where that email has been!

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
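The point kgd makes above (TLS protects the wire between two hops, and in particular keeps SMTP AUTH credentials away from anyone sniffing the path, while both MTAs still handle the message in the clear) can be shown concretely. The following is an added example, not code from the thread, MIMEDefang or sendmail: it walks an SMTP session transcript the way a passive observer on the path would, decodes any AUTH PLAIN (RFC 4616) or AUTH LOGIN credentials sent before TLS, and stops at the server's 220 reply to STARTTLS, beyond which the observer sees only TLS records. The three transcripts, the hostnames and the user/password pairs are constructed for the example.

```python
"""Added example: what a third party on the path sees of SMTP AUTH
with and without STARTTLS. Transcripts below are constructed, not captured."""
import base64


def b64_text(token):
    """Decode a base64 SMTP AUTH token to text; None if it is not valid base64/UTF-8."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_auth_plain(token):
    """RFC 4616 PLAIN: base64(authzid NUL authcid NUL password) -> (user, password) or None."""
    text = b64_text(token)
    if text is None or text.count("\0") != 2:
        return None
    _authzid, authcid, password = text.split("\0")
    return authcid, password


def find_cleartext_credentials(transcript):
    """Scan a 'C: '/'S: ' transcript; return (tls_started, [(mechanism, user, password), ...]).

    Scanning stops at the server's 220 reply to STARTTLS: from then on the
    path only carries TLS records. Everything before that point is readable
    by anyone between the two hops, including AUTH tokens.
    """
    creds = []
    state = None          # None | "await-tls" | "plain" | "login-user" | "login-pass"
    login_user = None
    for line in transcript.splitlines():
        if len(line) < 3 or line[:3] not in ("C: ", "S: "):
            continue
        side, payload = line[0], line[3:]
        if side == "S":
            if state == "await-tls":
                if payload.startswith("220"):
                    return True, creds    # TLS from here; nothing further is readable
                state = None              # server refused STARTTLS; still in the clear
            continue
        cmd = payload.upper()
        if state == "plain":              # continuation line after a bare AUTH PLAIN
            cred = decode_auth_plain(payload)
            state = None
            if cred:
                creds.append(("PLAIN",) + cred)
        elif state == "login-user":       # AUTH LOGIN: base64 username, then password
            login_user = b64_text(payload)
            state = "login-pass"
        elif state == "login-pass":
            password = b64_text(payload)
            state = None
            if login_user is not None and password is not None:
                creds.append(("LOGIN", login_user, password))
        elif cmd == "STARTTLS":
            state = "await-tls"
        elif cmd.startswith("AUTH PLAIN "):   # initial response carried on the command line
            cred = decode_auth_plain(payload.split(None, 2)[2])
            if cred:
                creds.append(("PLAIN",) + cred)
        elif cmd == "AUTH PLAIN":
            state = "plain"
        elif cmd.startswith("AUTH LOGIN"):
            parts = payload.split(None, 2)
            if len(parts) == 3:               # username given as initial response
                login_user = b64_text(parts[2])
                state = "login-pass"
            else:
                state = "login-user"
    return False, creds


# Constructed transcripts (hypothetical hosts and accounts). C: client, S: server.
PLAIN_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAHMzY3IzdA==
S: 235 2.7.0 Authentication successful
"""

LOGIN_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: Ym9i
S: 334 UGFzc3dvcmQ6
C: aHVudGVyMg==
S: 235 2.7.0 Authentication successful
"""

STARTTLS_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop.example.test
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: <TLS handshake and encrypted records: AUTH and the message are not visible>
"""

if __name__ == "__main__":
    for name, session in (("PLAIN", PLAIN_SESSION), ("LOGIN", LOGIN_SESSION),
                          ("STARTTLS", STARTTLS_SESSION)):
        print(name, find_cleartext_credentials(session))
```

Run against the first two transcripts the scanner hands back the username and password; against the third it reports that TLS started and returns nothing, which is the whole benefit of STARTTLS here. Note what it does not change: the receiving MTA decrypts the session and has the same plaintext message and credentials it always had, so protecting the body from the MTA operators still needs PGP/GPG on the message itself, as the post says.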

