Brian D. Winters wrote:
>It works exactly the same as SSL and IMAP. You can encapsulate any
>TCP connection in an SSL tunnel. This includes IMAP, POP3, telnet, or
>even ssh or another SSL session, although the last two are pretty
>pointless.
>
>Some servers have built-in support for SSL, or you can tack it on
>yourself. I use a program called sslwrap in conjunction with
>qmail-pop3. I believe another freely available program is called
>stunnel(?). When proxying like this typically you restrict
>connections to port 110 to localhost, and then sslwrap (or whatever)
>proxies between an open port 995 (the port assigned for pop3s) and the
>protected port 110.
This is no longer the preferred way to do it, see RFC 2595 (not yet a
standard, but it's on its way). This RFC defines a STLS POP3 command which
initiates TLS (essentially a new and fancy name for SSL, TLSv1 is almost
identical to SSLv3) communication. A similar command (STARTTLS) is defined
for IMAP. The definition for accomplishing the same thing over SMTP (using
the STARTTLS command) is provided in RFC 2487.
qmail can be made to support TLS in accordance with RFC 2487 by applying a
patch at http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch . To my
knowledge, at this time, no such patch can be applied to add RFC 2595
support to qmail-pop3d. Such a project would be harder to accomplish
because of the more modular nature of qmail-pop3d: qmail-popup and
qmail-pop3d both interact with the client over the network. This is
something I've been thinking about, and if I ever get a chance, something
I'd like to try to attack.
Mark
--
Do not reply directly to this e-mail address
--
Mark Mentovai
UNIX Engineer
Gillette Global Network
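The STLS exchange Mark describes (CAPA, STLS, TLS handshake, then CAPA again), as an added example that is not part of the original thread and is not code from qmail, sslwrap or stunnel. The client below follows RFC 2595 for POP3: it only issues STLS in AUTHORIZATION state, discards its cached capabilities after the handshake, and refuses to send a cleartext password when the server does not advertise STLS or rejects it, which is the downgrade case a practitioner has to handle. The ScriptedServer, its capability lines and the tls_wrap hook are constructed for the demo; on a real socket the hook would be ssl.create_default_context().wrap_socket(sock, server_hostname=host) on the client side.

```python
"""POP3 STLS (RFC 2595) client logic exercised against a scripted fake server.

Added example for the thread above; not code from qmail, sslwrap or stunnel.
The server, its responses and the credentials are constructed for the demo.
"""


class StlsRefused(Exception):
    """STLS unavailable or rejected: the client will not fall back to cleartext."""


class ScriptedServer:
    """Constructed fake POP3 server speaking one line at a time (no sockets)."""

    def __init__(self, offers_stls=True, stls_reply="+OK Begin TLS negotiation"):
        self.offers_stls = offers_stls
        self.stls_reply = stls_reply          # what the server says to STLS
        self.tls_active = False
        self.outbox = ["+OK POP3 server ready"]  # greeting, read first by client
        self.log = []                         # (command, sent_under_tls) pairs

    def send_line(self, line):
        self.log.append((line, self.tls_active))
        verb = line.split(" ", 1)[0].upper()
        if verb == "CAPA":
            caps = ["TOP", "UIDL", "USER"]
            # RFC 2595: STLS is advertised only before TLS has been started
            if self.offers_stls and not self.tls_active:
                caps.append("STLS")
            self.outbox += ["+OK Capability list follows"] + caps + ["."]
        elif verb == "STLS":
            if self.offers_stls and not self.tls_active:
                self.outbox.append(self.stls_reply)
            else:
                self.outbox.append("-ERR Command not permitted")
        elif verb in ("USER", "PASS", "QUIT"):
            self.outbox.append("+OK")
        else:
            self.outbox.append("-ERR unknown command")

    def recv_line(self):
        return self.outbox.pop(0)

    def start_tls(self):
        # Stand-in for the handshake: with real sockets both sides would call
        # ssl.SSLContext.wrap_socket() here. Returns the (now protected) transport.
        self.tls_active = True
        return self


def read_multiline(t):
    """Read a dot-terminated multi-line response, undoing RFC 1939 byte-stuffing."""
    lines = []
    while True:
        line = t.recv_line()
        if line == ".":
            return lines
        lines.append(line[1:] if line.startswith("..") else line)


def capabilities(t):
    """Issue CAPA and return the set of capability names (empty if unsupported)."""
    t.send_line("CAPA")
    if not t.recv_line().startswith("+OK"):
        return set()
    return {l.split()[0].upper() for l in read_multiline(t) if l.strip()}


def pop3_login_with_stls(t, user, password, tls_wrap):
    """Require STLS before USER/PASS; tls_wrap(t) performs the handshake."""
    if not t.recv_line().startswith("+OK"):
        raise StlsRefused("bad greeting")
    if "STLS" not in capabilities(t):
        # Falling back to cleartext here is exactly what a stripping attack wants.
        raise StlsRefused("server does not advertise STLS; refusing cleartext login")
    t.send_line("STLS")                      # only legal in AUTHORIZATION state
    reply = t.recv_line()
    if not reply.startswith("+OK"):
        raise StlsRefused("server rejected STLS: " + reply)
    t = tls_wrap(t)                          # handshake starts right after +OK
    caps = capabilities(t)                   # RFC 2595 sect. 4: re-issue CAPA, drop old cache
    if "STLS" in caps:
        raise StlsRefused("server still offers STLS after handshake; treating as broken")
    for cmd in ("USER " + user, "PASS " + password):
        t.send_line(cmd)
        if not t.recv_line().startswith("+OK"):
            raise StlsRefused("authentication failed at: " + cmd.split()[0])
    return t, caps


def demo(offers_stls=True, stls_reply="+OK Begin TLS negotiation"):
    """Run one scripted session; return (outcome, commands sent in cleartext)."""
    srv = ScriptedServer(offers_stls, stls_reply)
    try:
        pop3_login_with_stls(srv, "alice", "s3cret", lambda t: t.start_tls())
        outcome = "logged in under TLS"
    except StlsRefused as e:
        outcome = "refused: " + str(e)
    cleartext = [cmd for cmd, tls in srv.log if not tls]
    return outcome, cleartext


if __name__ == "__main__":
    for args in [(), (False,), (True, "-ERR TLS not available")]:
        print(demo(*args))
```

In every refusal path the only commands that ever crossed the wire in cleartext are CAPA and STLS, never PASS; that property, not the happy path, is what makes STLS safer than an "upgrade if available" client. The sslwrap/stunnel arrangement from the quoted post avoids the downgrade question entirely because port 995 is TLS from the first byte, at the cost of a second port and no way for a client on port 110 to upgrade.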