Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello Peter,

Saturday, May 22, 2004, 6:34:03 PM, you wrote:

PP Hello List,

PP On Friday, May 21, 2004 at 5:21:36 PM [EMAIL PROTECTED] wrote (at
PP least in part):

In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mail address and Your password of Your mailbox over the internet.
PP [...]
 This is only true for SMTP Authentication of type plain and login.

 With CRAM-MD5 it's quite safe.
PP [...]
 Yes, it's 'quite' safe, but You still reveal Your e-mail address.
 If there are many hops between Your workstation and the smtpserver,
 You can get some spam in return.

PP Well, as you are this enlightened you'll for sure be able to tell me
PP the difference to POP authentication then, aren't you?
PP I don't talk about the different protocol; but in my limited
PP (inherited from my ancestors, which, as you stated, /pretended/ to be
PP the most bright) mind and with a lot of ignorance I thought POP3 sends
PP my username and pass as well. Using vpopmail for POP3 server the
PP username will most the time be my e-mail-address; exactly the same you
PP say it's insecure to send.

PP But I'm pretty sure you'll be able to tell me where my mistake is
PP located, because POP-b4-SMTP is, as you claimed yourself (see above),
PP MUCH MORE secure than SMTP-AUTH.

 More, Your mail is sent in plaintext.

PP Why do you mix authentication method and connection security? It's
PP two VERY different layers in communication model.
PP The one is layer 3/4, the other is layer 7 in OSI model.

PP There is NOTHING you can mix about them, there is NOTHING you can
PP compare them on. It's like comparing apples and plants. The plant
PP MIGHT be an apple tree, but you simply can't tell.

PP So please stop whining, write a SMTP-over-SSL-HOWTO and be happy.

 I prefer encrypted streams,

PP You're free to do. But what's the relation to a SMTP-AUTH problem?

Before You make comments, first read the previous post.  I am talking
about TLS, smtps and You are talking about pop3, complete out of the
road.  When I see word like 'enligtment' and I some sarcasm, seems You
are German either, see my previous comment.  Stop Your sarcasm, and
rebuild first Your country and mentality.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]


 www.guide.be * www.gids.be * www.guide.fr * www.shop.fr

 / \ sarl GUIDE (sdet)
 --- the GUIDE, de GIDS, TELESHOP, SHOP
 __   |   __ 128, rue du faubourg de Douai  
|  /  |  \  |FR-59000 Lille, La France
 / \  |  / \ Tél/Fax +32 59 26.91.51 Mobile +32 479 212.841
 /|__\|/__|\ Sitehttp://sarl.guide.fr
 \|  /|\  |/ N° TVA  FR-55.440.243.988
|\ /  |  \ /|RC Lille 74075/2001B01478
|__\  |  /__|Siret 440 243 988 00027
  |  Compte BE: KREDBEBB (BIC) BE56.466-5571951-88 (IBAN)  
 
 --- Compte FR: CMCIFR2A (BIC) FR76.1562-9027-0200-0455-1870-127 (IBAN)
 \ / Conditions (terms): http://sarl.guide.fr/conditions.php  

www.teleshop.fr * www.teleshop.be * www.teleshop.biz * www.teleshop.info * 
www.teleshop.name




Re: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello Peter,

Saturday, May 22, 2004, 9:03:21 PM, you wrote:

PP Hello List,

PP On Saturday, May 22, 2004 at 8:06:41 PM [EMAIL PROTECTED] wrote (at
PP least in part):

PP [full quote snipped]
 Before You make comments, first read the previous post.

PP Well, ok. *erm* I just recognize: already done.

 I am talking about TLS, smtps

PP You are. In fact you are.
PP But maybe I just have to repeat my question, maybe you did not
PP recognize it, because there was too much confusing text around it:

PP Why do you mix authentication method and connection security?

 and You are talking about pop3, complete out of the road.

PP No. Now I'm pretty sure the whole mass of text confused you. I told
PP you, SMTP-AUTH sends the e-mail-address and password as well as
PP POP3-AUTH does. This was related to your comment (I'm allowed to quote
PP your comment in mid:[EMAIL PROTECTED]):

PP ,-
PP | In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
PP | security as SMTP after POP,
PP `-

PP You YOU started comparing SMTP-AUTH to other, POP3-invocating,
PP authentication / relay-allowing, methods.
PP So IF POP3 is out of the road, it is only YOU who brought it into
PP this thread.

 When I see word like 'enligtment' and I some sarcasm, seems You
 are German either,

PP You're so ... so ... amusing. You need the word enlightment (which
PP I did not even write; I wrote you're enlightened) and some sarcasm
PP for recognizing a fact, which can easily be obtained from the senders
PP address? You ARE funny.

 see my previous comment.

PP The one in mid:[EMAIL PROTECTED]? I saw. And I had
PP to laugh out loudly about such a simple minded attitude.

 Stop Your sarcasm,

PP Why? Who are you to tell me stopping sarcasm? What makes you better
PP than anybody else? What makes you assume my ancestors gave me that
PP beautiful gift of sarcasm? What makes you sure you can even think
PP about any comparison between times of WWI and WWII and my behavior
PP just right now? What makes you French existence better than mine?

 and rebuild first Your country

PP I won't. There're some million people in this country, I don't see a
PP single reason why I should rebuild it.
PP - First: I don't see a necessity to /rebuild/ it. Some (partly major)
PP   changes might be suitable, but a complete rebuild is far too much.
PP - Second: I'm personally am much to less of a being for having the
PP   ability to rebuild the whole country.
PP - Third: even if I would start, there are so many (mostly
PP   politicians, nevertheless enough commercial leaders) people guiding
PP   this country into its current misery. My work would not stop this.

PP There are some other reasons, but this would become too much OT. But
PP I'm quite sure you know what you're talking about. At least it's just
PP the reality that's far behind your statements.

 and mentality.

PP ??? You're is better? Your
PP Q: I don't get SMTP-AUTH to work. Please help
PP A: Use SSL!
PP way of participating and helping others, your You're sarcastic,
PP you're a f*g German! You're behaving like your ancestors 1900-1945!
PP [which implies I'm a either a Caesars fellow or a national socialist;
PP and you don't even know me enough for being at least 1% sure about this
PP facts] is a better mentality?

PP C'mon, guy. You don't want to tell me, you're the better human
PP being? You don't really want to do EXACTLY what you blame me to do:
PP [pretend] to be the most bright race???
PP You don't really want to tell me (us) we Germans are (still? again?)
PP the bad, ugly, fascistic people and it's the French that'll help the
PP world out of the misery, because of their perfect mind set, given by
PP place of birth and live??? If you really do, you're much poorer than
PP I thought and you don't even deserve being read on this list.

PP P.S.: If you feel the need to reply: please try trimming your quotes
PP to the relevant parts. It is not necessary to full quote and
PP increase list traffic above the unavoidable level. I don't even ask
PP for slightly reducing your signature; 18 lines is quite a lot.

I didn't, sometimes people think what You mean, and one word brings
another.  I started about smtp ssl and the improvements above
smtp-auth, and at some moment others read half words and start to
answer in terms of encryption.

if You append some Germans, who start to flame with words like

quote Erwin Hoffman  : 'You are joking, troll.'
quote Peter Palmreuther  : 'as you are this enlightened'
quote Paul Theodoropoulos [EMAIL PROTECTED]  : '... this troll..'

Well You known You have to do with egotrippers, people You don't have
the maturity to do a nice discussion about the topic.

The only professional answer in this case was from some other people,
definitely people who are working for major companies, who don't need
their ego to defend themselves.

I was helping a guy out here, i don't need an appended answers from
people 

Re[2]: [vchkpw] Re: SMTP Auth HOWTO?

2004-05-22 Thread magazine
Hello X-Istence,

Saturday, May 22, 2004, 11:06:33 PM, you wrote:


XI Your first message, which started this flamewar.

 snip

 Roy,

 In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
 security as SMTP after POP, because with SMTP-Auth, You sent Your
 e-mail address and Your password of Your mailbox over the internet.
 When a man-in-the-middle catch this e-mail (or worse Your PW), he can
 use it for spam, or access Your mailbox.

XI Well, considering you send your entire email over the line to get access
XI to pop, this claim is not true. Just thought I'd bring this up, as
XI everywhere else you are suggesting that it is not true that you said that.

XI Hell, pop3-ssl would be the same as smtp-ssl both would allow secure
XI authentication.

XI SMTP after POP is a pain, and it doesn't help against these so called man
XI  in the middle attacks. Unless of course you would also provide a patch
XI to make it pop3-ssl, in which case the next thing you say would be a
XI better solution.


 I suggest You use: SHUPP's version with netqmail like :

 fetch http://www.qmail.org/netqmail-1.05.tar.gz
 tar xzvf netqmail-1.05.tar.gz
 cd netqmail-1.05
 ./collate.sh

 # patch with Shupp's TLS and SMTP-Auth
 fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
 patch < ./netqmail-1.05-tls-smtpauth-20040207.patch


XI So now that we have smtp-ssl, or smtps, how is SMTP after POP still more
XI secure? Why not just start an SSL connection and then auth with SMTP? I
XI don't see a difference at all. You brought POP in for no apparent reason
XI at all. Hell, I'd rather use SMTP auth than first pop and then sending
XI the mail, as it's a pain in the ass to configure most mail clients to do
XI POP before SMTP.

 certificate:

 You can copy those (extension .pem) from :
 freeBSD, vpopmail stuff
 cd /var/qmail/control
 cp /usr/local/cert/ipop3d.pem servercert.pem
 ln -s servercert.pem ./clientcert.pem


XI Breached# ls /usr/local/cert/ipop3d.pem
XI ls: /usr/local/cert/ipop3d.pem: No such file or directory

XI hrm, that's FreeBSD BTW.

 Activate TLS by create a certificate, and You will be much better off
 to create an encrypted connection to Your SMTP server by the SMTP Enc
 smtps   465/tcp   #smtp protocol over TLS/SSL (was ssmtp)
 smtps   465/udp   #smtp protocol over TLS/SSL (was ssmtp)

 snip 500 million line sig

XI X-Istence


'SMTP after POP' is a technique.  I clearly stated to do POP3-SSL, to
have afterwards a 'SMTP after POP' functionality.  You authenticate
completely with encryption, You get the smtp server open due to Your
authentication for several minutes (for Your IP, if You wish), and You
have Your 'SMTP after POP'.  If I try to define it 'SMTP after
POP3_SSL', well we have a new definition.

You can take words out of the sentence, especially when someone
writes terrible English, like I do, but I really know every topic
what You mean.  First try to understand, and answer on the same road
I explained and not of the road.

And if some people start with flaming...  The flamewar did NOT start
with my message.  It started with Mr Doctor Hoffmans words, I quote  'troll'

Well if we You to the road of ego, I can put other things on the
table, but this serves not this list, and it was already a waste of
time.

This is my final answer, You can help out the guy with his problem.
I leave it all to You, nice guys.  I have a company to run.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]



Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Jeremy,

Friday, May 21, 2004, 3:47:18 PM, you wrote:

JK On Friday, May 21, 2004 5:41 AM, DEBO Jurgen E. G. wrote:
 In the OLD days, people were happy with SMTP-Auth. I consider it LESS
 security as SMTP after POP, because with SMTP-Auth, You sent Your
 e-mail address and Your password of Your mailbox over the internet.

JK Are you insinuating that this is not so with POP3 (or SMTP after POP) ?

JK LOL


JK Jeremy Kister
JK http://jeremy.kister.com/


No not at all, where do You get this ?  Maybe You read it Your way.
You can authenticate with POP3-SSL, and have a SMTP after POP, so where
is Your point, in this case ?

What I was insinuating was to use TLS for SMTP, and not SMTP Auth.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Erwin,

Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH Hi,

EH At 11:41 21.05.04 +0200, you wrote:
Hello blist,


In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mail address and Your password of Your mailbox over the internet.
When a man-in-the-middle catch this e-mail (or worse Your PW), he can
use it for spam, or access Your mailbox.

EH This is only true for SMTP Authentication of type plain and login.

EH With CRAM-MD5 it's quite safe.

EH Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

EH regards.
EH --eh.

EH Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

Yes, it's 'quite' safe, but You still reveal Your e-mail address.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.

More, Your mail is sent in plaintext.  I prefer encrypted streams,
so SUPP's patch which encrypts the stream with SSL, and authenticate
afterwards (in plaintext) is still the best way to go, it's not a big
effort to realize.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]


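Added example (not part of the original posts): the claims exchanged above about PLAIN, LOGIN and CRAM-MD5, shown as what a reader of an unencrypted SMTP session recovers from each mechanism. The account, password and challenge values are constructed, and the function names are illustrative.

```python
"""What each SMTP AUTH mechanism exposes on a cleartext connection."""
import base64
import hashlib
import hmac

# Constructed sample account and server challenge; not taken from the thread.
USER, PASSWORD = "alice@example.org", "correct horse battery"
CHALLENGE = b"<1234.1085152896@mail.example.org>"


def b64(data):
    return base64.b64encode(data).decode("ascii")


def auth_plain(user, password):
    """AUTH PLAIN (RFC 4616): base64 of authzid NUL authcid NUL password."""
    blob = b"\0" + user.encode() + b"\0" + password.encode()
    return ["AUTH PLAIN " + b64(blob)]


def auth_login(user, password):
    """AUTH LOGIN: user name and password as two separate base64 lines."""
    return ["AUTH LOGIN", b64(user.encode()), b64(password.encode())]


def auth_cram_md5(user, password, challenge):
    """CRAM-MD5 (RFC 2195): user name plus hex HMAC-MD5 keyed by the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return ["AUTH CRAM-MD5", b64(user.encode() + b" " + digest.encode())]


def decode_cleartext(client_lines):
    """Decode the client's lines the way any hop reading the stream can.

    base64 is an encoding, not encryption, so no secret is needed here.
    """
    mech = client_lines[0].split()[1]
    if mech == "PLAIN":
        blob = base64.b64decode(client_lines[0].split()[2])
        _authzid, user, password = blob.split(b"\0")
        return {"user": user.decode(), "password": password.decode(),
                "digest": None}
    if mech == "LOGIN":
        user, password = (base64.b64decode(l).decode() for l in client_lines[1:3])
        return {"user": user, "password": password, "digest": None}
    if mech == "CRAM-MD5":
        user, digest = base64.b64decode(client_lines[1]).decode().rsplit(" ", 1)
        # The address is still readable; the password itself is not sent.
        # The digest remains tied to the password, which is why it is only
        # "safer" than PLAIN/LOGIN rather than a substitute for TLS.
        return {"user": user, "password": None, "digest": digest}
    raise ValueError("unknown mechanism: " + mech)


def server_verify_cram(client_lines, challenge, password_db):
    """Server side of CRAM-MD5: recompute the HMAC over the challenge it issued.

    The server must hold the password (or an equivalent secret) to do this.
    """
    seen = decode_cleartext(client_lines)
    secret = password_db.get(seen["user"])
    if secret is None or seen["digest"] is None:
        return False
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, seen["digest"])


if __name__ == "__main__":
    db = {USER: PASSWORD}
    for lines in (auth_plain(USER, PASSWORD), auth_login(USER, PASSWORD),
                  auth_cram_md5(USER, PASSWORD, CHALLENGE)):
        print(lines[0].split()[1], "->", decode_cleartext(lines))
    captured = auth_cram_md5(USER, PASSWORD, CHALLENGE)
    print("accepted for issued challenge:",
          server_verify_cram(captured, CHALLENGE, db))
    print("same response, fresh challenge:",
          server_verify_cram(captured, b"<9999.1@mail.example.org>", db))
```

Running the session over TLS (smtps or STARTTLS) hides all three exchanges, user name included, between the client and its own mail server.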




Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Jeremy,

Friday, May 21, 2004, 5:20:40 PM, you wrote:

JK On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
 EH This is only true for SMTP Authentication of type plain and login.
 EH With CRAM-MD5 it's quite safe.

 Yes, it's 'quite' safe, but You still reveal Your e-mail address.
 If there are many hops between Your workstation and the smtpserver,
 You can get some spam in return.

JK I am truly amazed at that statement.

 More, Your mail is sent in plaintext.  I prefer encrypted streams,
 so SUPP's patch which encrypts the stream with SSL, and authenticate
 afterwards (in plaintext) is still the best way to go, it's not a big
 effort to realize.

JK but most servers out there don't have TLS support so your email still goes
JK across unencrypted.

JK for instance, I use smtps to talk to my mail server, purely because I have it
JK available (I'm not using smtp auth or anything) but I realize that when it
JK leaves my server it's not encrypted.

JK If you want end to end encryption of emails, most MUAs support pgp/gpg/s-mime
JK encryption formats.

JK -Jeremy

I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
to secure the stream up to Your mailserver (one step), but in this
step, You 'can' have many hops between You and Your workstation, so
this stream is the first to protect anyway.  I agree on the fact there
aren't many TLS servers, but if everyone do his own part to install
the TLS option, we have in a little decade a much nicer place to have
secure mail transport.  If people stick with smtp-auth, we never get
there.

A little bit out of topic, but same can be told about qmail-scanner
and Spamm-ass.  Two memory hogs due to perl.  There are alternatives
like qscan and dspam, but to find info to install it, a mess.  So a
lot use the easy road and stick with those perlscripts and downgrade
their qmailserver.

(note: even Your soft, courier-imap seems to have an option for
spamass, would be nice to see Dspam(.org) instead)

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Nick,

Friday, May 21, 2004, 8:02:19 PM, you wrote:


NH [EMAIL PROTECTED] wrote:

Hello Jeremy,

Friday, May 21, 2004, 5:20:40 PM, you wrote:

JK On Friday 21 May 2004 10:21 am, [EMAIL PROTECTED] wrote:
  

EH This is only true for SMTP Authentication of type plain and login.
EH With CRAM-MD5 it's quite safe.

NH CRAM-MD5 makes it safer, not quite safe.

Yes, it's 'quite' safe, but You still reveal Your e-mail address.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.
  


JK I am truly amazed at that statement.
  

NH This sounds pretty ridiculous to me also. People who spend inordinate
NH amounts of time actually worrying about having their traffic sniffed,
NH probably shouldn't be using anything remotely resembling common internet
NH protocols.

NH snip

Privacy issues are hot topic, You know.  If You know, some
'sensitive' data is often maintained with a single mailbox.  I give
You some samples.  A domainname You own, which can be stolen by
impersonating You, by a hacked mailbox.  Or someone, who use Your
mailbox to contact your customers (if You have a company).  Ok, with
all worms out, it's common mailboxes are often spoofed, but it's
really embarrassing if the mail comes from Your servers !  When Your
mailserver is several hops away from You,  You consider encrypting the
route to it.  I wouldn't care someone sniffs my browsing attitudes, but
I want to keep my mails to my customers, my mails to maintain cvs or
domain names protected, so it all starts with a secure mailserver.

I agree on this.  But why to promote smtp-auth in plaintext, cram when You have smtps
to secure the stream up to Your mailserver (one step), but in this
step, You 'can' have many hops between You and Your workstation, so
this stream is the first to protect anyway.  I agree on the fact there
aren't many TLS servers, but if everyone do his own part to install
the TLS option, we have in a little decade a much nicer place to have
secure mail transport.  If people stick with smtp-auth, we never get
there.
  

NH Some of us don't actually have the luxury of smtp-tls because we have
NH one physical mail server, or cluster thereof, serving multiple domains.

One physical server can hold many virtual servers in a Unix jail
environment.

NH These domains are all hidden from each other, so unless we start
NH running separate smtpd instances, with their own configs, separate IPs
NH we cannot present a certificate to each client that'd match what their
NH mail client expects.

Well, we do it that way.  By the Jails and IP aliases.

(note: even Your soft, courier-imap seems to have an option for
spamass, would be nice to see Dspam(.org) instead)
  

NH I think this'd be a show us the code request. There are quite a few
NH ways to use spamassassin where its not a ridiculous memory hog 
NH (spamc/spamd for one).

I prefer C code, don't You ? Take a look to dspam.  Afterwards, You
may have another point of view.  With spam-ass You don't have
problems, if You have a small user base.  When You have a lot of users
on Your mailserver, it brings any server to its knees, regardless of
any setup.  It's the overhead of perl.

I prefer to gain the speed for other services, instead of losing it to
issues as spam.

Qmail is a great server, but if You use perl scripts 'to manipulate'
the mailqueue, You have something to worry about.  Each e-mail
triggers the scripts, first qmail-scanner, secondly spamm-ass.

NH Cheers,
NH Nick Harring
NH Webley Systems






-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[4]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Erwin,

Friday, May 21, 2004, 7:37:15 PM, you wrote:

EH Hi,

EH At 17:21 21.05.04 +0200, you wrote:
Hello Erwin,

Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH Hi,

EH At 11:41 21.05.04 +0200, you wrote:
Hello blist,


In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
security as SMTP after POP, because with SMTP-Auth, You sent Your
e-mail address and Your password of Your mailbox over the internet.
When a man-in-the-middle catch this e-mail (or worse Your PW), he can
use it for spam, or access Your mailbox.

EH This is only true for SMTP Authentication of type plain and login.

EH With CRAM-MD5 it's quite safe.

EH Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK


Yes, it's 'quite' safe, but You still reveal Your e-mail address.
If there are many hops between Your workstation and the smtpserver,
You can get some spam in return.

More, Your mail is sent in plaintext.  I prefer encrypted streams,
so SUPP's patch which encrypts the stream with SSL, and authenticate
afterwards (in plaintext) is still the best way to go, it's not a big
effort to realize.

EH Pls. tell us how you intend to communicate to the rest of the world by
EH means of email with encrypted addresses.

EH You are joking, troll.

EH regards.
EH --eh.



EH Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

To be rude and without respect, this was the speciality of Your
ancestors when they pretended to be the most bright race on Earth.
For Your records anno 1914-18, 1940-1945.  Clearly, some can't deny
their roots.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[2]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Patrick,

Friday, May 21, 2004, 9:34:30 PM, you wrote:

PD [EMAIL PROTECTED] wrote:

PD Hello Erwin,

PD Friday, May 21, 2004, 7:37:15 PM, you wrote:

EH Hi,

EH At 17:21 21.05.04 +0200, you wrote:

PD Hello Erwin,

PD Friday, May 21, 2004, 5:14:30 PM, you wrote:

EH Hi,

EH At 11:41 21.05.04 +0200, you wrote:

PD Hello blist,

PD In the OLD days, people were happy with SMTP-Auth.  I consider it LESS
PD security as SMTP after POP, because with SMTP-Auth, You sent Your
PD e-mail address and Your password of Your mailbox over the internet.
PD When a man-in-the-middle catch this e-mail (or worse Your PW), he can
PD use it for spam, or access Your mailbox.

EH This is only true for SMTP Authentication of type plain and login.

EH With CRAM-MD5 it's quite safe.

EH Read: http://www.fehcom.de/qmail/smtpauth.html#FRAMEWORK

PD Yes, it's 'quite' safe, but You still reveal Your e-mail address.
PD If there are many hops between Your workstation and the smtpserver,
PD You can get some spam in return.

PD More, Your mail is sent in plaintext.  I prefer encrypted streams,
PD so SUPP's patch which encrypts the stream with SSL, and authenticate
PD afterwards (in plaintext) is still the best way to go, it's not a big
PD effort to realize.

EH Pls. tell us how you intend to communicate to the rest of the world by
EH means of email with encrypted addresses.

EH You are joking, troll.

EH regards.
EH --eh.

EH Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/
EH Wiener Weg 8, 50858 Cologne | T: +49 221 484 4923 | F: ...24

PD To be rude and without respect, this was the speciality of Your
PD ancestors when they pretended to be the most bright race on Earth.
PD For Your records anno 1914-18, 1940-1945.  Clearly, some can't deny
PD their roots.



PD Ahhh...yes! A flame war...always nice :)

I quote from the one who has bringing 'the gas': EH You are joking, troll

Well, I didn't start.  This list is to help people.  It's not about to be picky
or to be arrogant, if someone share another view, he has the right to put his vision
forward and to defend his case.  You can discuss topics without
insulting people and without words like 'troll', maintained in the
directory of Dr. Erwin Hoffmann.  Maybe I write terrible English, but
I am on the internet for a few decades, and some use our programs
quite a lot in their BSD stuff.  I don't need insults of someone, who
thinks to have the right to insult people, because he has a PhD.

-- 
Best regards,
 DEBO Jurgen
 mailto:[EMAIL PROTECTED]






Re[4]: [vchkpw] SMTP Auth HOWTO?

2004-05-21 Thread magazine
Hello Nick,

Friday, May 21, 2004, 10:13:29 PM, you wrote:


NH On Fri, 2004-05-21 at 14:36, [EMAIL PROTECTED] wrote:
 Hello Nick,
 
 Friday, May 21, 2004, 8:02:19 PM, you wrote:
 
 
NH snip
 NH snip
 
 Privacy issues are hot topic, You know.  If You know, some
 'sensitive' data is often maintained with a single mailbox.  I give
 You some samples.  A domainname You own, which can be stolen by
 impersonating You, by a hacked mailbox.  Or someone, who use Your
 mailbox to contact your customers (if You have a company).  Ok, with
 all worms out, it's common mailboxes are often spoofed, but it's
 really embarrassing if the mail comes from Your servers !  When Your
 mailserver is several hops away from You,  You consider encrypting the
 route to it.  I wouldn't care someone sniffs my browsing attitudes, but
 I want to keep my mails to my customers, my mails to maintain cvs or
 domain names protected, so it all starts with a secure mailserver.
 
NH Encrypting traffic between your mail client and your mail server has
NH very little to do with what you're talking about. Keeping email secure
NH is completely different from encrypting the stream of conversation
NH between you and your smtp server.

Yes, i understand what You mean.  But I am talking about the security
issue, not to neglect the security issues when You connect from 'Your home',
very often in a C-range/mask 255.255.255.0 with others, You pass
a gateway, several routers to reach Your mailserver and You log in, in
an unsecured way.  With SMTP-auth, You sent in plain or cram Your
mail address and password, which is the same as Your POP(S) account.
Every hop can trace Your mail address and password.  Using smtps, You
don't have this problem.

Encrypting the stream.  If You have many customers on the same
mailserver, You prefer to encrypt it, because the mail goes encrypted
from You to them, and vice versa.  There are no other servers
involved.

I agree on the matter, when You leave Your mailserver to others. In
this case, You are correct.


NH Even protecting privacy doesn't really
NH enter into encrypting this stream.
NH Real security comes from applications of cryptography to provide
NH identity and content verification, not just content obfuscation. PGP/GPG
NH signing each email to validate content and identity of origin is a big
NH start. PGP encrypting the contents of sensitive messages directed to
NH specific recipients is an even bigger next step. However the email
NH infrastructure, and its often undirected recipients, makes this a
NH difficult proposition.

Right now we have on the serverlevel : virusdetection and spam
detection.  serverside-signed mails shouldn't be such problem when using
the dot qmail ?

 I agree on this.  But why to promote smtp-auth in plaintext, cram when You have 
 smtps
 to secure the stream up to Your mailserver (one step), but in this
 step, You 'can' have many hops between You and Your workstation, so
 this stream is the first to protect anyway.  I agree on the fact there
 aren't many TLS servers, but if everyone do his own part to install
 the TLS option, we have in a little decade a much nicer place to have
 secure mail transport.  If people stick with smtp-auth,