[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

The risk of someone bothering to parse packets and retrieve your 
passwords in order to gain access to user email is, I think, extremely 
small unless you have information that people really want to read, in 
which case it is easy to do.

In other words, almost anyone can get a password from plain text email, 
but almost no one in most cases of standard email would bother wasting 
their time.  On the other hand, if you have email or email accounts that 
need to be secure for specific reasons then it is mandatory that you use 
some form of encryption (such as SSL, etc.) because the email is easily 
read, and the passwords if passed in plain text are easy to retrieve.

I hope that helps...

Jeff

Ross Gohlke wrote:

I have tried to install the patch linked from the XMail homepage:
http://mail.godeltech.com/xmail/

My specs:
FreeBSD 5.3
openssl-0.9.7d

I downloaded the patch and applied it to my preexisting XMail 1.2.1
source. I did not use the binary for FreeBSD 4.8.

gmake -f Makefile-SSL.bsd
outputs this:

%gmake -f Makefile-SSL.bsd
../bin/MkMachDep  SysMachine.h
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SSLSupport.cpp
SSLSupport.cpp:161:8: warning: extra tokens at end of #endif directive
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c BuffSock.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c MailSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c POP3Svr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c POP3Utils.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMAILSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMAILUtils.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMTPSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMTPUtils.cpp
g++ -o bin/XMail SSLSupport.o BuffSock.o CTRLSvr.o DynDNS.o DNS.o
DNSCache.o Errors.o ExtAliases.o FINGSvr.o MailConfig.o MailSvr.o
Maildir.o MailDomains.o MD5.o MiscUtils.o LMAILSvr.o AliasDomain.o
POP3GwLink.o POP3Svr.o POP3Utils.o PSYNCSvr.o ResLocks.o SList.o
SMAILSvr.o TabIndex.o SMAILUtils.o SMTPSvr.o SMTPUtils.o ShBlocks.o
StrUtils.o MessQueue.o QueueUtils.o SvrUtils.o SysDep.o UsrMailList.o
UsrAuth.o UsrUtils.o Main.o Base64Enc.o Filter.o -lkvm -lcrypt -pthread
-lc_r  -lssl -lcrypto
SSLSupport.o(.text+0x388): In function `SSLMakeSession(int, int, int)': :
undefined reference to `SysSetSockNoDelay(int, int)'
POP3Utils.o(.text+0xe08): In function
`UPopSessionSendMsg(POP3_HANDLE_struct*, int, BSOCK_HANDLE_struct*)': :
undefined reference to `SysSendFile(BSOCK_HANDLE_struct*, char const*,
unsigned long, unsigned long, int)'
SMTPUtils.o(.text+0x28b6): In function
`USmtpSendMail(SMTPCH_HANDLE_struct*, char const*, char const*,
FileSection const*, SMTPError*)':
: undefined reference to `SysSendFile(BSOCK_HANDLE_struct*, char const*,
unsigned long, unsigned long, int)'
gmake: *** [bin/XMail] Error 1

Is anybody else interested in SSL-encrypted SMTP authentication? Is
anybody else using this patch? On FreeBSD 5.3?

Any suggestion on what I could try? Would upgrading openssl to
openssl-0.9.7e help?

If not SSL, what is the risk of a plaintext password sent over the
Internet being picked off and abused?

Thanks.

Ross






-
To unsubscribe from this list: send the line unsubscribe xmail in
the body of a message to [EMAIL PROTECTED]
For general help: send the line help in the body of a message to
[EMAIL PROTECTED]


  




[xmail] Re: XMail + SSL patch

2005-09-09 Thread Ross Gohlke

 The risk of someone bothering to parse packets and retrieve your
 passwords in order to gain access to user email is, I think, extremely
 small unless you have information that people really want to read, in
 which case it is easy to do.

 In other words, almost anyone can get a password from plain text email,
 but almost no one in most cases of standard email would bother wasting
 their time.  On the other hand, if you have email or email accounts that
 need to be secure for specific reasons then it is mandatory that you use
 some form of encryption (such as SSL, etc.) because the email is easily
 read, and the passwords if passed in plain text are easy to retrieve.

 I hope that helps...

I would like to protect the email.

Are there other (or better) forms of encryption (or other approaches) 
available in XMail?

ross








[xmail] Re: XMail + SSL patch

2005-09-09 Thread decker

 I would like to protect the email.
 
 Are there other (or better) forms of encryption (or other approaches) 
 available in XMail?

There is always PGP and the like..

-darren



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Adrian Hicks

You might consider using stunnel.  I think it's available for Windows 
(definitely for GNU/Linux).


Adrian Hicks


On Friday 09 September 2005 14:50, Jeff Buehler wrote:
 The risk of someone bothering to parse packets and retrieve your
 passwords in order to gain access to user email is, I think, extremely
 small unless you have information that people really want to read, in
 which case it is easy to do.

 In other words, almost anyone can get a password from plain text email,
 but almost no one in most cases of standard email would bother wasting
 their time.  On the other hand, if you have email or email accounts that
 need to be secure for specific reasons then it is mandatory that you use
 some form of encryption (such as SSL, etc.) because the email is easily
 read, and the passwords if passed in plain text are easy to retrieve.

 I hope that helps...

 Jeff

 Ross Gohlke wrote:
 I have tried to install the patch linked from the XMail homepage:
 http://mail.godeltech.com/xmail/
 
 My specs:



[xmail] Re: XMail + SSL patch

2005-09-09 Thread xmail

On 9.9.2005 Adrian Hicks [EMAIL PROTECTED] wrote:

You might consider using stunnel.  I think it's available for Windows
(definitely for GNU/Linux).

Yes it is!
Can be found here:
http://www.stunnel.org/download/binaries.html

But using stunnel is preferred using SSL secured IRC connections - I'm
not sure it works in this case.

--
Regards,
Alexander 'xaitax' Hagenah
http://xmail.topconcepts.net



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Adrian Hicks

As far as I know stunnel can provide a secure tunnel for any TCP port.  
I've used it for secure LDAP connections in the past.


Adrian Hicks


On Friday 09 September 2005 17:55, [EMAIL PROTECTED] wrote:
 On 9.9.2005 Adrian Hicks [EMAIL PROTECTED] wrote:
 You might consider using stunnel.  I think it's available for Windows
 (definitely for GNU/Linux).

 Yes it is!
 Can be found here:
 http://www.stunnel.org/download/binaries.html

 But using stunnel is preferred using SSL secured IRC connections - I'm
 not sure it works in this case.

 --
 Regards,
 Alexander 'xaitax' Hagenah
 http://xmail.topconcepts.net



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Sönke Ruempler

On 09.09.2005 11:55, [EMAIL PROTECTED] wrote:
 On 9.9.2005 Adrian Hicks [EMAIL PROTECTED] wrote:
 
 
You might consider using stunnel.  I think it's available for Windows
(definitely for GNU/Linux).
 
 
 Yes it is!
 Can be found here:
 http://www.stunnel.org/download/binaries.html
 
 But using stunnel is preferred using SSL secured IRC connections - I'm
 not sure it works in this case.

works for wrapping every tcp connection :)



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Alexander Hagenah

On 9.9.2005 Sönke Ruempler [EMAIL PROTECTED] wrote:

works for wrapping every tcp connection :)

I know that. But did u try it out?
There are lots of sites in the wild, where troubles are explained using
Stunnel.

But well, it might work -  give it a try Ross.

--
Regards,
Alexander 'xaitax' Hagenah
http://xmail.topconcepts.net



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Sönke Ruempler

[EMAIL PROTECTED] wrote on Friday, September 09, 2005 12:16 PM:

 On 9.9.2005 Sönke Ruempler [EMAIL PROTECTED] wrote:
 
 works for wrapping every tcp connection :)
 
 I know that. But did u try it out?
 There are lots of sites in the wild, where troubles are explained
 using Stunnel.

Yes I did, even with XMail some time ago.

stunnel does nothing other than wrapping a tcp connection into SSL/TLS.





[xmail] Re: XMail + SSL patch

2005-09-09 Thread Alexander Hagenah

On 9.9.2005 Sönke Ruempler [EMAIL PROTECTED] wrote:

 Yes I did, even with XMail some time ago.

I never said it won't work - I only mentioned that stunnel often causes
problems.
I also wrote that he could try it out and then he will see if it works -
or won't.

--
Regards,
Alexander 'xaitax' Hagenah
http://xmail.topconcepts.net



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

It would be nice to get SSL working with XMail - if I can get some time 
together today, Ross, I will try compiling the SSL patch for XMail 1.21 
under FreeBSD 5.4, and see if I can get it working.

Jeff

Alexander Hagenah wrote:

On 9.9.2005 Sönke Ruempler [EMAIL PROTECTED] wrote:

Yes I did, even with XMail some time ago.

I never said it won't work - I only mentioned that stunnel often causes
problems.
I also wrote that he could try it out and then he will see if it works -
or won't.

--
Regards,
Alexander 'xaitax' Hagenah
http://xmail.topconcepts.net


  





[xmail] Re: XMail + SSL patch

2005-09-09 Thread Ross Gohlke

Alas, I'm on FreeBSD! Is there Linux stunnel?

PGP would protect the mail itself, but is a separate issue from securing 
SMTP Auth, no? What I'm trying to do right now is protect the ACCOUNT 
INFORMATION.

Even if it's unlikely that someone would sniff my users' packets, what's 
to stop a spammer from snagging random SMTP username/pass off the Net and 
using that server to send spam? I'm just trying to be consistent.

For anyone running a commercial service for users, such issues must be 
considered.

Thanks for all the feedback.

 But well, it might work -  give it a try Ross.


ross








[xmail] Re: XMail + SSL patch

2005-09-09 Thread Ross Gohlke

Wow, that would be great! Also, the current openssl is 0.9.7g, what 
version should I be using? Do you need any more information from me? 
Also, I'm on FreeBSD 5.3, think it will still work?

Someone suggested md5 passwords, but this is client-dependent. I use 
Thunderbird on Mac OS 10.4. I have not seen a copy of Outlook for years. 
Is SSL support more ubiquitous in email clients than md5 option?

Jeff Buehler wrote:
 It would be nice to get SSL working with XMail - if I can get some time 
together today, Ross, I will try compiling the SSL patch for XMail 1.21 
under FreeBSD 5.4, and see if I can get it working.

 Jeff





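Added example, not part of the original thread: the questions above about plaintext passwords and the "md5 passwords" option come down to what each SMTP AUTH mechanism puts on the wire when the session is not wrapped in SSL/TLS. The sketch compares AUTH PLAIN with CRAM-MD5; the credentials, the challenge and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample values (assumptions for this example, not real accounts).
USER = "ross@example.test"
PASSWORD = "s3cret-pass"
CHALLENGE = b"<1896.697170952@mail.example.test>"


def auth_plain_line(user: str, password: str) -> str:
    """Client line for AUTH PLAIN: base64 of NUL + user + NUL + password."""
    token = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    return f"AUTH PLAIN {token}"


def cram_md5_response(user: str, password: str, challenge: bytes) -> str:
    """Client response for AUTH CRAM-MD5: user plus HMAC-MD5 of the challenge."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def recover_from_plain(line: str):
    """What is readable from a logged or captured AUTH PLAIN line."""
    raw = base64.b64decode(line.split()[2])
    _authzid, user, password = raw.split(b"\0")
    return user.decode(), password.decode()


def recover_from_cram(response: str):
    """What is readable from a CRAM-MD5 response: user and a one-time digest."""
    user, digest = base64.b64decode(response).decode().rsplit(" ", 1)
    return user, digest


def server_verify_cram(response: str, challenge: bytes, stored_password: str) -> bool:
    """Server side: recompute the digest for the challenge it issued."""
    _user, digest = recover_from_cram(response)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    plain = auth_plain_line(USER, PASSWORD)
    print("AUTH PLAIN on the wire :", plain)
    print("  decodes to           :", recover_from_plain(plain))

    resp = cram_md5_response(USER, PASSWORD, CHALLENGE)
    print("CRAM-MD5 on the wire   :", resp)
    print("  decodes to           :", recover_from_cram(resp))

    # The digest is bound to one challenge, so the same response is rejected
    # when the server issues a fresh challenge on the next connection.
    fresh = b"<2001.697171000@mail.example.test>"
    print("valid for its challenge:", server_verify_cram(resp, CHALLENGE, PASSWORD))
    print("valid for a fresh one  :", server_verify_cram(resp, fresh, PASSWORD))
```

Neither mechanism encrypts the message itself, and CRAM-MD5 is only as strong as the password behind it; a session wrapped in SSL/TLS covers both the credentials and the mail.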



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

Well, that was easy!  It compiled and linked without difficulty on my 
FreeBSD 5.4 platform.  My openssl is version 0.9.7e, however ... try 
upgrading to that and see if you have better luck...

Jeff

Ross Gohlke wrote:

I have tried to install the patch linked from the XMail homepage:
http://mail.godeltech.com/xmail/

My specs:
FreeBSD 5.3
openssl-0.9.7d

I downloaded the patch and applied it to my preexisting XMail 1.2.1
source. I did not use the binary for FreeBSD 4.8.

gmake -f Makefile-SSL.bsd
outputs this:

%gmake -f Makefile-SSL.bsd
../bin/MkMachDep  SysMachine.h
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SSLSupport.cpp
SSLSupport.cpp:161:8: warning: extra tokens at end of #endif directive
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c BuffSock.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c MailSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c POP3Svr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c POP3Utils.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMAILSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMAILUtils.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMTPSvr.cpp
g++  -O2 -I. -DUSE_SSL -D__UNIX__ -D__BSD__ -D__FREEBSD__ -D_REENTRANT=1
-D_THREAD_SAFE=1 -DHAS_SYSMACHINE -c SMTPUtils.cpp
g++ -o bin/XMail SSLSupport.o BuffSock.o CTRLSvr.o DynDNS.o DNS.o
DNSCache.o Errors.o ExtAliases.o FINGSvr.o MailConfig.o MailSvr.o
Maildir.o MailDomains.o MD5.o MiscUtils.o LMAILSvr.o AliasDomain.o
POP3GwLink.o POP3Svr.o POP3Utils.o PSYNCSvr.o ResLocks.o SList.o
SMAILSvr.o TabIndex.o SMAILUtils.o SMTPSvr.o SMTPUtils.o ShBlocks.o
StrUtils.o MessQueue.o QueueUtils.o SvrUtils.o SysDep.o UsrMailList.o
UsrAuth.o UsrUtils.o Main.o Base64Enc.o Filter.o -lkvm -lcrypt -pthread
-lc_r  -lssl -lcrypto
SSLSupport.o(.text+0x388): In function `SSLMakeSession(int, int, int)': :
undefined reference to `SysSetSockNoDelay(int, int)'
POP3Utils.o(.text+0xe08): In function
`UPopSessionSendMsg(POP3_HANDLE_struct*, int, BSOCK_HANDLE_struct*)': :
undefined reference to `SysSendFile(BSOCK_HANDLE_struct*, char const*,
unsigned long, unsigned long, int)'
SMTPUtils.o(.text+0x28b6): In function
`USmtpSendMail(SMTPCH_HANDLE_struct*, char const*, char const*,
FileSection const*, SMTPError*)':
: undefined reference to `SysSendFile(BSOCK_HANDLE_struct*, char const*,
unsigned long, unsigned long, int)'
gmake: *** [bin/XMail] Error 1

Is anybody else interested in SSL-encrypted SMTP authentication? Is
anybody else using this patch? On FreeBSD 5.3?

Any suggestion on what I could try? Would upgrading openssl to
openssl-0.9.7e help?

If not SSL, what is the risk of a plaintext password sent over the
Internet being picked off and abused?

Thanks.

Ross








  





[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

By the way, while it is possible, I think the likelihood of spammers 
going to the effort to retrieve packets to use your server for spamming 
is extremely low.  I have never heard of anyone going to the effort to 
sniff packets simply to spam on commercial servers - none of the big 
commercial servers use SSL for regular email transactions - Comcast, 
SBC, and so on - and they have a lot more at risk than most of us.  
Also, it is a potentially pretty big bust these days since once they use 
an ill-gained password they have stepped over the law, so if they manage 
to cause damage with it they might be tracked down like dogs (with your 
help, of course!)

Lastly, SSL is not very efficient since it takes time to encrypt and 
then decrypt.  Personally I would only use it for transactions that are 
required to be secure, not for daily emailing.

Anyway, if you still want to use it, I would try updating your openssl 
either to the newest version or to 0.9.7e (which I know works on my system).

Jeff

Ross Gohlke wrote:

Alas, I'm on FreeBSD! Is there Linux stunnel?

PGP would protect the mail itself, but is a separate issue from securing 
SMTP Auth, no? What I'm trying to do right now is protect the ACCOUNT 
INFORMATION.

Even if it's unlikely that someone would sniff my users' packets, what's 
to stop a spammer from snagging random SMTP username/pass off the Net and 
using that server to send spam? I'm just trying to be consistent.

For anyone running a commercial service for users, such issues must be 
considered.

Thanks for all the feedback.

  

But well, it might work -  give it a try Ross.




ross







  




[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

On FreeBSD there is a port of stunnel:  /usr/ports/security/stunnel

Jeff

Ross Gohlke wrote:

Alas, I'm on FreeBSD! Is there Linux stunnel?

PGP would protect the mail itself, but is a separate issue from securing 
SMTP Auth, no? What I'm trying to do right now is protect the ACCOUNT 
INFORMATION.

Even if it's unlikely that someone would sniff my users' packets, what's 
to stop a spammer from snagging random SMTP username/pass off the Net and 
using that server to send spam? I'm just trying to be consistent.

For anyone running a commercial service for users, such issues must be 
considered.

Thanks for all the feedback.

  

But well, it might work -  give it a try Ross.




ross







  





[xmail] Re: XMail + SSL patch

2005-09-09 Thread CLEMENT Francis

 -Original Message-
 From: Ross Gohlke [mailto:[EMAIL PROTECTED]
 Sent: Friday, 9 September 2005 17:45
 To: xmail@xmailserver.org
 Subject: [xmail] Re: XMail + SSL patch
 
 
 
 Alas, I'm on FreeBSD! Is there Linux stunnel?
 
 PGP would protect the mail itself, but is a separate issue 
 from securing 
 SMTP Auth, no? What I'm trying to do right now is protect the ACCOUNT 
 INFORMATION.
 
 Even if it's unlikely that someone would sniff my users' 
 packets, what's 
 to stop a spammer from snagging random SMTP username/pass off 
 the Net and 
 using that server to send spam? I'm just trying to be consistent.

Really, I have never seen spam programs using existing usernames/passwords!!
Nor do I see spam programs trying to authenticate ...
But it could be in the future.
The only cases of this type of spam attack are generally due to a previous
intrusion into mail servers to get the account info ... so protect your
server carefully ... And on the customer side, it is the customer's
responsibility to protect the account information ...

 
 For anyone running a commercial service for users, such 
 issues must be 
 considered.
 

We do commercial services (and many xmail admins on this list do too), and most
use 'standard' auths because most client software accepts them and they are
easier to configure on the client side than any 'tunnel'.

In these 'rare' cases, you could use the other tunneling protocols (ipsec,
pptp, l2tp) between the 'secret' customers and your server because these
protocols are generally supported by many OSes (linux, freebsd, windows) on
the customer side.

 Thanks for all the feedback.
 
  But well, it might work -  give it a try Ross.
 
 
 ross
 
 

Francis



[xmail] Re: XMail + SSL patch

2005-09-09 Thread Ross Gohlke

Jeff Buehler wrote:
 By the way, while it is possible, I think the likelihood of spammers
 going to the effort to retrieve packets to use your server for spamming
 is extremely low.  I have never heard of anyone going to the effort to
 sniff packets simply to spam on commercial servers - none of the big
 commercial servers use SSL for regular email transactions - Comcast,
 SBC, and so on - and they have a lot more at risk than most of us.
 Also, it is a potentially pretty big bust these days since once they use
 an ill-gained password they have stepped over the law, so if they manage
 to cause damage with it they might be tracked down like dogs (with your
 help, of course!)

It's hard to find the balance between paranoid and exposed...

 Lastly, SSL is not very efficient since it takes time to encrypt and 
then decrypt.  Personally I would only use it for transactions that are 
required to be secure, not for daily emailing.

So if SSL is used, does it encrypt the ENTIRE MESSAGE, not just
authentication? Does it hog the processor or just make the user wait? For
how long? 5 or 50 extra seconds on an average email? What about
attachments?

Encrypted email is definitely a service I want to offer.

I think the stakes for email are only going to get higher, especially if 
SPF or similar takes hold. ISPs will have to get increasingly vigilant 
about how they do email.

Here's a googled list of clients that support SSL.
http://www.uni.edu/its/us/document/unimail/ssl/

 Anyway, if you still want to use it, I would try updating your openssl 
either to the newest version or to 0.9.7e (which I know works on my
system).

Should I just download the patch from the same place in your website?








[xmail] Re: XMail + SSL patch

2005-09-09 Thread Jeff Buehler

You should ALWAYS be able to tell if someone is abusing your system by 
doing a somewhat regular log analysis, at least in my opinion.

If I were to implement SSL, I would do this log analysis regularly 
anyway.  This is the only way I know of that many system attacks can be 
discovered - vigilance on the part of a human and overall 
system-awareness.  Many admins scan the logs only after the fact - I 
think this is inadequate.  So it doesn't seem to me that using SSL in a 
general way would provide any real extra security, just extra processing 
time.  Its best use is to make certain that an email is encrypted so 
that it can't be read by intermediary servers, not to prevent spammers 
from getting a hold of account passwords.  In the case you mention, I 
consider it far more likely that a user would reveal their password 
inadvertently to a would-be hacker/spammer who would then use it to gain 
access, or that a user would use a simple to crack password, or some 
other entry point - SSL of would not help with any of this.

I tell all my users not to send any email they aren't comfortable being 
public knowledge.  SSL would correct this.

It is a good service to offer for those who need it, though!  For those 
who need to send email with industry secrets, credit card numbers, drug 
deals, spy vs. spy, radical anarchist viewpoints, and so on!

I can't tell you what the overhead is exactly for SSL, although on a 
fast system it wouldn't be anywhere near 5 seconds for any but extremely 
large messages.  However, if you are processing a lot of email, and 
especially allowing large attachments and the like, overall you may feel 
the burn!

Jeff


Ross Gohlke wrote:

Jeff Buehler wrote:

 By the way, while it is possible, I think the likelihood of spammers
 going to the effort to retrieve packets to use your server for spamming
 is extremely low.  I have never heard of anyone going to the effort to
 sniff packets simply to spam on commercial servers - none of the big
 commercial servers use SSL for regular email transactions - Comcast,
 SBC, and so on - and they have a lot more at risk than most of us.
 Also, it is a potentially pretty big bust these days since once they use
 an ill-gained password they have stepped over the law, so if they manage
 to cause damage with it they might be tracked down like dogs (with your
 help, of course!)

It's hard to find the balance between paranoid and exposed...

 Lastly, SSL is not very efficient since it takes time to encrypt and
 then decrypt.  Personally I would only use it for transactions that are
 required to be secure, not for daily emailing.

So if SSL is used, does it encrypt the ENTIRE MESSAGE, not just
authentication? Does it hog the processor or just make the user wait? For
how long? 5 or 50 extra seconds on an average email? What about
attachments?

Encrypted email is definitely a service I want to offer.

I think the stakes for email are only going to get higher, especially if
SPF or similar takes hold. ISPs will have to get increasingly vigilant
about how they do email.

Here's a googled list of clients that support SSL.
http://www.uni.edu/its/us/document/unimail/ssl/

 Anyway, if you still want to use it, I would try updating your openssl
 either to the newest version or to 0.9.7e (which I know works on my
 system).

Should I just download the patch from the same place in your website?







  

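Added example, not part of the original thread: one way to automate the regular log analysis described in the message above, flagging authenticated SMTP accounts whose usage inside a sliding window looks like a shared or stolen credential. The tab-separated log layout, the thresholds and every name below are assumptions for illustration; this is not XMail's own log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: time, client IP, authenticated user, recipient
# count. The layout is an assumption for this example.
SAMPLE_LOG = (
    "2005-09-09 09:00:05\t192.0.2.10\talice@example.test\t1\n"
    "2005-09-09 09:20:41\t192.0.2.10\talice@example.test\t2\n"
    "2005-09-09 08:15:00\t192.0.2.44\tcarol@example.test\t1\n"
    "2005-09-09 18:30:00\t198.51.100.9\tcarol@example.test\t3\n"
    "2005-09-09 10:05:00\t198.51.100.7\tbob@example.test\t1\n"
    "2005-09-09 10:41:10\t203.0.113.5\tbob@example.test\t40\n"
    "2005-09-09 10:44:52\t203.0.113.77\tbob@example.test\t40\n"
    "2005-09-09 10:49:03\t198.51.100.200\tbob@example.test\t40\n"
)


def parse(log_text):
    """Yield (time, ip, user, rcpt_count) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue
        try:
            when = datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S")
            rcpts = int(fields[3])
        except ValueError:
            continue
        yield when, fields[1], fields[2], rcpts


def flag_accounts(records, window=timedelta(hours=1), max_ips=2, max_rcpts=50):
    """Return {user: [reasons]} for accounts exceeding a limit in any window."""
    per_user = defaultdict(list)
    for when, ip, user, rcpts in records:
        per_user[user].append((when, ip, rcpts))

    flagged = {}
    for user, events in per_user.items():
        events.sort()
        worst_ips, worst_rcpts, left = 0, 0, 0
        for right, (when, _ip, _n) in enumerate(events):
            # Slide the left edge so the window spans at most `window`.
            while when - events[left][0] > window:
                left += 1
            in_window = events[left:right + 1]
            worst_ips = max(worst_ips, len({ip for _, ip, _ in in_window}))
            worst_rcpts = max(worst_rcpts, sum(n for _, _, n in in_window))
        reasons = []
        if worst_ips > max_ips:
            reasons.append(f"{worst_ips} source addresses within {window}")
        if worst_rcpts > max_rcpts:
            reasons.append(f"{worst_rcpts} recipients within {window}")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    for user, reasons in flag_accounts(parse(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

In the sample, carol uses two addresses many hours apart and is not flagged, while bob's four addresses and 121 recipients inside one hour are.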