Re: sendmail patch for smtps (SSL-SMTP)?

1999-07-05 Thread Enzo Michelangeli

[...]
No, just installing an SSL wrapper/port redirector in front of SMTP will not
work. Unlike pops and imaps, smtps involves more than just wrapping SMTP in
SSL and running the service on a new port.

Actually, the "simple wrapping" has been deprecated also for POP3 and IMAP,
essentially to save port numbers and simplify the firewall setup. There are IETF
drafts about using the "STARTTLS" mechanism also for those protocols: they can be
found by searching the draft pages at www.ietf.org.

Enzo 



RE: sendmail patch for smtps (SSL-SMTP)?

1999-07-05 Thread Lucky Green

 From: Enzo Michelangeli [mailto:[EMAIL PROTECTED]]

 Actually, the "simple wrapping" has been deprecated also for
 POP3 and IMAP, essentially to save port numbers and simplify
 the firewall setup. There are IETF drafts about using the
 "STARTTLS" mechanism also for those protocols: they can be
 found by searching the draft pages at www.ietf.org.

Ouch. Seems somebody is busy making certain that one won't be able to use
standard US distributions of these implementations much longer to trivially
implement the secure protocols by adding a wrapper. This is very bad news,
indeed. As for simplifying the firewall setup, I would question that forcing
a secure and an insecure service to run on the same port adds to the
security of a site.

Thanks for the info,
--Lucky




Re: sendmail patch for smtps (SSL-SMTP)?

1999-07-05 Thread Marc Horowitz

"Lucky Green" [EMAIL PROTECTED] writes:

 Ouch. Seems somebody is busy making certain that one won't be able to use
 standard US distributions of these implementations much longer to trivially
 implement the secure protocols by adding a wrapper. This is very bad news,
 indeed. 

The IETF is more interested in having well-engineered protocols than
in making it easy to use US implementations.  The port explosion was a
real problem, and security done through wrappers makes some security
problems (like authorization) harder, not easier.

Regardless, the STARTTLS command as usually spec'd could probably be
implemented as a wrapper; it would just have to be more complicated
than a simple wrapper.

 As for simplifying the firewall setup, I would question that
 forcing a secure and an insecure service to run on the same port
 adds to the security of a site.

This encourages sites to deprecate the insecure service in favor of
the secure one.  In the long run, this increases security and reduces
the need for firewalls, which as often as not give false security.

Marc
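The point Marc makes, that in-band STARTTLS lets the server itself decide what a client may do before the session is upgraded, is easiest to see as a command/reply state machine. The Python below is an added example, not code from this thread or from sendmail: it models the server side of RFC 3207 STARTTLS negotiation on a single port, with the TLS handshake reduced to a flag. The host name `example.test`, the `require_tls` policy switch and the 503 reply used for a second STARTTLS are assumptions for the illustration; the `530 Must issue a STARTTLS command first` reply is the one RFC 3207 defines for a site that has deprecated the plaintext service.

```python
"""Model of an SMTP server's STARTTLS state machine (RFC 3207 semantics).

Added example, not code from the thread or from sendmail. With a separate
smtps port a firewall can tell encrypted from plaintext sessions; with
STARTTLS on port 25 only the server can, so the "deprecate the insecure
service" policy has to live in the command handler, as modelled here.
"""


class SmtpStartTlsSession:
    def __init__(self, require_tls=True):
        # Site policy (assumption for the example): refuse mail transactions
        # until the session has been upgraded to TLS.
        self.require_tls = require_tls
        self.tls_active = False
        self.greeted = False  # EHLO seen in the current phase (plaintext or TLS)
        self.transcript = []

    def handle(self, line):
        """Return the reply the server sends for one client command line."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True
            lines = ["250-example.test"]
            if not self.tls_active:
                # RFC 3207: STARTTLS is advertised only before the upgrade.
                lines.append("250-STARTTLS")
            lines.append("250 8BITMIME")
            reply = "\r\n".join(lines)
        elif verb == "STARTTLS":
            if arg:
                reply = "501 Syntax error (no parameters allowed)"
            elif self.tls_active:
                # A second STARTTLS is forbidden; 503 is this model's choice.
                reply = "503 TLS already active"
            elif not self.greeted:
                reply = "503 Send EHLO first"
            else:
                reply = "220 Ready to start TLS"
                # The TLS handshake would run here. Afterwards the server
                # discards everything learned in plaintext, including EHLO,
                # so the client has to identify itself again inside TLS.
                self.tls_active = True
                self.greeted = False
        elif verb in ("MAIL", "RCPT", "DATA", "AUTH"):
            if self.require_tls and not self.tls_active:
                reply = "530 Must issue a STARTTLS command first"
            elif not self.greeted:
                reply = "503 Send EHLO first"
            else:
                reply = "250 OK"
        elif verb == "QUIT":
            reply = "221 Bye"
        else:
            reply = "500 Command unrecognized"
        self.transcript.append((line.strip(), reply))
        return reply


def run_session(commands, require_tls=True):
    """Feed a list of client command lines to a fresh session; return the replies."""
    session = SmtpStartTlsSession(require_tls=require_tls)
    return [session.handle(cmd) for cmd in commands]


if __name__ == "__main__":
    # Constructed client dialogue: plaintext MAIL is refused, the session is
    # upgraded, EHLO is repeated inside TLS, and the transaction then proceeds.
    dialogue = [
        "EHLO client.test",
        "MAIL FROM:<alice@client.test>",
        "STARTTLS",
        "STARTTLS",
        "MAIL FROM:<alice@client.test>",
        "EHLO client.test",
        "MAIL FROM:<alice@client.test>",
        "QUIT",
    ]
    for cmd, reply in zip(dialogue, run_session(dialogue)):
        print(f"C: {cmd}")
        for part in reply.split("\r\n"):
            print(f"S: {part}")
```

Run it stand-alone to see the dialogue; the interesting replies are the `530` before the upgrade and the `503` to the repeated EHLO-less MAIL after it, which together are the in-band equivalent of blocking the plaintext port at the firewall.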