Re: IMAP with TLS
Gary [EMAIL PROTECTED] wrote:

Hi Vilius,

On Wed, 16 May 2007 00:47:05 +0300 UTC (5/15/2007, 4:47 PM -0500 UTC my time), Vilius Šumskas wrote:

because TB! is the only client on the face of the planet which will not allow you to accept an expired cert, you have to install Stunnel and configure it manually, then open up that first, then use TB! for that server. You see the good people at Ritlabs will not allow you to trust yourself to make a judgment whether you are smart enough to accept certs that have expired on IMAP servers.

V Actually this is a very good decision. Many users just don't read what's
V written on every popup. They press YES YES YES.

so? If they have an IMAP account, they should not have to press YES after the first go-around to accept the cert permanently. We are not talking about every popup. It is standard procedure when first using an IMAPS account to ask one time whether you wish to accept a cert, and if so, permanently, no big deal. Standard procedure if you use SSL and IMAP.

V And why on earth do people use a certificate if it is expired? (or self
V signed)?

I have been using one on a remote server (along with my other customers) for years, after it expired. It originally had a life of 3 years. Why should I replace it? Does it not still encrypt the connection?

V It can be very easily compromised and by accepting such a certificate you
V NEVER know if it comes from your server or from a 3rd person in between.

You have fallen under the misconception of the compromised server syndrome :) There is nothing to be compromised whether you use an expired cert or not. See below please for the real understanding.

1. Your mail client has to find the server using DNS published records which point to the IMAP server. Hardly room for any man-in-the-middle attacks, since it is extremely difficult to poison DNS servers, let alone to find the DNS server that you would be using.

2. Here is where your above statement is flawed. In order to log in to your server, you have to AUTHENTICATE: you must provide a password or in combo with CRAM-MD5 or some such, although it could be plain. Most importantly

3. IMAP certs do *nothing* except to encrypt the connection from the client to the server. It has nothing to do with authentication, nothing to do with compromising a server. We are not talking about e-commerce here, where you send your credit card over the wire. We are talking about encrypting a connection to/from an IMAP server. You still have to authenticate, if the server is worth anything and not a public server, in which case just use port 143 without SSL. It is the authentication that is important.

It is possible to reverse engineer a private key from a public key, especially if you are using less than 1024bit private key encryption (and please remember that for example in the USA it is _enforced_ by law). All you need is time. It is advised to change your private/public key pairs from time to time. This way you can be sure that the key was not broken, stolen or compromised in any other way. That's why the valid from and valid to fields were introduced in X.509 in the first place. You can think of it like password expiration. In other words, a certificate is a vehicle of cryptographic trust and users should not trust a certificate if it is expired.

4. Every other email client allows the user to choose whether he wishes to accept a cert, any cert for IMAP. I'm a grown up guy, and I can make my own decisions if I want to accept a cert or not. Jumping through hoops to get to an IMAP server, after you used Stunnel a few 1000 times, is just a pain - unnecessary I might add. It is just easier to use another client.

And how do you know that first time that you are accepting a certificate from a server if it is self-signed? I can easily view properties of such certificates, create my own CA and create exactly the same certificate from the properties point of view.

And not everyone has a direct connection to the server to accept it that first time.

-- 
Best Regards,
Vilius

Current beta is 3.99.06 | 'Using TBBETA' information: http://www.silverstones.com/thebat/TBUDLInfo.html
Re[2]: Lots of conditions in filter
On Tue, 15 May 2007 20:10:46 +0700 GMT, Thomas wrote:

snip

FB Is this a known problem?

Yes, it is. The New Filtering System (NFS), which is not so new anymore, uses Windows handles in abundance, which is the problem. There is no BT entry, because Ritlabs says it works as designed. The workaround is to use only one filter condition "header contains any of", followed by the different headers, instead of many "header contains" conditions. Another workaround (not so elegant, but faster) is to create a new filter when you want to add conditions.

Great to know that I'm not the first to stumble upon this problem. I switched my filters over to "contains any of", but do not quite understand what the separator should be. But I will ask this on the UserList instead.

To stay on topic I can say that enabling the "contains any of" and adding all the search words to one line gave me this result: http://company.klocktornet.com/containsanyof.png

I can get around this by maximizing the Sorting Office window and re-selecting the filter in question, then the line will be visible again.

Scary stuff.

-- 
/Fredrik
The Bat! 3.99.3 on Windows XP 5.1 2600 Service Pack 2
Re: Lots of conditions in filter
Hello Fredrik,

On Wed, 16 May 2007 08:33:46 +0200 GMT (16/05/2007, 13:33 +0700 GMT), Fredrik Bergström wrote:

FB Great to know that I'm not the first to stumble upon this problem.
FB I switched my filters over to contains any of, but do not quite
FB understand what the separator should be. But I will ask this on the
FB UserList instead.

I had to try this out, too. The separator is new line.

FB To stay on topic I can say that enabling the contains any of and
FB adding all the search words to one line gave me this result:
FB http://company.klocktornet.com/containsanyof.png

I cannot confirm.

FB I can get around this by maximizing the Sorting Office window and
FB re-selecting the filter in question, then the line will be visible
FB again.

Hm.

FB Scary stuff.

It's a bat, after all. ;-)

-- 
Cheers,
Thomas.

When Humboldt climbed Chimborazo, the air was so thin that he could no longer read without glasses.
http://thomas.fernandez.hat-gar-keine-homepage.de/
Message reply created with The Bat! 3.99.3 under Windows XP 5.1 Build 2600 Service Pack 2
Re[2]: large font usage problems
Ok, now I get it. Turn down your coffee input or cut back on the sugar :))) You are hyperactive for a while now :))

yikes. didn't intend to outperform ya, Vil'. :)))

-- 
Vili
Re: IMAP with TLS
On Wed, May 16, 2007 at 07:51:38AM +0300 or thereabouts, vitalie vrabie wrote:

Gary wrote:

decisions if I want to accept a cert or not. Jumping through hoops to get to an IMAP server, after you used Stunnel a few 1000 times, is just a pain - unnecessary I might add. It is just easier to use another client.

after all, will you trust servers with expired certificates (read: unmaintained ones)?

sure, if the admin sends me the cert. Once again, you still have to authenticate to get into the server. once again, SSL does nothing more than encrypt the connection. Don't want it, don't use it, use port 143 without SSL, period.

-- 
Gary
Re: IMAP with TLS
On Wed, May 16, 2007 at 09:32:43AM +0300 or thereabouts, Vilius Šumskas wrote:

2. Here is where your above statement is flawed. In order to log in to your server, you have to AUTHENTICATE: you must provide a password or in combo with CRAM-MD5 or some such, although it could be plain. Most importantly

3. IMAP certs do *nothing* except to encrypt the connection from the client to the server. It has nothing to do with authentication, nothing to do with compromising a server. We are not talking about e-commerce here, where you send your credit card over the wire. We are talking about encrypting a connection to/from an IMAP server. You still have to authenticate, if the server is worth anything and not a public server, in which case just use port 143 without SSL. It is the authentication that is important.

It is possible to reverse engineer a private key from a public key, especially if you are using less than 1024bit private key encryption (and please remember that for example in the USA it is _enforced_ by law). All you need is time. It is advised to change your private/public key pairs from time to time. This way you can be sure that the key was not broken, stolen or compromised in any other way. That's why the valid from and valid to fields were introduced in X.509 in the first place. You can think of it like password expiration.

so what, the above is all public knowledge, common stuff, basic info. It has nothing to do with IMAPS. You spend your time for years with 1000s of clustered computers to reverse engineer a private key.. For IMAP! give me a break! We are talking about IMAP here, not e-commerce. You seem to forget that. You STILL have to auth into an IMAP(s) server, period. Don't want to use it, then don't, or use port 143, standard protocol, whereupon you would still need to authenticate. Your above paragraph is general info for the newbie, and not specific to IMAPS, and has nothing to do with the topic.

In other words, a certificate is a vehicle of cryptographic trust and users should not trust a certificate if it is expired.

Then don't use it for IMAPS, use port 143... very basic stuff...

4. Every other email client allows the user to choose whether he wishes to accept a cert, any cert for IMAP. I'm a grown up guy, and I can make my own decisions if I want to accept a cert or not. Jumping through hoops to get to an IMAP server, after you used Stunnel a few 1000 times, is just a pain - unnecessary I might add. It is just easier to use another client.

And how do you know that first time that you are accepting a certificate from a server if it is self-signed?

read up on DNS. Have you ever built DNS servers professionally, or maintained at least one? Do you understand how it works? Have you ever built email/IMAP/POP servers professionally, or maintained one or 100s of them? You don't want to use self-signed for basic IMAPs, don't use it, use the standard port. Once again, you have to auth on to get into the server. It is the authentication, e.g. plain, CRAM-MD5, RADIUS server, etc. that gets you into the server. Whether you want to use SSL or in the clear, it is your choice. YOU GET a CHOICE with other clients. You seem to forget that every other IMAP email client, roughly 250 of them, allow you to accept the cert. *They give you the choice* to do so, for one time use only, or permanently, or not at all. This IS the point.

I can easily view properties of such certificates, create my own CA and create exactly the same certificate from the properties point of view.

so what. Can you easily authenticate using someone's password to get into the server? Do you finally get my point, instead of your generalized ramblings about a self-signed cert, or less importantly giving a probability of reverse engineering a cert? When a new account signs up on my servers, I send him a package which includes the cert for him to install. Their company can use it, or not. It is *their* choice. You get choices, not decisions made for you by TB! saying you cannot use it if it is expired after its time. Have the admin send you the cert when you sign up for an account.

And not everyone has a direct connection to the server to accept it that first time.

Are you talking about a company firewall, or proxy... Other than that, just exactly how would you not have a direct connection to your theoretical first time? (which you would not need if the admin sent a cert to begin with)

Sorry, I'm too busy to spend any more time on this general, way off topic, nonsense.

-- 
Gary
Re: IMAP with TLS
Hello Vilius,

On Wed, 16 May 2007 00:47:05 +0300 GMT (16/05/2007, 04:47 +0700 GMT), Vilius Šumskas wrote:

because TB! is the only client on the face of the planet which will not allow you to accept an expired cert, you have to install Stunnel and configure it manually, then open up that first, then use TB! for that server. You see the good people at Ritlabs will not allow you to trust yourself to make a judgment whether you are smart enough to accept certs that have expired on IMAP servers.

VŠ Actually this is a very good decision. Many users just don't read what's
VŠ written on every popup. They press YES YES YES.

While I don't use IMAP, this was the most ridiculous reply I've seen on this list for a long while. So, many people press YES YES YES. So what? What if *I* read the messages? Does the email client have to nanny me because your grandmother doesn't read them? You have really insulted the intelligence of the TB users. If some are stupid enough to click YES, that is *their* problem. Why on earth would you forbid *me* to accept an expired certificate, if I so choose?

VŠ And why on earth do people use a certificate if it is expired? (or self
VŠ signed)?

That's their decision. Why do they have to answer this question?

VŠ It can be very easily compromised and by accepting such a
VŠ certificate you NEVER know if it comes from your server or from a
VŠ 3rd person in between.

Yes, *can*. Let me be the judge of whether I want to risk my system. Don't protect me from the dangers that might be there for your grandmommy.

-- 
Cheers,
Thomas.

I wonder how much deeper the ocean would be without sponges.
http://thomas.fernandez.hat-gar-keine-homepage.de/
Message reply created with The Bat! 3.99.3 under Windows XP 5.1 Build 2600 Service Pack 2
Re: IMAP with TLS
Hello Thomas,

Wednesday, May 16, 2007, 4:40:20 AM, you wrote:

VŠ Actually this is a very good decision. Many users just don't read what's
VŠ written on every popup. They press YES YES YES.

While I don't use IMAP, this was the most ridiculous reply I've seen on this list for a long while. So, many people press YES YES YES. So what? What if *I* read the messages? Does the email client have to nanny me because your grandmother doesn't read them?

Does my grandmother have to understand the possible danger of accepting such a certificate? I can understand your will to be free and make your own choices, but you seem not to understand that there are thousands of people around the world that use technology (e.g. TB!) just like a tool. They don't care and should not care about the technological details of how email works. They just want to send and receive mail; it's our (admins') job to make it work. And a server with an expired cert just shows how incompetent the admin is. He doesn't care about his users. He has not even managed to set the validity period of the certificate to, for example, 999 years (if I remember the maximum correctly).

-- 
Best regards,
Vilius
Re: IMAP with TLS
They just want to send and receive mail; it's our (admins') job to make it work.

And thanks Ritlabs for making this job easier!
Re[2]: IMAP with TLS
They just want to send and receive mail; it's our (admins') job to make it work.

And thanks Ritlabs for making this job easier!

Let me rephrase the discussion here: Ritlabs does a good job following the rules, while other email clients are sloppy/let users follow non-standard protocol (in order to get around sloppy admins), right?

-- 
Vili
Re: IMAP with TLS
Thomas Fernandez wrote:

You have really insulted the intelligence of the TB users. If some are stupid enough to click YES, that is *their* problem. Why on earth would you forbid *me* to accept an expired certificate, if I so choose?

treat it as an exam question: what is the difference between security and encryption? if you answer correctly, you qualify for such decisions. ;)

-- 
Signed,
Vitalie.
Re: IMAP with TLS
Hi Vitalie,

On Wed, 16 May 2007 20:59:13 +0300 UTC (5/16/2007, 12:59 PM -0500 UTC my time), vitalie vrabie wrote:

You have really insulted the intelligence of the TB users. If some are stupid enough to click YES, that is *their* problem. Why on earth would you forbid *me* to accept an expired certificate, if I so choose?

v treat it as an exam question: what is the difference between security
v and encryption?

A. I can log into any POP server that I am a registered user of using the standard port 110. I must authenticate to get into the server to get my mail.

B. I can log into any POPS server that I am a registered user of using the standard SSL pop port 995. I must authenticate to get into the server.

C. I can log into any IMAP server that I am a registered user of using the standard port 143. I must authenticate to get into the server.

D. I can log into any IMAPS server that I am a registered user of using the standard TLS/SSL port 993. I must authenticate to get into the server.

In the case of B and D, what is different from A and C? I still have to authenticate to get into the server. Without this authentication, I cannot get in no matter what. You can stand on your head until doomsday, but I cannot get in. B and D only allow me to send and receive packets securely. Since I can still get into the server by authentication using A and C, what difference does it make?

Answer: NONE

Perhaps this is why every other client gives you the choice of accepting certs.

-- 
Gary
Re: IMAP with TLS
Hello all,

Wednesday, May 16, 2007, Gary wrote:

B and D only allow me to send and receive packets securely. Since I can still get into the server by authentication using A and C, what difference does it make?

Answer: NONE

so do You understand what the difference is between authentication and security, or not? Seems not.

BTW if B and D allow You secure packets *only*, why do You need it?

-- 
Bye
Marek Mikus
Czech support of The Bat! http://www.thebat.cz
Using the best The Bat! 3.99.6 under Windows XP 5.1 Build 2600 Service Pack 2 with MyMacros, XMP, AnotherMacros, NOD32 Antivirus plugin and AntispamSniper v 2.0.1.2
Notebook Toshiba, Core2 Duo 1.83 GHz, 1 GB RAM
Re: IMAP with TLS
Hi Marek,

On Wed, 16 May 2007 21:01:35 +0200 UTC (5/16/2007, 2:01 PM -0500 UTC my time), Marek Mikus wrote:

B and D only allow me to send and receive packets securely. Since I can still get into the server by authentication using A and C, what difference does it make?

Answer: NONE

M so do You understand what the difference is between authentication and
M security, or not?
M Seems not.

no, not at all. I just make my living at it. You?

M BTW if B and D allow You secure packets *only*, why do You need it?

ding, ding, ding. We have a winner here.. the answer is You don't need it! and .. since you do not need it to get (POP) or see (IMAP) your mail on the server, which can only be done with authentication in the first place, the choice for accepting a cert should be left with the user! POPS and IMAPS are there as a courtesy or benefit, or feature for those that wish to use it, knowing that in the remote case of anyone sniffing the wire, they could not see the data packet streams. I have built many POP/IMAP servers where the customer just wants to utilize the standard port 110/143, and many who want both.

Personally, I always suggest using asymmetric encryption for email if it is important or has sensitive personal or business info, e.g. GPG/PGP; even symmetric encryption is okay.

-- 
Gary
Re: IMAP with TLS
Hello Vili,

Wednesday, May 16, 2007, 8:37:00 PM, you wrote:

They just want to send and receive mail; it's our (admins') job to make it work.

And thanks Ritlabs for making this job easier!

Let me rephrase the discussion here: Ritlabs does a good job following the rules, while other email clients are sloppy/let users follow non-standard protocol (in order to get around sloppy admins), right?

Yes. As more and more ordinary people (read: not geeks) are using computers, software is changing too. For example IE7 has changed the erroneous certificate popup display with this http://www.tekila.lt/public/ie7-ssl.PNG big window, where the computer illiterate in most cases will click on the green icon if they are not reading it. It is known that in future versions IE will block such websites completely. xchat after upgrade to version 2 does not allow you to connect to an IRC server with an expired certificate by default either. Yes they are not email clients, and yes they allow you to choose in a difficult way. But I think you can see where it is going. Sooner or later none of them will allow this.

-- 
Best regards,
Vilius
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 10:24:48 PM, you wrote:

M BTW if B and D allow You secure packets *only*, why do You need it?

ding, ding, ding. We have a winner here.. the answer is You don't need it! and .. since you do not need it to get (POP) or see (IMAP) your mail on the server, which can only be done with authentication in the first place, the choice for accepting a cert should be left with the user!

I don't follow the logic here anymore. Since you don't need it, why are you making this a problem of The Bat?

-- 
Best regards,
Vilius
Re: IMAP with TLS
Hi Vilius,

On Wed, 16 May 2007 22:33:53 +0300 UTC (5/16/2007, 2:33 PM -0500 UTC my time), Vilius Šumskas wrote:

You don't need it! and .. since you do not need it to get (POP) or see (IMAP) your mail on the server, which can only be done with authentication in the first place, the choice for accepting a cert should be left with the user!

V I don't follow the logic here anymore. Since you don't need it, why
V are you making this a problem of The Bat?

It is a problem in TB! because TB! will not allow the user to accept a cert. It makes that decision for him/her, and that answer is always no, you cannot connect (if the cert is outdated).. It is a problem in that it is a matter of convenience to the user. Where the user can always connect otherwise using a standard connection on 143 (in most cases, depending if the IMAP server is set up that way, or standard POP on 110).

To put it another way, if I can connect to a server via POP or IMAP, after I authenticate, why will it not let me connect securely, when I can connect normally. It should be my choice, since I can connect anyway. Does that not make sense?

Regards,
-- 
Gary
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 5:33:01 PM, you wrote:

4. Every other email client allows the user to choose whether he wishes to accept a cert, any cert for IMAP. I'm a grown up guy, and I can make my own decisions if I want to accept a cert or not. Jumping through hoops to get to an IMAP server, after you used Stunnel a few 1000 times, is just a pain - unnecessary I might add. It is just easier to use another client.

And how do you know that first time that you are accepting a certificate from a server if it is self-signed?

read up on DNS. Have you ever built DNS servers professionally, or maintained at least one? Do you understand how it works? Have you ever built email/IMAP/POP servers professionally, or maintained one or 100s of them?

This has nothing to do with DNS. You don't need to redirect user data for this. Simply own a server/router in between, create a certificate and make the server transparent.

And yes I built and installed 10s of mail systems on Linux, NetWare and Windows and am currently maintaining about 7 of them. All of them have _valid_ CA authority signed, not expired certificates. I don't know, maybe I'm just stupid and my clients just waste money on them, but this is how things are done in the part of the world where I'm living. Maybe in yours invalid certificates are usual and this is normal.

-- 
Best regards,
Vilius
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 10:43:37 PM, you wrote:

Hi Vilius,

On Wed, 16 May 2007 22:33:53 +0300 UTC (5/16/2007, 2:33 PM -0500 UTC my time), Vilius Šumskas wrote:

You don't need it! and .. since you do not need it to get (POP) or see (IMAP) your mail on the server, which can only be done with authentication in the first place, the choice for accepting a cert should be left with the user!

V I don't follow the logic here anymore. Since you don't need it, why
V are you making this a problem of The Bat?

It is a problem in TB! because TB! will not allow the user to accept a cert. It makes that decision for him/her, and that answer is always no, you cannot connect (if the cert is outdated).. It is a problem in that it is a matter of convenience to the user. Where the user can always connect otherwise using a standard connection on 143 (in most cases, depending if the IMAP server is set up that way, or standard POP on 110).

To put it another way, if I can connect to a server via POP or IMAP, after I authenticate, why will it not let me connect securely, when I can connect normally. It should be my choice, since I can connect anyway. Does that not make sense?

Ahh, I see now. But this is actually the problem of the admin. Why do you want to allow users to connect without TLS when you have TLS working? I'm always blocking plaintext connections from outside if there is a *valid* TLS mechanism in place. And if there is none, I just don't use it and don't ask myself why TB! doesn't allow me to accept my broken server.

-- 
Best regards,
Vilius
Re: IMAP with TLS
Hi Vilius,

On Wed, 16 May 2007 22:45:36 +0300 UTC (5/16/2007, 2:45 PM -0500 UTC my time), Vilius Šumskas wrote:

read up on DNS. Have you ever built DNS servers professionally, or maintained at least one? Do you understand how it works? Have you ever built email/IMAP/POP servers professionally, or maintained one or 100s of them?

V This has nothing to do with DNS.

It does based on your earlier generalized questions/remarks.

V You don't need to redirect user data for this. Simply own a
V server/router in between, create a certificate and make the server
V transparent.

Great, easily done, now how do you get my (or anyone's) password into your fake IMAP server, maybe sitting in the DMZ or in front of that, so I can auth into it? Again, the cert means nothing. we are not talking about e-commerce. I can generate certs all day long. Client must authenticate to get into the server. You don't need a cert to get your mail :)

V And yes I built and installed 10s of mail systems on Linux, NetWare and
V Windows and am currently maintaining about 7 of them.

Good, glad to hear it. I gave up NetWare years ago. I stick with *n.x commercially.

V All of them have _valid_ CA authority signed, not expired certificates.
V I don't know, maybe I'm just stupid and my clients just waste money
V on them, but this is how things are done in the part of the world
V where I'm living.

To some degree here too, but it is far from mandatory unless you are an ISP. Most often, self-issuing certs are done. Obviously if the site runs e-commerce or has a web presence, that cert would be used.

V Maybe in yours invalid certificates are usual and this is normal.

It is not the norm, but it does happen, especially to small to medium businesses who run their own mail/IMAP server year after year.

-- 
Gary
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 10:43:37 PM, you wrote:

It is a problem in TB! because TB! will not allow the user to accept a cert. It makes that decision for him/her, and that answer is always no, you cannot connect (if the cert is outdated)..

But it is a very security sensitive decision. Let's say you are competent to make it, let's say I am, most of the IT guys are too. But what about my mom, your little sister, John the plumber Doe from the floor below, a lady with the poodle in the lift :)? Sorry but they are the majority and Ritlabs (like any other company) just makes decisions based on the majority of users.

-- 
Best regards,
Vilius
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 11:04:55 PM, you wrote:

V You don't need to redirect user data for this. Simply own a
V server/router in between, create a certificate and make the server
V transparent.

Great, easily done, now how do you get my (or anyone's) password into your fake IMAP server, maybe sitting in the DMZ or in front of that, so I can auth into it?

You don't. You will authenticate to your real server. But as my router/imap server will be transparent you will never know this. For example on Linux it is done like this:

iptables -A PREROUTING -d myserveripfromvictimside -i eth0 -p tcp -m tcp --dport 993 -j RETURN
iptables -A PREROUTING -s ! myserveripfromvictimside -i eth0 -p tcp -m tcp --dport 993 -j DNAT --to-destination myserveripfromvictimside:993

That's one of the ideas behind SSL/TLS. If the SSL packet header is changed along the way and doesn't represent the certificate key on the remote server, the client will inform you. You can see it at hotspots where mail traffic is usually sent through such servers.

V And yes I built and installed 10s of mail systems on Linux, NetWare and
V Windows and am currently maintaining about 7 of them.

Good, glad to hear it. I gave up NetWare years ago. I stick with *n.x commercially.

V All of them have _valid_ CA authority signed, not expired certificates.
V I don't know, maybe I'm just stupid and my clients just waste money
V on them, but this is how things are done in the part of the world
V where I'm living.

To some degree here too, but it is far from mandatory unless you are an ISP. Most often, self-issuing certs are done. Obviously if the site runs e-commerce or has a web presence, that cert would be used.

V Maybe in yours invalid certificates are usual and this is normal.

It is not the norm, but it does happen, especially to small to medium businesses who run their own mail/IMAP server year after year.

-- 
Best regards,
Vilius
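As an added example (not code from The Bat!, Ritlabs, or anyone in this thread), the Python below walks through what a strict client checks on an IMAPS server's certificate before it sends the login: the valid-from/valid-to window compared above to password expiration, whether the cert is self-signed or issued by someone the client trusts (the property that tells the admin's server apart from a transparent box in the path), and whether the name matches the host, with the "accept any certificate" context beside the default one. The certificate dicts and dates are constructed in the shape ssl.SSLSocket.getpeercert() returns, and the issuer-name check stands in for the real signature-chain verification the ssl module performs.

```python
"""Client-side certificate checks before an IMAPS login (added example).

Not code from The Bat! or any poster. Certificates are constructed dicts in
the shape ssl.SSLSocket.getpeercert() returns; the issuer-name lookup is a
stand-in for the signature-chain verification the ssl module does for real.
"""
import ssl


def _rdn_to_dict(rdns):
    """getpeercert() gives subject/issuer as ((('commonName', 'x'),), ...)."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def name_matches(pattern, hostname):
    """Exact match, or a single leading '*.' wildcard covering one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return pattern == hostname


def evaluate_peer_cert(cert, hostname, now, trusted_issuers):
    """Return every reason a strict client refuses this cert ([] = accept).

    `now` is a Unix timestamp so results are deterministic; a real client
    uses the current time.
    """
    subject = _rdn_to_dict(cert.get("subject", ()))
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    problems = []

    # 1. Validity window (notBefore/notAfter): an expired cert fails here
    #    even if nothing else about it changed.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not_yet_valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")

    # 2. Who vouches for the key. A self-signed cert vouches for itself, so
    #    a copy with identical properties minted elsewhere looks the same;
    #    only a trusted issuer (and its signature, checked by ssl) differs.
    if subject == issuer:
        problems.append("self_signed")
    elif issuer.get("commonName") not in trusted_issuers:
        problems.append("untrusted_issuer")

    # 3. The name must be the host the client meant to reach.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names and "commonName" in subject:
        names = [subject["commonName"]]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("hostname_mismatch")
    return problems


def client_context(strict):
    """The two client policies argued about in the thread, as SSLContexts."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname
    if not strict:
        # "Accept any certificate": no chain check, no name check. The login
        # still reaches a server, but nothing proves which one.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_policy(strict):
    """Summarise a context as (verify_mode name, check_hostname)."""
    ctx = client_context(strict)
    return ctx.verify_mode.name, ctx.check_hostname


def make_cert(cn, issuer_cn, not_before, not_after):
    """Build a getpeercert()-shaped dict from constructed values."""
    return {"subject": ((("commonName", cn),),),
            "issuer": ((("commonName", issuer_cn),),),
            "notBefore": not_before, "notAfter": not_after,
            "subjectAltName": (("DNS", cn),)}


# Constructed sample data (no real servers or CAs); NOW is the thread's date.
NOW = ssl.cert_time_to_seconds("May 16 12:00:00 2007 GMT")
TRUSTED_ISSUERS = {"Example Root CA"}          # assumed trust-store contents
CA_SIGNED = make_cert("imap.example.com", "Example Root CA",
                      "Jan 10 00:00:00 2007 GMT", "Jan 10 00:00:00 2009 GMT")
EXPIRED_SELF_ISSUED = make_cert("imap.smallbiz.example", "imap.smallbiz.example",
                                "Apr 10 00:00:00 2002 GMT", "Apr 10 00:00:00 2007 GMT")
LOOKALIKE = make_cert("imap.example.com", "imap.example.com",   # same properties, own CA
                      "May 10 00:00:00 2007 GMT", "May 10 00:00:00 2009 GMT")

if __name__ == "__main__":
    for label, cert, host in (("CA-signed", CA_SIGNED, "imap.example.com"),
                              ("expired self-issued", EXPIRED_SELF_ISSUED, "imap.smallbiz.example"),
                              ("look-alike", LOOKALIKE, "imap.example.com")):
        print(f"{label:20s} -> {evaluate_peer_cert(cert, host, NOW, TRUSTED_ISSUERS) or 'accept'}")
    print("strict:", context_policy(True), " permissive:", context_policy(False))
```

The look-alike case is the one a name-and-date-only check cannot catch: its dates and host name are fine, and only the issuer test separates it from the admin's own certificate.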
Re: IMAP with TLS
Hi Vilius,

On Wed, 16 May 2007 23:19:06 +0300 UTC (5/16/2007, 3:19 PM -0500 UTC my time), Vilius Šumskas wrote:

V You don't. You will authenticate to your real server. But as my
V router/imap server will be transparent you will never know this.
V For example on Linux it is done like this:
V iptables -A PREROUTING -d myserveripfromvictimside -i eth0 -p tcp -m tcp --dport 993 -j RETURN
V iptables -A PREROUTING -s ! myserveripfromvictimside -i eth0 -p tcp -m
V tcp --dport 993 -j DNAT --to-destination myserveripfromvictimside:993

Yes, this can easily be done using Netfilter. There are similar capabilities in Unix (FreeBSD) packet routing. However, it is hardly worth the effort :) Again this is a simple POP/IMAP server, not e-commerce.

V That's one of the ideas behind SSL/TLS. If the SSL packet header is
V changed along the way and doesn't represent the certificate key on the remote
V server, the client will inform you. You can see it at hotspots where mail traffic
V is usually sent through such servers.

Of course... this is why, as I mentioned previously, that when using a self-signed cert for a company IMAP server, I issue those certs to the new users as part of their initial instructional package. They install it (most often in their Windows box), case closed :)

-- 
Gary
Re: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 11:51:06 PM, you wrote:

V You don't. You will authenticate to your real server. But as my
V router/imap server will be transparent you will never know this.
V For example on Linux it is done like this:
V iptables -A PREROUTING -d myserveripfromvictimside -i eth0 -p tcp -m tcp --dport 993 -j RETURN
V iptables -A PREROUTING -s ! myserveripfromvictimside -i eth0 -p tcp -m
V tcp --dport 993 -j DNAT --to-destination myserveripfromvictimside:993

Yes, this can easily be done using Netfilter. There are similar capabilities in Unix (FreeBSD) packet routing. However, it is hardly worth the effort Again this is a simple POP/IMAP server, not e-commerce.

You'll be surprised how many people send their banking passwords, social numbers and credit card information through email :) And nobody says that attacker will be interested in your inbox exclusively. Usually they gather thousands of passwords.

Ok time to sleep. Good night.

--
Best regards,
Vilius
Re: IMAP with TLS
Hi Vilius,

On Wed, 16 May 2007 22:56:09 +0300 UTC (5/16/2007, 2:56 PM -0500 UTC my time), Vilius Šumskas wrote:

To put it another way, if I can connect to a server via POP or IMAP, after I authenticate, why will it not let me connect securely, when I can connect normally. It should be my choice, since I can connect anyway. Does that not make sense?

V Ahh, I see now. But this is actually the problem of the admin.

No, IMO, it is the choice of the customer... I can only tell the customer his options. He has to make that decision.

V Why do you want to allow users to connect without TLS when you have TLS
V working?

Real world scenario. Some users do not use an email client that has TLS technology. Some do not want to be bothered.

V I'm always blocking plaintext connections from outside if there is
V *valid* TLS mechanism in place.

I usually do the same, but in the end, it is up to the client to decide. Example, most ISPs here in the States do not allow TLS/SSL use for all of their customers, either on SMTP or IMAP/POP. Amazing.

V And if there is none, I just don't use it and don't ask myself why TB!
V doesn't allow me to accept my broken server.

Actual case, 8 years ago, I built SMTP / IMAP / POP / DNS servers for a business, about 15 people... no big deal... It is set up on 143 and 993... now their own self-issued cert was made for 5 years... it has expired. If they used TB! and wanted TLS/SSL on 993, they could not log in, all of a sudden as the cert expired. If they used any other email client, no problem. It just does not make sense, as they still can use 143, but some want the benefits of SSL, which they have been using all this time. They know the cert is good.

--
Gary
Re[2]: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 21:46:34, you wrote:

B and D only allows me to send and receive packets securely. Since I still can into the server by authentication using A and C, what difference does it make? Answer: NONE

Confidentiality, integrity and availability as the fundamental security characteristics of information.

http://en.wikipedia.org/wiki/CIA_Triad
http://en.wikipedia.org/wiki/Information_security#Confidentiality.2C_integrity.2C_availability

TLS assures confidentiality and integrity of the information. Confidentiality means that nobody in transit (that has access to the data channel) can read your messages while you are retrieving them via TLS. Integrity in email means that nobody in transit can alter your messages, i.e. modify the contents of the messages, inject false messages, remove legitimate messages, etc. while you are retrieving them via TLS.

So I do not agree that there is no difference between BD and AC.

If you are using TLS with expired or otherwise invalid certificates, this means that there is actually no TLS and confidentiality and integrity is no longer assured, so the malicious person that has access to the data channel can read and/or modify the messages while you are retrieving them.

--
Best regards,
Maxim Masiutin mailto:[EMAIL PROTECTED]
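What a strict IMAPS client actually does with the peer certificate, shown as an added example that is not code from this thread or from The Bat!. It ties together Gary's practice of handing each user the company's self-signed certificate in their setup package (the client then trusts exactly that key, so no click-through is needed) and Maxim's point that outside the validity window the channel gives no confidentiality or integrity assurance. The CA file name COMPANY_CA_FILE, the host imap.example.com and the GARY_SELF_ISSUED_CERT dictionary are constructed for the demo; the live connection function uses only the standard library's ssl and imaplib.

```python
"""Strict client-side certificate checks for IMAPS (port 993).

Added example; not code from the TBBETA thread or from The Bat!. The CA
file name, the host and the sample certificate below are constructed.
"""
import imaplib
import ssl
import time

# Assumption: the company's own CA (or the self-signed server certificate
# itself) is handed to each user out of band, as Gary describes, so the
# client trusts exactly that key and nothing else. Hypothetical file name.
COMPANY_CA_FILE = "company-imap-ca.pem"


def gmt(timestr):
    """Seconds since the epoch for a getpeercert()-style time string."""
    return ssl.cert_time_to_seconds(timestr)


# Constructed stand-in for Gary's five-year self-issued certificate, in the
# shape SSLSocket.getpeercert() returns (only the fields used here).
GARY_SELF_ISSUED_CERT = {
    "subject": ((("commonName", "imap.example.com"),),),
    "notBefore": "May 16 00:00:00 2002 GMT",
    "notAfter": "May 16 00:00:00 2007 GMT",
}


def certificate_window(cert, now=None):
    """Return 'valid', 'expired' or 'not-yet-valid' for a peer certificate.

    Outside the window the client has no basis for treating the channel as
    confidential or integrity-protected: the key may have been rotated,
    revoked or broken since, which is what notBefore/notAfter are for.
    """
    now = time.time() if now is None else now
    if now < gmt(cert["notBefore"]):
        return "not-yet-valid"
    if now > gmt(cert["notAfter"]):
        return "expired"
    return "valid"


def days_until_expiry(cert, now=None):
    """Days left in the validity window (negative once expired), so an
    admin can renew before users are locked out rather than after."""
    now = time.time() if now is None else now
    return (gmt(cert["notAfter"]) - now) / 86400.0


def imaps_context(ca_file=COMPANY_CA_FILE):
    """TLS context that trusts only the distributed CA (the system store
    when ca_file is None), requires a certificate, checks that its name
    matches the host, and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx):
    """True when the context rejects unverified or mis-named peers."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def open_imaps(host, port=993, ca_file=COMPANY_CA_FILE):
    """Open an IMAPS session. On an expired, unknown or mis-named certificate
    the handshake fails before LOGIN, so no credentials reach a transparent
    relay of the kind discussed in the thread. Returns (connection, window)."""
    try:
        conn = imaplib.IMAP4_SSL(host, port, ssl_context=imaps_context(ca_file))
    except ssl.SSLCertVerificationError as exc:
        # verify_message carries OpenSSL's reason, e.g. 'certificate has expired'
        raise SystemExit(f"refusing {host}:{port}: {exc.verify_message}") from exc
    window = certificate_window(conn.ssl().getpeercert())
    return conn, window


if __name__ == "__main__":
    day_after = gmt("May 17 00:00:00 2007 GMT")
    print(certificate_window(GARY_SELF_ISSUED_CERT, now=day_after))      # expired
    print(days_until_expiry(GARY_SELF_ISSUED_CERT, now=day_after))       # -1.0
    # Live use (needs network and the distributed CA file):
    # conn, window = open_imaps("imap.example.com")
    # conn.login("user", "secret"); conn.logout()
```

The design point is that trust comes from the installed CA file plus the validity window and name check, not from a dialog the user clicks through; the same code path that rejects an expired company cert is the one that exposes a DNAT relay presenting a different key, which is the behaviour the thread is arguing about.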
Re[2]: IMAP with TLS
Hello Vilius,

Wednesday, May 16, 2007, 22:30:08, you wrote:

Yes they are not email clients, and yes they allow you to choose in a difficult way. But I think you can see where it is coming. Sooner or later none of them will allow this.

Nice news!

--
Best regards,
Maxim Masiutin mailto:[EMAIL PROTECTED]
Re: IMAP with TLS
Hi Vilius,

On Wed, 16 May 2007 23:08:18 +0300 UTC (5/16/2007, 3:08 PM -0500 UTC my time), Vilius Šumskas wrote:

V But it is very security sensitive decision. Let's say you are
V competent to make it, let's say I'm, most of IT guys are too.

Agreed.

V But what about my mom, your little sister, John the plumber Doe from
V the floor below, a lady with the puddle in the lift :)? Sorry but they
V are majority and Ritlabs (like any other company) just makes decisions on
V majority users.

Ah, given your user base above, how many of these people would use IMAP to begin with. I have found that most IMAP users are business people, or professional people, educational/university people, or for a lack of a better term, higher end users, and not just ordinary folks who want to get their mail. In my thinking, most people just want to download their mail :) Or, get it off a web based IMAP server, e.g. Gmail, Yahoo, Hotmail, etc.

As you know, Ritlabs started TB! as a terrific POP client. They were correct in determining their user base of POP based email. Some features available for IMAP, including not having the ability to accept a cert by one's own choosing, are available in all other clients, at the very least. IMO, it is not a security issue.

--
Gary
Re[2]: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 22:43:37, you wrote:

It is a problem in that it is a matter of convenience to the user. Where the user can always connect otherwise using a standard connection on 143 (in most cases, depending if the IMAP server is set up that way, or standard POP on 110).

I don't understand why don't you connect with regular (non-TLS) IMAP if the TLS IMAP has an invalid certificate?

To put it another way, if I can connect to a server via POP or IMAP, after I authenticate, why will it not let me connect securely, when I can connect normally. It should be my choice, since I can connect anyway. Does that not make sense?

If you have an invalid certificate, then you are not connecting securely, even if you are using TLS. Believe it or not, with an invalid certificate, no confidentiality or integrity is assured. So just switch to regular (non-TLS) IMAP and be happy! :-))

--
Best regards,
Maxim Masiutin mailto:[EMAIL PROTECTED]
Re[2]: IMAP with TLS
Hello Gary,

Wednesday, May 16, 2007, 0:05:04, you wrote:

Actual case, 8 years ago, I built SMTP / IMAP / POP / DNS servers for a business, about 15 people... no big deal... It is set up on 143 and 993... now their own self-issued cert was made for 5 years... it has expired.

In this case, I will quickly call the system administrator and she will quickly issue the new cert. As written before, unmanaged servers aren't good.

--
Best regards,
Maxim Masiutin mailto:[EMAIL PROTECTED]
Re: IMAP with TLS
Hi Maxim,

On Thu, 17 May 2007 00:09:16 +0300 UTC (5/16/2007, 4:09 PM -0500 UTC my time), Maxim Masiutin wrote:

M TLS assures confidentiality and integrity of the information.
M Confidentiality means that nobody in transit (that has access to the
M data channel) can read your messages while you are retrieving them via TLS.
M Integrity in email means that nobody in transit can alter your messages,
M i.e. modify the contents of the messages, inject false messages, remove
M legitimate messages, etc. while you are retrieving them via TLS.

Yes I am aware of that. :)

M So I do not agree that there is no difference between BD and AC.

There is no difference with respect to the fact that I have to auth into the server either way.

M If you are using TLS with expired or otherwise invalid certificates, this
M means that there is actually no TLS and confidentiality and integrity is
M no longer assured, so the malicious person that has access to the data
M channel can read and/or modify the messages while you are retrieving
M them.

It is not assured on port 110 or 143 either :) The only assurance regarding integrity is to also use DKIM signing, but most importantly PGP/GPG or some asymmetric encryption for confidentiality. Again, it should be up to the user to decide to accept a cert that has expired (even after he has used it for five years) :)

I give up ... LOL ... you are not going to change it :)

--
Gary
Re: IMAP with TLS
Hi Maxim,

On Thu, 17 May 2007 00:13:07 +0300 UTC (5/16/2007, 4:13 PM -0500 UTC my time), Maxim Masiutin wrote:

It is a problem in that it is a matter of convenience to the user. Where the user can always connect otherwise using a standard connection on 143 (in most cases, depending if the IMAP server is set up that way, or standard POP on 110).

M I don't understand why don't you connect with regular (non-TLS) IMAP if
M the TLS IMAP has an invalid certificate?

In my case, I have one remote server that only runs on 993, not 143.

To put it another way, if I can connect to a server via POP or IMAP, after I authenticate, why will it not let me connect securely, when I can connect normally. It should be my choice, since I can connect anyway. Does that not make sense?

M If you have an invalid certificate, then you are not connecting
M securely, even if you are using TLS. Believe it or not, with an invalid
M certificate, no confidentiality or integrity is assured. So just switch
M to regular (non-TLS) IMAP and be happy! :-))

Can't, as above :) I have to use Stunnel to do this currently.

--
Gary
Re: IMAP with TLS
Hi Vilius,

On Thu, 17 May 2007 00:01:31 +0300 UTC (5/16/2007, 4:01 PM -0500 UTC my time), Vilius Šumskas wrote:

V You'll be surprised how many people send their banking passwords,
V social numbers and credit card information through email :)

Hee, hee... no I would not :) Also medical information which people send in the clear.

V And nobody says that attacker will be interested in your inbox
V exclusively. Usually they gather thousands of passwords.

Yes, very true, and in that case, that size of box, that many users, I would definitely use a CA cert also.

V Ok time to sleep. Good night.

Good night, now maybe I can get some work done too. :)

--
Gary