Hello Gary,

Wednesday, May 16, 2007, 11:04:55 PM, you wrote:

V>> You don't need to "redirect" user data for this. Simply own a
V>> server/router in between, create a certificate and make the server
V>> transparent.

> Great, easily done, now how do you get my (or anyone's) password into your
> fake IMAP server, maybe sitting in the DMZ or in front of that, so I can
> auth into it?

You don't. You will authenticate to your real server. But as my
router/imap server will be transparent you will never know this.

For example on Linux it is done like this:
iptables -A PREROUTING -d <myserveripfromvictimside> -i eth0 -p tcp -m tcp --dport 993 -j RETURN
iptables -A PREROUTING -s ! <myserveripfromvictimside> -i eth0 -p tcp -m tcp --dport 993 -j DNAT --to-destination <myserveripfromvictimside>:993


That's one of the ideas behind SSL/TLS. If the SSL packet header is
changed along the way and doesn't represent the certificate key on the remote
server, the client will inform you. You can see it at hotspots where mail traffic
is usually sent through such servers.

V>> And yes I built and installed 10s of mail systems on Linux, NetWare and
V>> Windows and currently maintaining about 7 of them.

> Good, glad to hear it.  I gave up NetWare years ago. I stick with *n.x
> commercially.

V>> All of them have _valid_ CA authority signed not expired certificates.
V>> I don't know, maybe I'm just stupid and my clients just waste money
V>> on them, but this is how things are done in the part of the world
V>> where I'm living in.

> To some degree here too, but it is far from mandatory unless you are an ISP.
> Most often, self-issuing certs are done. Obviously if the site runs
> e-commerce or has a web presence, that cert would be used.

V>> Maybe in yours invalid certificates are usual and this is normal.

> It is not the norm, but it does happen, especially to small to medium
> businesses who run their own mail/IMAP server year after year.




-- 
Best regards,
 Vilius                            mailto:[EMAIL PROTECTED]


________________________________________________________
 Current beta is 3.99.06 | 'Using TBBETA' information:
http://www.silverstones.com/thebat/TBUDLInfo.html
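
Added example, not part of the original message: a client-side check showing why a certificate created on an in-path box is reported by a verifying client, using both a trust-anchor check and a pinned fingerprint. The hostname mail.example.test and all file names are constructed for the demo, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: two unrelated self-signed certificates for one hostname.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME: write NAME.key and NAME.pem for the same mail hostname.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mail.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# fingerprint CERT: print the SHA-256 fingerprint of a certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# client_accepts ANCHOR CERT: succeed only if CERT verifies against ANCHOR.
client_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# pin_matches PIN CERT: succeed only if CERT has the pinned fingerprint.
pin_matches() {
    [ "$(fingerprint "$2")" = "$1" ]
}

make_cert real        # certificate the client already trusts
make_cert intercept   # same name, different key, created in the path
PIN=$(fingerprint "$WORK/real.pem")

# report: run both checks on each certificate as the client would see it.
report() {
    for c in real intercept; do
        if client_accepts "$WORK/real.pem" "$WORK/$c.pem" &&
           pin_matches "$PIN" "$WORK/$c.pem"; then
            echo "$c: accepted"
        else
            echo "$c: REJECTED"
        fi
    done
}

report
```

A matching subject name is not enough: the second certificate carries a different key, so it neither verifies against the trusted anchor nor matches the pin.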
