On Thu, 25 Mar 2004 20:49:31 -0600
"David Phillips" <david at acz.org> wrote:

> Josh Trutwin writes:
> > The MTA is qmail, I've found this to be what looks like the most
> > maintained patch for STARTTLS SMTP: http://inoa.net/qmail-tls/
> 
> Don't use that.  See my last post about security.  Compile something
> insecure like OpenSSL into qmail and you'll make it as secure as
> Sendmail.

That was my exact concern.  I hate all these qmail patches floating around.  Some seem like misguided science projects and don't ever get updated.  I'm glad the qmail community has started the netqmail distribution with only the patches recommended by the gurus.  (Cazabon, Sill, etc.)

> Using stunnel or sslserver (both use OpenSSL) is much better than
> compiling SSL into qmail.  sslserver might work better as it has all
> the tcpserver features.  That method will work fine with Outlook
> Express.

By sslserver you mean ucspi-ssl, right?  I have this doing my pop3s already.  For any of this stuff I like to compile openssl from source; that way, the minute a security vulnerability is found I don't have to wait for distros.

> > Anyone have any
> > suggestions for STARTTLS and qmail?
> 
> Until Dan Bernstein writes an SSL implementation, don't do it.

:)  I know a lot of people want him to do this, don't think it's on his list though.  I think he's being pressed to write an ssh client/server too. 

> > I'm currently in the works on a huge html
> > document to describe step-by-step how to setup the above with
> > qmail. I'll share with the list when I'm done.
> 
> There are several of those out there already.  Make sure you follow
> the "Life with qmail" method, post it to the qmail mailing list and
> you might get some good feedback.

It's mainly for my own use.  I realize that there are tons of qmail toaster docs out there, but with the dozens (literally) of pieces that it takes to make a full-fledged email system, my sticky notes are just not cutting it.  :)  If it happens to help someone else gain insight, well, all the better.  As far as LWQ, I definitely follow it to a tee; it's a no-miss guarantee to set up a secure closed-relay qmail system.  I actually bought Sill's book, The Qmail Handbook, which is LWQ and then some.  Good stuff.  I guess there's now an O'Reilly book out as well: http://qmail.gurus.com

> > Lastly, am I correct in assuming that ESMTP is the same as SMTP
> > AUTH?
> 
> No.  ESMTP is a string used by an SMTP server's initial greeting
> that indicates it supports SMTP Service Extensions (i.e. it supports
> EHLO).  SMTP AUTH is only one extension.
> 
> http://cr.yp.to/smtp/greeting.html
> http://www.ietf.org/rfc/rfc1869.txt

Ok, thanks for the clarification.  As far as your other post about BincIMAP goes, I did download it, started the installation process, then just kind of fizzled.  I'm hoping to move my home server to Binc and try it out for a while.  I haven't had any problems with Courier until this last version came out.  My IMAP requirements are:

1.) Needs to support IMAP before SMTP relaying using relay-ctrl
2.) Needs to support IMAPS / STARTTLS or use sslserver
3.) Needs to support authenticating from vmailmgr, mysql, PAM
4.) Needs to work well with Squirrelmail and/or Horde/IMP

Thanks,

Josh
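The ESMTP-versus-SMTP-AUTH distinction David draws above, worked through as an added example (this is not code from the thread, from qmail, or from any of the tools named in it). The 220 greeting and the multi-line EHLO reply below are constructed samples, not captured from a real server; `mail.example.org` and `probe.invalid` are placeholder names. The parser also accepts the nonstandard `AUTH=LOGIN` line form that some servers emit for older Microsoft clients, which is an assumption about servers in the wild rather than anything RFC 1869 requires.

```python
"""Tell ESMTP support apart from the individual extensions a server offers.

ESMTP in the 220 greeting means only "I understand EHLO" (RFC 1869);
which extensions exist (AUTH, STARTTLS, SIZE, ...) is learned from the
250 reply to EHLO.  Added example; sample lines are constructed.
"""
import re
import socket

# Constructed sample exchange, as a client would see it on port 25.
SAMPLE_BANNER = "220 mail.example.org ESMTP\r\n"
SAMPLE_EHLO_RESPONSE = (
    "250-mail.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 10485760\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH LOGIN PLAIN CRAM-MD5\r\n"
    "250 HELP\r\n"
)

_BANNER_RE = re.compile(r"^220[ -](?P<host>\S+)(?P<rest>.*)$")


def parse_banner(line):
    """Return (hostname, is_esmtp) from a 220 greeting line.

    The word ESMTP in the greeting announces service-extension support
    (i.e. EHLO works); it says nothing about which extensions exist."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a 220 greeting: %r" % line)
    return m.group("host"), "ESMTP" in m.group("rest").split()


def parse_ehlo_response(text):
    """Parse a multi-line 250 reply into {EXTENSION: [params]}.

    Continuation lines are '250-', the final line is '250 '.  The first
    line carries the server's hostname, not an extension.  A line of the
    form 'AUTH=LOGIN PLAIN' (a compatibility quirk seen in the wild, not
    RFC syntax) is folded into the AUTH entry."""
    lines = [l for l in text.split("\r\n") if l]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted (no 250 reply)")
    extensions = {}
    for i, line in enumerate(lines):
        code, sep, body = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError("malformed reply line: %r" % line)
        words = body.split()
        if i > 0 and words:
            name, eq, first = words[0].upper().partition("=")
            params = ([first] if eq else []) + words[1:]
            extensions.setdefault(name, []).extend(params)
        if sep != "-":
            break  # final line of the reply
    return extensions


def cleartext_auth_mechs(extensions):
    """AUTH mechanisms that would send the password in the clear if a
    client used them before STARTTLS (or on a server without it)."""
    return [m for m in extensions.get("AUTH", [])
            if m.upper() in ("PLAIN", "LOGIN")]


def summarize(banner, ehlo_response):
    """Combine greeting and EHLO reply into one report dict."""
    host, esmtp = parse_banner(banner)
    ext = parse_ehlo_response(ehlo_response)
    return {
        "host": host,
        "esmtp": esmtp,                      # greeting advertises EHLO
        "auth": "AUTH" in ext,               # one extension...
        "starttls": "STARTTLS" in ext,       # ...and another
        "cleartext_auth_mechs": cleartext_auth_mechs(ext),
    }


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply from a socket file."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace")
        lines.append(line)
        if line[3:4] != "-":     # '250 ' or a bare '250' ends the reply
            return "".join(lines)


def probe(host, port=25, timeout=10):
    """Talk to a live server: read the banner, send EHLO, summarize."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = _read_reply(f)
        s.sendall(b"EHLO probe.invalid\r\n")
        ehlo = _read_reply(f)
        s.sendall(b"QUIT\r\n")
    return summarize(banner, ehlo)


if __name__ == "__main__":
    print(summarize(SAMPLE_BANNER, SAMPLE_EHLO_RESPONSE))
```

Running it against the constructed sample reports esmtp, auth and starttls all true, with LOGIN and PLAIN listed as the mechanisms that must not be used until after STARTTLS; `probe("mail.example.org")` does the same against a real host over plain TCP and stops at QUIT, so it never sends a password.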

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list