On Thu, Jul 27, 2000 at 03:43:59PM -0400, Dave C. wrote:
> I wouldn't bother. The odds of someone who wants to spam through your
> server, having access to sniff network traffic, and having the time and
> inclination to sit there for days watching for passwords in the
> terabytes of traffic passing through, multiplied by the amount of
> damage they could do with one password, multiplied by the trouble it
> would take to change the password they managed to sniff...........
I'd agree here, but as I mentioned, those passwords are the main user
passwords, they can be used to get a shell login.
I do not care as much about spam relaying as someone sniffing a password and
using it to log into my network :-)
> Do you allow them to use POP from outside your network? Have you
Not for much longer. IMAP/SSL is there (as is POP/SSL) and plain POP will go
away real soon.
> implemented a working SSL solution there too? If not, then you already
> have passwords passing in direct plain text (not even BASE64 encoded)..
Actually netscape and WUPOP do BASE64 encode the pop login sequence.
> IMNSHO, SSL for SMTP relay (at least until the protocols are set in
> stone, and every possible mail client implements them, correctly, and in
> a compatible manner), is simply not worth the hassle.
I thought about just using one master password to allow any user to relay
through the mail server with that password, but I believe netscape doesn't
let you specify one password for imap and a different one for SMTP AUTH,
thus I'm stuck with using user passwords, and I don't want those travelling
in plaintext :-)
> > I've found on the web that recent netscapes don't talk to the ssmtp port
> > (although I can force them to do so by specifying mailserver:465) but just
> > in case, I have stunnel listening on both ports:
> > root 4886 0.0 0.0 2588 1440 ? S 01:05 0:00 /usr/sbin/stunnel -p /etc/ssl/certs/stunnel.pem -d smtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs
> > root 4888 0.0 0.0 2432 1292 ? S 01:05 0:00 /usr/sbin/stunnel -p /etc/ssl/certs/stunnel.pem -d ssmtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs
In the meantime (after yet more searching), I found the well hidden solution
I was looking for:
/usr/local/bin/stunnel-3.8p4 -p /etc/ssl/certs/stunnel.pem -d ssmtp -P /var/run/stunnel.ssmtp.pid -n smtp -l /usr/sbin/exim -- exim -C /etc/exim-ssl.conf -bs
(the key is a more recent stunnel than what ships with debian, be it potato
or woody, sigh...)
It's still not perfect since exim loses the remote IP info when it's
launched by a wrapper, but it's better than nothing.
Hopefully, TLS support will be added in for good, just like in postfix and
sendmail.
Thanks,
Marc
--
Microsoft is to software what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ (friendly to non IE browsers)
Finger marc_f@??? for PGP key and other contact information
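
Added example, not part of the original message or of any software named in it: the thread's concern is SMTP AUTH credentials crossing the network outside SSL, and BASE64 is an encoding, not encryption. This Python sketch audits a session transcript and reports every AUTH exchange that took place while TLS was not active; the C:/S: transcript format, host names and accounts are constructed assumptions.

```python
import base64

def b64(text):
    return base64.b64encode(text.encode()).decode()

def unb64(token):
    return base64.b64decode(token).decode(errors="replace")

def audit_session(transcript):
    """Return (mechanism, username) for every AUTH sent while TLS was not active."""
    findings, tls, tls_pending, stage, user = [], False, False, None, None
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        words = text.split()
        if side == "S":
            # A 220 reply to STARTTLS means the rest of the session is encrypted.
            tls = tls or (tls_pending and text.startswith("220"))
            tls_pending = False
        elif stage == "user":            # AUTH LOGIN: first token is the username
            user, stage = unb64(text), "pass"
        elif stage == "pass":            # second token is the password (not reported)
            if not tls:
                findings.append(("LOGIN", user))
            stage = None
        elif text.upper() == "STARTTLS":
            tls_pending = True
        elif len(words) >= 2 and words[0].upper() == "AUTH":
            mech = words[1].upper()
            if mech == "LOGIN" and len(words) == 2:
                stage = "user"
            elif mech == "PLAIN" and len(words) == 3 and not tls:
                # PLAIN carries authzid NUL authcid NUL password in one token.
                findings.append(("PLAIN", unb64(words[2]).split("\0")[1]))
    return findings

# Constructed sample sessions (not captured traffic); C = client, S = server.
CLEAR = ["S: 220 mail.example.org ESMTP", "C: EHLO client.example.org",
         "S: 250 AUTH LOGIN PLAIN", "C: AUTH LOGIN", "S: 334 VXNlcm5hbWU6",
         "C: " + b64("alice"), "S: 334 UGFzc3dvcmQ6",
         "C: " + b64("constructed-password"), "S: 235 Authentication succeeded"]
TLS_FIRST = ["S: 220 mail.example.org ESMTP", "C: EHLO client.example.org",
             "S: 250 STARTTLS", "C: STARTTLS", "S: 220 TLS go ahead",
             "C: EHLO client.example.org", "S: 250 AUTH PLAIN",
             "C: AUTH PLAIN " + b64("\0bob\0constructed-password"),
             "S: 235 Authentication succeeded"]

if __name__ == "__main__":
    print(audit_session("\n".join(CLEAR)))
    print(audit_session("\n".join(TLS_FIRST)))
```

A session accepted through an SSL wrapper such as the stunnel listener on the ssmtp port is encrypted from the first byte, so it never appears in this form on the wire; the audit applies to what the plain smtp port accepts.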