Re: [Exim] Feature Request - security

Pàgina inicial
Delete this message
Reply to this message
Autor: Yann Golanski
Data:  
A: Karl Schmidt
CC: exim-users
Assumpte: Re: [Exim] Feature Request - security
On Wed, May 16, 2001 at 02:05:02PM -0500, Karl Schmidt quothed:
> > Why not use SSL and ETRN? It seems to me that this would work pretty
> > much in tehsame way as you describe. Of course, you could install IPSec
> > on your gateway and make it use that to encrypt all connections to
> > the external mail server.
>
> [KPS] I have looked at that - It is a step in the right direction having the
> connection initiated on the private network end. Fetchmail is supposed to
> support ssh also (for some reason I haven't gotten ssh to work with
> fetchmail yet). I may use ETRN. I think ETRN is really aimed at
> intermittently connected servers. I've not seen anything that suggests it
> would support a continuous connection.


You seem to be confused about what TERN is and does. It doesn't matter
if your host is connecte or not. All it does is to pull mail, which is
the same thing that fetchmail does.

> IPSec or a port forwarding scheme could work, but it seems this should be
> part of Exim to me. Even if this only works between Exim MTAs it would be a
> great feature. Securely in tying the public and private mail servers
> together is a common problem.


No it should not be. Exim does provide SSL connections and that's all it
should do. IPSec works on the TCP/IP level and has NOTHING to do with
email.

In fact, a host that uses IPSec and SESMTP will encrypt the mail twice.

> It just seems a pity to defeat the beauty of the way Exim works - no
> batching. To have a ssh connection open all the time so when the mail,
> comes it moves at once.


That's an insane setup.

If what you want is encrypted trafic between your external mail server
and your internal one there are two options: Use IPSec or SESMTP! Both
those work fine with Exim and provide good security -- as long as the
underlying algorithms have not been broken.

-- 
                         www.kierun.org
Yann@???                                Use Pretty Good Privacy.