"Dave C." <djc@???> probably said:
> As far as using TLS with SMTP auth, why bother? Spammers do NOT sit
> sniffing SMTP sessions to try and catch username and password pairs to
> send spam (and where would they sniff from anyway?) - that would be way
> too much work - there are still plenty of open SMTP servers out there,
> despite MAPS/RSS/ORBS/etc best efforts. And if some rogue employee at a
> backbone network wanted to try and break into your site (unlikely) by
> sniffing for SMTP AUTH passwords, they would have to wade through
> gigbytes of traffic looking. Poeple just dont do that.
Wade through traffic ? Get thee a copy of dsniff. One machine gets
cracked, drop a password sniffer on it ... instant database of
hundreds of passwords on a busy network.
Why said anything about spammers ? People use the same or similar
passwords for many things/machines. Get one password in the clear and
get login access to machine X, from there get to machine Y ...
Today alone I've seen one person here wanting to do SMTP auth
from the login password on a machine.
Passwords in the clear, _whatever_ they are for, is bad.
> And if you or your clients are transmitting sensitive/confidential
> information, you really should be using something like PGP to provide
> origin-to-destination security. Encrypting the SMTP session, unless you
> also encrypt your mail spool, just gives a false sense of security.
I disagree, strongly.
I have a machine at work with an interface that gets _every_ packet in
and out of the university for doing bandwidth monitoring, running
snort and such. mailsnarf on that machine with a couple of regexps ...
unfortunately not everyone is as ethical as me. Cracking a machine
on the same subnet as a mailserver and arpspoof the switch would
give similar results.
Anything that can reasonably be encrypted should be. TLS makes
encrypted SMTP trivial, no reason _not_ to use it. Yes, if you are
paranoid you should still be using PGP for mail, but this doesn't mean
TLS is pointless. I +like+ my mail being encrypted where it can be.
P.
--
pir pir-sig@??? pir-sig@???