On Fri, 12 Oct 2001 07:40:33 -0500, Jeffrey Ollie wrote:
>On Fri, Oct 12, 2001 at 12:12:13AM -0400, Richard Welty wrote:
>>
>> really. from a security point of view, SMTP over TLS is fairly lame,
>> for any number of reasons that are not easily dealt with. if it's
>> that important to you, look at PGP or S/MIME solutions.
>
>SMTP over TLS is VERY useful in situations where you can't use
>CRAM-MD5 for authentication. Just because SMTP over TLS has
>limitations doesn't mean it isn't useful, as long as you are aware of
>the limitations.
i don't disagree, but the original writer seemed more interested in
larger security issues. perhaps i was mistaken...
i normally tunnel smtp over ssh from my client system to my outbound
mail relay and do all my transactions that way. i've used IPSec for
similar purposes in the past, as well.
the concern is always that folks who don't have backgrounds in
security may not understand all the things that SMTP over TLS doesn't
do/can't do.