On Sun, 22 Sep 2002 20:25:07 -0400 (EDT) Kurt Lieber <exim@???> wrote:
> Anyone know of a similar solution for a Exim?
no, and actually, i'm a little horrified by the concept.
the problem is that you are now doing authentication on the server when
it's the user of the client that's supposed to be authenticated (i'm
assuming that this is pgp/gpg or s/mime style authentication & encryption
that is at issue.)
you are also skipping a hop for encryption.
"but we'll be behind a firewall".
many security threats are internal. most people aren't nearly paranoid
enough. moving this functionality to the server creates a wonderful
opportunity for a hacker who is inside -- either due to hacking, or bad
vetting when employed, or other possibilities. maybe he's an industrial
spy and he got a job working for the janitorial services firm that your
CFO hired (do you know who is emptying your wastebaskets or looking at the
postit with your passwords that you leave on your monitor? this sort of
stuff has been done. anyway, he gets onto your network and sniffs all
this stuff you think is encrypted, or even injects stuff which your
server cheerfully labels authenticated.
richard
--
Richard Welty
rwelty@??? Averill Park Networking
rwelty@??? Unix, Linux, IP Network Engineering, Security
rwelty@??? 518-573-7592
