From owner-freebsd-questions Sun Jan 21 20:18:13 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 8D05B37B401 for ; Sun, 21 Jan 2001 20:17:55 -0800 (PST)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Sun, 21 Jan 2001 20:16:08 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.0) id f0M4HpG68819; Sun, 21 Jan 2001 20:17:51 -0800 (PST) (envelope-from cjc)
Date: Sun, 21 Jan 2001 20:17:51 -0800
From: "Crist J. Clark"
To: Arcady Genkin
Cc: freebsd-questions@freebsd.org
Subject: Re: imap and pop3 via stunnel (was: UW-IMAP server and secure authentication)
Message-ID: <20010121201750.D10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <87hf2s4hb7.fsf@tea.thpoon.com> <20010121154230.Z10761@rfx-216-196-73-168.users.reflex> <87g0ic4ax7.fsf_-_@tea.thpoon.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <87g0ic4ax7.fsf_-_@tea.thpoon.com>; from antipode@thpoon.com on Sun, Jan 21, 2001 at 08:45:24PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, Jan 21, 2001 at 08:45:24PM -0500, Arcady Genkin wrote:
> "Crist J. Clark" writes:
>
> > I don't see why you can't use a self-signed cert. Provided you
> > distribute it securely (relative to what you are protecting and other
> > security measures), it is a fairly good solution.
>
> I basically want to disable any ways of connecting to my computer with
> user names/passwords sent in clear text. What do you mean by
> "distribute it securely"?

When you establish an SSL connection with someone new, you are supposed to be able to trust that their cert is valid because it is signed by a trusted third party. Something like a web browser comes with certain signatures built in (people like VeriSign). You are self-signing your certs. There is no trusted third party to check the cert. You are vulnerable to a man-in-the-middle attack the first time you connect. There is no way for your computer to know if the machine offering the cert at the other end is really who it claims to be. Now if you are connecting across your local network and are not concerned about someone doing such attacks, it's not a big deal. Someone establishing a connection over the Internet... well, such an attack is not very probable but very possible.

> > I have never used SSL within UW IMAP. However, I set up a mailserver
> > which used stunnel (in the ports) to get SSL access to UW IMAP. Making
> > a self-signed cert with stunnel was painless and a reasonable solution
> > for that organization.
>
> This is great! I just installed stunnel and had imapd and ipop3d
> working with it in no time. I'm using the security certificate
> generated by "make cert". Thanks a lot, Crist!

Yep. stunnel makes it pretty easy.

> > Almost all of the users were using M$ Outlook Express as a MUA. A
> > few Netscape Messenger users. Neither had any problems.
>
> I just had a MS Outlook Express user confirm successful POP3 retrieval
> over SSL. I'm happy. The only thing that's bothering me is your
> phrase about distributing the certificate: I did not send the user
> anything, he was just able to connect by changing mail server
> configuration in his mailer. Was the connection secure in this case?

Hmmm... Are you sure that he used SSL? I mean Outlook Express security leaves much to be desired, but it does not make noise if it gets a self-signed cert? Scary. An SSL session is secure with respect to sniffing since it is encrypted, but it would be vulnerable to the attack described above. If the user did get the real thing, they should be secure... as secure as OE will let them be, from now on.

If I sound paranoid about this, it's because that's what I get paid to do.
--
Crist J. Clark cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
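The trust problem Crist describes above, as an added example that is not part of this thread (and not stunnel's or UW IMAP's code): a Python script that stands in for stunnel in front of imapd with a freshly made self-signed cert, then connects to it three ways: with the system CA list only (the handshake is refused), with the self-signed cert pinned as a trust anchor (what "distributing it securely" out of band buys you), and with verification switched off (what a mailer that "does not make noise" about unknown certs effectively does). It assumes the openssl command-line tool is installed; the host name mail.example.test and the greeting are constructed.

```python
import os, socket, ssl, subprocess, tempfile, threading

HOST = "mail.example.test"  # constructed name, used as cert CN/SAN and for the hostname check

def make_self_signed(dirname):
    """Self-signed cert + key via the openssl CLI (assumed installed), as stunnel's 'make cert' does."""
    key, crt = os.path.join(dirname, "key.pem"), os.path.join(dirname, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={HOST}",
                    "-addext", f"subjectAltName=DNS:{HOST}"], check=True, capture_output=True)
    return crt, key

def serve_once(crt, key):
    """Stand-in for stunnel in front of imapd: accept one TLS client on 127.0.0.1, send a greeting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    lsock = socket.create_server(("127.0.0.1", 0))  # kernel picks a free port
    def run():
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"* OK IMAP4rev1 server ready\r\n")
        except OSError:
            pass  # the client refused our certificate during the handshake
        finally:
            lsock.close()
    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1]

def connect(port, mode, pinned):
    """'default': system CAs only, so a self-signed cert is rejected. 'pinned': also trust the
    cert handed over out of band (the 'distributed securely' case). 'noverify': accept anything."""
    ctx = ssl.create_default_context()
    if mode == "pinned":
        ctx.load_verify_locations(cafile=pinned)
    elif mode == "noverify":
        ctx.check_hostname = False  # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
             ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            return "ok:" + tls.recv(64).decode().strip()
    except ssl.SSLCertVerificationError:
        return "rejected"

def demo():
    # one fresh listener per client mode; returns {mode: outcome}
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d)
        return {m: connect(serve_once(crt, key), m, crt) for m in ("default", "pinned", "noverify")}
```

Note that the "noverify" client connects just as happily to an impostor holding any cert at all, which is exactly the man-in-the-middle exposure described above; only the pinned client can tell the real server from one that is not.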