Date: Tue, 4 Sep 2007 21:25:33 -0700 From: "Ted Mittelstaedt" <tedm@toybox.placo.com> To: "Jim Stapleton" <stapleton.41@gmail.com>, <freebsd-questions@freebsd.org> Subject: RE: questions on setting up a mail server Message-ID: <BMEDLGAENEKCJFGODFOCGEELCAAA.tedm@toybox.placo.com> In-Reply-To: <80f4f2b20709011336h4af41582raee142537f7495b5@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> -----Original Message----- > From: owner-freebsd-questions@freebsd.org > [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Jim Stapleton > Sent: Saturday, September 01, 2007 1:36 PM > To: freebsd-questions@freebsd.org > Subject: questions on setting up a mail server > > > I figured I'd try cyrus, I remember hearing that one is a good mail > server. But I'm new to the mail server thing, and I'm not even sure > where to look for some of this stuff if anyone can help. Also, I plan > on just doing POP3, and only allowing secure connections - if anyone > can reccomend a good, simple server for that, that they think is > better than Cyrus, I won't object. > > My main question is on authentication. I was looking at authentication > types in kmail to get an idea of what I can use, and I found: > Clear text > LOGIN > PLAIN > CRAM-MD5 > Digest-MD5 > NTLM > GSSAPI > APOP > > > I know clear text is not what I want - if I remember, that's > unencrypted. Does TLS/SSL make this a non-issue? What about the other > methdods? Much of this depends on the mail clients that your going to be hitting the server with. The first group does encryption of the password only. The TLS/SSL stuff does encryption of everything - password, mail contents, etc. The TLS stuff requires you put a SSL cert into the client. Most people, not wanting to pay Verisign for this, make their own self-signed certs. There is a large amount of arcane magic to do this, and to get it accepted into Windows, so that an Outlook client will do SSL. You cannot really find recipies out there to do it - but you can pick up bits and pieces here and there and learn a lot about SSL and assemble a recipie. Basically, you want to create a self-signed root certificate, then sign your POP3 mailserver certificate with that, and put the self-signed cert into the root store in Windows. Not only can you sign your pop3 certs with this, you can sign your www, imap, pop3, smtp, etc. etc. etc. certificates with your root CA and then you won't get bitching from your windows clients. The first group is a different story. If you want to get Outlook to work with that, you can only use NTLM. The developers of all of the various packages dislike NTLM so they force you to use arcane makefile options and such to build your system so that it will support NTLM. Eudora, by contrast, supports only APOP and Netscape mail only supports CRAM-MD5 and as I recall bugs in the clients basically make it impossible for a server that supports all these encryption types to work with all clients. The honest to god truth of the matter is that encrypting your POP3 and SMTP auth passwords is difficult to do on a large scale no matter what road you pick to do it, so there is really not a lot of point to doing it unless your in a rather limited environment. I would definitely not bother in a corporate environment where you have maybe a handful of road warriors that would be on sniffable networks - just make sure their pop3 login and password isn't the same as their network login ID and password and the worst a cracker can do is steal their mail. whop de do. Chances are far more likely their laptops will be busted into by a robot loaded on the laptop that sniffs keystrokes. By contrast in a creaky old college network with a bunch of dumb network hubs and a couple dormotories full of jerkoffs looking to prove they are hackers, you probably would want to encrypt it via SSL. Ted
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?BMEDLGAENEKCJFGODFOCGEELCAAA.tedm>