[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the uw-imap maintainer

On Tue, Oct 15, 2002 at 11:12:29PM -0400, Jaldhar H. Vyas wrote:
> Now we have crypto in main, these packages will have SSL/TLS support.
> The -ssl versions of these packages are just going to be dummies that will
> upgrade you to the packages listed above which will ask you via debconf
> which protocols you want to enable.

> Following the upstream practice which is based on an IESG recommendation,
> plaintext logins will be disabled on non-SSL/TLS connections.  If you
> absolutely don't want to use SSL or TLS for some reason, your only
> alternatives are to use CRAM-MD5 (See /usr/share/doc/libc-client2002/md5.txt)
> or Kerberos or to recompile the package.

Recommended or not, this is a substantial change that will break a lot
of clients of existing systems.  There *are* still POP clients in use
that support neither SASL nor SSL.  Likewise, a client that refused to
negotiate plaintext would fail with some servers.  Is it possible to
re-enable plaintext logins at runtime, or is this setting hard-coded
into the binaries?

Since most SSL-enabled POP servers don't have a certificate issued by a
recognized CA, tunneling plaintext passwords over SSL provides only
minimal protection against a dedicated attacker compared to sending
plaintext passwords in the clear.

> * I would like some people to document how to set up up TLS or SSL in popular
>   IMAP clients (in particular: Outlook, Outlook Express, KMail, Mozilla Mail,
>   fetchmail, and Mutt.)  I will include this indormation in a FAQ.

You've notably omitted Eudora and Pegasus from this list.

Steve Langasek
postmodern programmer

Attachment: pgpSfZMfyP0t8.pgp
Description: PGP signature

Reply to: