On Tue, Oct 15, 2002 at 11:12:29PM -0400, Jaldhar H. Vyas wrote:

> Now we have crypto in main, these packages will have SSL/TLS support.
> The -ssl versions of these packages are just going to be dummies that will
> upgrade you to the packages listed above which will ask you via debconf
> which protocols you want to enable.

> Following the upstream practice which is based on an IESG recommendation,
> plaintext logins will be disabled on non-SSL/TLS connections. If you
> absolutely don't want to use SSL or TLS for some reason, your only
> alternatives are to use CRAM-MD5 (See /usr/share/doc/libc-client2002/md5.txt)
> or Kerberos or to recompile the package.

Recommended or not, this is a substantial change that will break a lot of
clients of existing systems. There *are* still POP clients in use that
support neither SASL nor SSL. Likewise, a client that refused to negotiate
plaintext would fail with some servers. Is it possible to re-enable
plaintext logins at runtime, or is this setting hard-coded into the
binaries?

Since most SSL-enabled POP servers don't have a certificate issued by a
recognized CA, tunneling plaintext passwords over SSL provides only minimal
protection against a dedicated attacker compared to sending plaintext
passwords in the clear.

> * I would like some people to document how to set up TLS or SSL in popular
> IMAP clients (in particular: Outlook, Outlook Express, KMail, Mozilla Mail,
> fetchmail, and Mutt.) I will include this information in a FAQ.

You've notably omitted Eudora and Pegasus from this list.

Steve Langasek
postmodern programmer
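The CRAM-MD5 alternative the quoted announcement points to, and the LOGINDISABLED capability a client sees when plaintext LOGIN is refused, are easy to get wrong in practice. The following is an added example, not code from the libc-client/UW-IMAP package or from either poster: both sides of an RFC 2195 CRAM-MD5 exchange are simulated in one process, checked against the RFC's own test vector, and a small parser shows how a client should decide between LOGIN and a SASL mechanism from the IMAP CAPABILITY line. The hostname "pop.example.org", the in-memory secrets table and the capability strings are constructed for the demonstration.

```python
"""CRAM-MD5 (RFC 2195) client and server sides, plus IMAP CAPABILITY parsing.

Added example for the thread above; not code from libc-client or UW-IMAP.
"""
import base64
import hashlib
import hmac
import os
import time

# RFC 2195 test vector: user "tim", secret "tanstaaftanstaaf".
RFC2195_CHALLENGE = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()
RFC2195_EXPECTED_RESPONSE = base64.b64encode(
    b"tim b913a602c7eda7a495b4e6e7334d3890").decode()


def make_challenge(hostname="pop.example.org"):
    """Server side: a fresh "<random.timestamp@host>" challenge, base64 on the
    wire. The hostname is a placeholder for this example, not a real server."""
    nonce = int.from_bytes(os.urandom(4), "big")
    raw = f"<{nonce}.{int(time.time())}@{hostname}>".encode()
    return base64.b64encode(raw).decode()


def cram_md5_response(username, password, b64_challenge):
    """Client side: HMAC-MD5 keyed with the password over the decoded
    challenge; the wire reply is base64("user hexdigest"). The password
    itself never crosses the wire, which is the point of the mechanism."""
    challenge = base64.b64decode(b64_challenge)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def cram_md5_verify(b64_challenge, b64_response, lookup_secret):
    """Server side: recompute the digest from the stored secret and compare in
    constant time. Returns the username on success, None on any failure.
    Caveat: the server needs the password (or the HMAC inner/outer MD5 state)
    in recoverable form; a one-way crypt(3) hash cannot verify CRAM-MD5."""
    try:
        username, digest = base64.b64decode(b64_response).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = lookup_secret(username)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), base64.b64decode(b64_challenge),
                        hashlib.md5).hexdigest()
    return username if hmac.compare_digest(expected, digest) else None


def auth_options(capability_line):
    """Parse an IMAP CAPABILITY response into what the server will accept now.
    A server that refuses plaintext logins before STARTTLS advertises
    LOGINDISABLED and drops it once TLS is up, so a client should re-read
    CAPABILITY after the upgrade instead of assuming LOGIN works."""
    caps = capability_line.strip().lstrip("*").split()
    if caps and caps[0].upper() == "CAPABILITY":
        caps = caps[1:]
    upper = {c.upper() for c in caps}
    return {
        "plaintext_login": "LOGINDISABLED" not in upper,
        "starttls": "STARTTLS" in upper,
        "sasl": sorted(c[5:] for c in upper if c.startswith("AUTH=")),
    }


def demo():
    """Full exchange: correct password, wrong password, and a captured
    response replayed against a new challenge (fails: challenge-bound)."""
    secrets = {"tim": "tanstaaftanstaaf"}  # constructed secrets table
    chal = make_challenge()
    good = cram_md5_response("tim", "tanstaaftanstaaf", chal)
    ok = cram_md5_verify(chal, good, secrets.get)
    bad = cram_md5_verify(chal, cram_md5_response("tim", "wrong", chal), secrets.get)
    replay = cram_md5_verify(make_challenge(), good, secrets.get)
    return ok, bad, replay


if __name__ == "__main__":
    print(demo())
    print(auth_options("* CAPABILITY IMAP4REV1 STARTTLS LOGINDISABLED AUTH=CRAM-MD5"))
```

Two things worth noticing when running it: an eavesdropper on a non-TLS session sees only the challenge and the HMAC digest, so the password is not recoverable without an offline guess per captured pair, but the server has to keep the secret in a reversible form to verify it, which is the trade-off that md5.txt in the package documents. And the replay case shows why a client must compute a fresh response per connection rather than caching one.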