Re: IMAP over SSL: password still in cleartext?
Bernhard Schwartz <weichei@email-ausdrucker.de> writes:
> Hi,
>
> I have a perhaps somewhat silly question. I have installed Courier-IMAP-SSL
> on a server, but to get CRAM-MD5 working you still have to configure quite a
> few things, because for CRAM-MD5 Courier has to know the cleartext password.
>
> So the questions: with SSL/TLS and IMAP, is the password transmitted in
> cleartext and only the mail transport itself encrypted (in which case CRAM-MD5
> would definitely still be necessary), or can I skip that if I use SSL/TLS?
See below, section 3.1.
> Which is "better": SSL or TLS?
See below, section 1.
> Thanks,
> Bernhard
From RFC 2595:
--------------------------------------------------------------------------------
1. Motivation
The TLS protocol (formerly known as SSL) provides a way to secure an
application protocol from tampering and eavesdropping.
...
3.1. STARTTLS Command
Arguments: none
Responses: no specific responses for this command
Result: OK - begin TLS negotiation
BAD - command unknown or arguments invalid
A TLS negotiation begins immediately after the CRLF at the end of
the tagged OK response from the server. Once a client issues a
STARTTLS command, it MUST NOT issue further commands until a
server response is seen and the TLS negotiation is complete.
The STARTTLS command is only valid in non-authenticated state.
The server remains in non-authenticated state, even if client
credentials are supplied during the TLS negotiation. The SASL
[SASL] EXTERNAL mechanism MAY be used to authenticate once TLS
client credentials are successfully exchanged, but servers
supporting the STARTTLS command are not required to support the
EXTERNAL mechanism.
Once TLS has been started, the client MUST discard cached
information about server capabilities and SHOULD re-issue the
CAPABILITY command. This is necessary to protect against
man-in-the-middle attacks which alter the capabilities list prior
to STARTTLS. The server MAY advertise different capabilities
after STARTTLS.
The formal syntax for IMAP is amended as follows:
command_any =/ "STARTTLS"
Example: C: a001 CAPABILITY
S: * CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED
S: a001 OK CAPABILITY completed
C: a002 STARTTLS
S: a002 OK Begin TLS negotiation now
<TLS negotiation, further commands are under TLS layer>
C: a003 CAPABILITY
S: * CAPABILITY IMAP4rev1 AUTH=EXTERNAL
S: a003 OK CAPABILITY completed
C: a004 LOGIN joe password
S: a004 OK LOGIN completed
--------------------------------------------------------------------------------
In other words, under TLS the authentication is carried out encrypted.
Using plain/login is therefore 'safe'.
Regards, Bruno.
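The client-side rules from RFC 2595 section 3.1 quoted above, worked through as a small state machine. This is an added illustration, not code from the thread, from Courier or from the RFC: the capability lines are constructed to mirror the RFC example, nothing connects to a real server, and the CRAM-MD5 fallback on a cleartext connection is a hypothetical policy choice tied to Bernhard's question rather than anything the RFC mandates. What it shows is that the pre-TLS capability list must be thrown away after STARTTLS, that LOGIN is only sent once the TLS layer is up, and that a capability list missing STARTTLS on a cleartext connection (the downgrade the RFC warns about) must never lead to a cleartext LOGIN.

```python
from __future__ import annotations
import re

# Untagged capability response, e.g. "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"
CAPABILITY_RE = re.compile(r"^\* CAPABILITY (.+)$", re.IGNORECASE)


def parse_capabilities(line: str) -> set[str]:
    """Turn one untagged CAPABILITY response into a set of upper-cased tokens."""
    m = CAPABILITY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an untagged CAPABILITY response: {line!r}")
    return {tok.upper() for tok in m.group(1).split()}


class ImapClientPolicy:
    """Decides the next authentication-related step a client may safely take."""

    def __init__(self) -> None:
        self.tls_active = False
        self.caps: set[str] | None = None  # None = nothing cached, must ask

    def on_capability(self, line: str) -> None:
        self.caps = parse_capabilities(line)

    def on_starttls_ok(self) -> None:
        self.tls_active = True
        # RFC 2595 3.1: discard cached capabilities once TLS is up; the
        # pre-TLS list may have been altered by a man-in-the-middle.
        self.caps = None

    def next_step(self) -> str:
        if self.caps is None:
            return "CAPABILITY"
        if not self.tls_active:
            if "STARTTLS" in self.caps:
                return "STARTTLS"
            # Hypothetical policy (not from the RFC): on a cleartext link a
            # challenge-response mechanism keeps the password off the wire,
            # which is exactly the case where CRAM-MD5 still matters.
            if "AUTH=CRAM-MD5" in self.caps:
                return "AUTHENTICATE CRAM-MD5"
            # No STARTTLS on a cleartext link: server lacks TLS or something
            # on the path stripped it. Either way, never send LOGIN here.
            return "ABORT"
        if "LOGINDISABLED" in self.caps:
            return "ABORT"
        return "LOGIN"  # under the TLS layer, as in the RFC example


def simulate(pre_tls_line: str, post_tls_line: str | None = None) -> list[str]:
    """Replay a server's capability answers and return the client's steps."""
    policy = ImapClientPolicy()
    steps = [policy.next_step()]          # always starts with CAPABILITY
    policy.on_capability(pre_tls_line)
    steps.append(policy.next_step())
    if steps[-1] == "STARTTLS":
        policy.on_starttls_ok()            # server answered "OK Begin TLS negotiation now"
        steps.append(policy.next_step())   # cache discarded -> CAPABILITY again
        if post_tls_line is None:
            raise ValueError("post-TLS CAPABILITY response required after STARTTLS")
        policy.on_capability(post_tls_line)
        steps.append(policy.next_step())
    return steps


if __name__ == "__main__":
    # Constructed server answers, modelled on the RFC 2595 example session.
    rfc_example = simulate("* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
                           "* CAPABILITY IMAP4rev1 AUTH=EXTERNAL")
    stripped = simulate("* CAPABILITY IMAP4rev1 LOGINDISABLED")      # STARTTLS removed on the path
    cleartext_cram = simulate("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5")  # server without TLS at all
    for name, steps in (("rfc example", rfc_example), ("stripped", stripped),
                        ("cleartext+cram", cleartext_cram)):
        print(f"{name:15s} -> {' / '.join(steps)}")
```

The point of the `caps = None` reset is the one the RFC spells out: whatever the server advertised before STARTTLS is untrusted, so the client asks again under TLS and only then decides whether LOGIN is acceptable.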