[Dovecot] SSL/TLS with Outlook client

Kyle Wheeler kyle-dovecot at memoryhole.net
Wed Nov 14 20:29:30 EET 2007


On Wednesday, November 14 at 11:51 AM, quoth Ed W:
> Is TLS always performed BEFORE auth with generally available POP/IMAP 
> clients?

Yes, because that's generally the entire point of using encryption. 
After all, what's more important: encrypting your username/password 
before transmitting it over an open wire, or encrypting your email 
messages before transmitting them over an open wire? (Hint: if you 
need your email encrypted, use PGP.)

Technically, there's nothing in the IMAP spec that forbids doing it 
the other way around; however, many IMAP servers (including Dovecot) 
typically reject unencrypted authentication attempts.

> Random idea but if there were some way to identify the client BEFORE 
> presenting the certificate then it would be possible to present one 
> of a number of certificates depending on the incoming client.... 

Of course, but unfortunately, there's very little. The only thing the 
server can reliably know is the client's IP address and source TCP 
port (and its own IP address). Not much to go on.

> (don't fancy scraping SMTP server log files and matching back to IP 
> addresses though...)

HEH. SMTP-before-IMAP? What a bizarre concept. :) You'd just be 
transferring the problem: how does the SMTP server know what 
certificate to use?

~Kyle
-- 
You can gain reconciliation from your enemies, but you can only gain 
peace from yourself.
                                        -- Rubin "The Hurricane" Carter
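
The ordering discussed above (TLS first, credentials second) can be checked from what a server advertises before TLS. The following is an added example, not part of the original message or of Dovecot's code; the function names and the sample server lines are constructed for illustration, while `STARTTLS`, `LOGINDISABLED` and `AUTH=` are the standard IMAP capability names.

```python
import re

# Capability names that carry a reusable password in the clear when TLS is absent.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed pre-TLS server lines (illustrative, not captured from a real server).
SAMPLES = {
    "tls_first": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "either_order": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN",
    "no_tls": "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
}

def parse_capabilities(line):
    """Capability atoms from a greeting's [CAPABILITY ...] code or an
    untagged '* CAPABILITY ...' response, upper-cased for comparison."""
    line = line.strip()
    m = (re.search(r"\[CAPABILITY\s+([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def cleartext_auth_offered(caps):
    """True if the server would accept a password before TLS: LOGIN is not
    disabled, or a plaintext SASL mechanism is advertised."""
    return "LOGINDISABLED" not in caps or bool(caps & PLAINTEXT_MECHS)

def client_next_step(caps, tls_active):
    """Next action for a client that never sends credentials unencrypted."""
    if tls_active:
        return "authenticate"
    if "STARTTLS" in caps:
        # After the handshake the client must discard these capabilities
        # and ask again (RFC 3501, section 6.2.1).
        return "starttls"
    # No STARTTLS advertised (unsupported, or removed on the path): stop
    # rather than fall back to cleartext authentication.
    return "abort"

def audit(samples):
    """Map each sample name to (server offers cleartext auth, client action)."""
    return {name: (cleartext_auth_offered(c), client_next_step(c, False))
            for name, c in ((n, parse_capabilities(l)) for n, l in samples.items())}

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(name, result)
```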