On Wednesday, November 14 at 11:51 AM, quoth Ed W:
> Is TLS always performed BEFORE auth with generally available POP/IMAP clients?
Yes, because that's generally the entire point of using encryption. After all, what's more important: encrypting your username/password before transmitting it over an open wire, or encrypting your email messages before transmitting them over an open wire? (Hint: if you need your email encrypted, use PGP.)
Technically, there's nothing in the IMAP spec that forbids doing it the other way around; however, many IMAP servers (including Dovecot) typically reject unencrypted authentication attempts.
> Random idea, but if there were some way to identify the client BEFORE presenting the certificate, then it would be possible to present one of a number of certificates depending on the incoming client....
Of course, but unfortunately, there's very little. The only thing the server can reliably know is the client's IP address and source TCP port (and its own IP address). Not much to go on.
> (don't fancy scraping SMTP server log files and matching back to IP addresses though...)
HEH. SMTP-before-IMAP? What a bizarre concept. :) You'd just be transferring the problem: how does the SMTP server know what certificate to use?
~Kyle
You can gain reconciliation from your enemies, but you can only gain peace from yourself. -- Rubin "The Hurricane" Carter
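The STARTTLS-before-LOGIN behaviour Kyle describes, as an added example that is not part of the thread and not Dovecot's code: a toy IMAP server model that advertises LOGINDISABLED and refuses LOGIN until TLS has been negotiated, driven by a client whose policy is never to send credentials over cleartext, and by a careless client that sends LOGIN first. The PRIVACYREQUIRED response wording mirrors the one Dovecot sends; the TLS handshake itself is reduced to a flag, and the class and function names, the tags and the sample user "ed" / password "hunter2" are all constructed for the example.

```python
"""Model of the IMAP STARTTLS-before-LOGIN exchange discussed in the thread.

Added example, not code from the thread or from Dovecot. The server is a toy
state machine; the TLS handshake is reduced to flipping a flag. The session
lines below are constructed, not captured traffic.
"""

# Wording mirrors Dovecot's refusal of plaintext auth on a non-TLS connection.
PRIVACY_REQUIRED = (
    "NO [PRIVACYREQUIRED] Plaintext authentication disallowed "
    "on non-secure (SSL/TLS) connections."
)


class ImapServerModel:
    """Server side. allow_plaintext=False mimics a server that, like Dovecot
    with disable_plaintext_auth=yes, refuses LOGIN until TLS is up."""

    def __init__(self, allow_plaintext=False, offer_starttls=True):
        self.allow_plaintext = allow_plaintext
        self.offer_starttls = offer_starttls
        self.tls = False
        self.authenticated = False

    def capabilities(self):
        caps = ["IMAP4rev1"]
        if not self.tls:
            if self.offer_starttls:
                caps.append("STARTTLS")
            if not self.allow_plaintext:
                # RFC 3501: a client that sees LOGINDISABLED must not send LOGIN
                caps.append("LOGINDISABLED")
        return caps

    def greeting(self):
        return "* OK [CAPABILITY %s] ready" % " ".join(self.capabilities())

    def handle(self, line):
        """Process one tagged client command; return the server's response lines."""
        tag, _, rest = line.partition(" ")
        cmd, _, _args = rest.partition(" ")
        cmd = cmd.upper()
        if cmd == "CAPABILITY":
            return ["* CAPABILITY " + " ".join(self.capabilities()), f"{tag} OK done"]
        if cmd == "STARTTLS":
            if self.tls:
                return [f"{tag} BAD TLS already active"]
            self.tls = True  # a real server runs the TLS handshake right here
            return [f"{tag} OK Begin TLS negotiation now."]
        if cmd == "LOGIN":
            if not self.tls and not self.allow_plaintext:
                return [f"{tag} {PRIVACY_REQUIRED}"]
            self.authenticated = True
            return [f"{tag} OK Logged in"]
        return [f"{tag} BAD Unknown command"]


def parse_caps(line):
    """Capability list from a greeting '[CAPABILITY ...]' or a '* CAPABILITY' line."""
    if "[CAPABILITY " in line:
        return line.split("[CAPABILITY ", 1)[1].split("]", 1)[0].split()
    if line.startswith("* CAPABILITY "):
        return line[len("* CAPABILITY "):].split()
    return []


def next_client_step(caps, tls_active):
    """Client policy: credentials only ever travel inside TLS."""
    if tls_active:
        return "LOGIN"
    if "STARTTLS" in caps:
        return "STARTTLS"
    return "ABORT"  # no way to protect the password: refuse rather than send it


def run_client(server, user, password, tls_first=True):
    """Drive a server model as a client would. Returns (transcript, logged_in)."""
    transcript = [("S", server.greeting())]
    caps = parse_caps(transcript[0][1])
    counter = [0]

    def send(cmd):
        counter[0] += 1
        tagged = f"a{counter[0]:03d} {cmd}"
        transcript.append(("C", tagged))
        replies = server.handle(tagged)
        transcript.extend(("S", r) for r in replies)
        return replies

    def status_of(replies):
        return replies[-1].split()[1]  # OK / NO / BAD of the tagged response

    if not tls_first:
        # careless client: ships the password before encryption is negotiated
        return transcript, status_of(send(f"LOGIN {user} {password}")) == "OK"

    tls = False
    while True:
        step = next_client_step(caps, tls)
        if step == "ABORT":
            return transcript, False
        if step == "STARTTLS":
            if status_of(send("STARTTLS")) != "OK":
                return transcript, False
            tls = True
            # RFC 3501 6.2.1: discard cached capabilities and re-issue CAPABILITY
            caps = parse_caps(send("CAPABILITY")[0])
            continue
        return transcript, status_of(send(f"LOGIN {user} {password}")) == "OK"


if __name__ == "__main__":
    for label, server, tls_first in [
        ("careful client, strict server", ImapServerModel(), True),
        ("careless client, strict server", ImapServerModel(), False),
        ("careful client, no STARTTLS offered", ImapServerModel(offer_starttls=False), True),
    ]:
        transcript, ok = run_client(server, "ed", "hunter2", tls_first)
        print(f"== {label}: logged_in={ok}")
        for who, line in transcript:
            print(f"{who}: {line}")
```

Run it and the three sessions show the point of the thread: the careful client never emits LOGIN until after STARTTLS succeeds, the careless one gets the PRIVACYREQUIRED refusal with its password already on the wire, and a server that offers neither TLS nor LOGINDISABLED protection leaves the client with nothing better to do than abort. The "identify the client before presenting the certificate" wish from the quoted message is outside what this model covers; in later TLS versions that role is played by Server Name Indication (RFC 6066), where the client names the host it wants in its ClientHello.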