Hi Richard,
On 2009-09-03 16:38, Richard Hobbs wrote:
> Currently, on our new test server, I am offering IMAP on 143 and POP3 on 110.
> We would like to enable security on both of these protocols to attempt to eliminate the risk from an internal password-grabbing/content-grabbing attack.
> I presume this would mean enabling SSL, and a more secure authentication, right? Or are plain text passwords just sent over the SSL, and therefore perfectly secure?

Yes, plain text passwords are fine with SSL/TLS, since the connection gets secured before the password is sent.

> Also, what are the steps to enable security for these protocols on an already-configured server?
> Is it possible to offer encrypted and non-encrypted services simultaneously, so people have a choice of whether they want security or not? I know that's a bit weird, but for testing it would be useful.

No problem. Basically you just need to specify the certificate (ssl_cert_file) and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to 'protocols'.

> Finally, is there a way to monitor which users are connecting over the secure ports and which users are connecting over the non-secure ports?

You can see it in the log.
Patrick.
STAR Software (Shanghai) Co., Ltd. http://www.star-group.net/ Phone: +86 (21) 3462 7688 x 826 Fax: +86 (21) 3462 7779
PGP key: E883A005 https://stshacom1.star-china.net/keys/patrick_nagel.asc Fingerprint: E09A D65E 855F B334 E5C3 5386 EF23 20FC E883 A005
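One way to act on the "you can see it in the log" answer, as an added example that is not part of the original message: a small Python script that tallies successful logins per user by connection security. It assumes the login log format ends with the connection-security element, so that encrypted sessions carry a trailing `TLS` and trusted local ones `secured`; the log lines, host name and user names are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: the login log format ends with the
# connection-security element, giving "TLS" for encrypted sessions, "secured"
# for trusted local ones, and nothing for cleartext remote ones).
SAMPLE_LOG = """\
Sep  3 16:40:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.1, TLS
Sep  3 16:41:12 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.6, lip=10.0.0.1
Sep  3 16:42:30 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Sep  3 16:43:02 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=10.0.0.6, lip=10.0.0.1, TLS
Sep  3 16:44:47 mail dovecot: imap-login: Disconnected: user=<dave>, method=PLAIN, rip=10.0.0.9, lip=10.0.0.1
"""

# Only successful logins ("Login:") are matched; everything after the remote
# IP is kept so the trailing security flag can be inspected.
LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>"
    r".*?rip=(?P<rip>[^,\s]+)(?P<rest>.*)$"
)

def classify_logins(log_text):
    """Return {user: {"tls": n, "local": n, "plaintext": n}} for successful logins."""
    counts = defaultdict(lambda: {"tls": 0, "local": 0, "plaintext": 0})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # disconnects, failed logins, unrelated lines
        flags = {f.strip() for f in m.group("rest").split(",")}
        if "TLS" in flags:
            kind = "tls"
        elif "secured" in flags:
            kind = "local"
        else:
            kind = "plaintext"
        counts[m.group("user")][kind] += 1
    return dict(counts)

def plaintext_users(log_text):
    """Users with at least one login over an unencrypted remote connection."""
    return sorted(u for u, c in classify_logins(log_text).items() if c["plaintext"])

if __name__ == "__main__":
    for user, c in sorted(classify_logins(SAMPLE_LOG).items()):
        print(user, c)
    print("still using cleartext:", plaintext_users(SAMPLE_LOG))
```

The flag records whether the session was encrypted, not which port it arrived on, so a STARTTLS session on 143 or 110 counts as `tls` here just like one on the SSL ports.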