> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jim Stapleton
> Sent: Saturday, September 01, 2007 1:36 PM
> To: freebsd-questions@freebsd.org
> Subject: questions on setting up a mail server
>
>
> I figured I'd try cyrus, I remember hearing that one is a good mail
> server. But I'm new to the mail server thing, and I'm not even sure
> where to look for some of this stuff if anyone can help. Also, I plan
> on just doing POP3, and only allowing secure connections - if anyone
> can reccomend a good, simple server for that, that they think is
> better than Cyrus, I won't object.
>
> My main question is on authentication. I was looking at authentication
> types in kmail to get an idea of what I can use, and I found:
> Clear text
> LOGIN
> PLAIN
> CRAM-MD5
> Digest-MD5
> NTLM
> GSSAPI
> APOP
>
>
> I know clear text is not what I want - if I remember, that's
> unencrypted. Does TLS/SSL make this a non-issue? What about the other
> methdods?

Much of this depends on the mail clients that your going to be
hitting the server with.

The first group does encryption of the password only.

The TLS/SSL stuff does encryption of everything - password, mail contents,
etc.

The TLS stuff requires you put a SSL cert into the client.  Most people,
not wanting to pay Verisign for this, make their own self-signed certs.
There is a large amount of arcane magic to do this, and to get it accepted
into Windows, so that an Outlook client will do SSL.  You cannot really find
recipies out there to do it - but you can pick up bits and pieces here and
there and learn a lot about SSL and assemble a recipie.  Basically, you
want to create a self-signed root certificate, then sign your POP3
mailserver
certificate with that, and put the self-signed cert into the root store in
Windows.  Not only can you sign your pop3 certs with this, you can sign
your www, imap, pop3, smtp, etc. etc. etc. certificates with your root CA
and then you won't get bitching from your windows clients.

The first group is a different story.  If you want to get Outlook to
work with that, you can only use NTLM.  The developers of all of the
various packages dislike NTLM so they force you to use arcane makefile
options and such to build your system so that it will support NTLM.
Eudora, by contrast, supports only APOP and Netscape mail only supports
CRAM-MD5 and as I recall bugs in the clients basically make it
impossible for a server that supports all these encryption types to
work with all clients.

The honest to god truth of the matter is that encrypting your POP3
and SMTP auth passwords is difficult to do on a large scale no matter
what road you pick to do it, so there is really not a lot of point to
doing it unless your in a rather limited environment.  I would definitely
not bother in a corporate environment where you have maybe a handful of
road warriors that would be on sniffable networks - just make sure their
pop3 login and password isn't the same as their network login ID and
password and the worst a cracker can do is steal their mail.  whop
de do.  Chances are far more likely their laptops will be busted into
by a robot loaded on the laptop that sniffs keystrokes.  By contrast in
a creaky old college network with a bunch of dumb network hubs and a
couple dormotories full of jerkoffs looking to prove they are
hackers, you probably would want to encrypt it via SSL.

Ted

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to