BBC 'vague' reporting again!

Ian Batten ukcrypto at chiark.greenend.org.uk
Thu, 4 Dec 2008 07:06:39 +0000


On 4 Dec 2008, at 05:00, Roland Perry wrote:

> In article <20081203171238.321ab6be@peterson.fenrir.org.uk>, Brian  
> Morrison <bdm@fenrir.org.uk> writes
>>> In theory I can exchange email with my office (aka home) on an ssh
>>> tunnel and therefore have no ISP servers, or external unencrypted
>>> traffic, involved at all. But it's all a bit too fiddly.
>>
>> It is? Surely it just happens automagically with very little
>> configuration by simply ticking SSL and TLS modes in all the software
>> that has them?
>
> I don't have such options on either my email client or email server.

Although it's becoming increasingly common.  Most vendors now ship  
sendmail, for example, with all the TLS stuff compiled in, and even a  
self-signed certificate (and perhaps not even that in recent versions)  
is sufficient for opportunistic encryption, albeit with a lot of  
caveats as to what it's actually offering.  Any client or server  
connecting in to pass mail to such a server will be offered STARTTLS.  
The same goes for most of the major IMAP servers: they might offer  
imaps, but they'll almost certainly offer STARTTLS.

Most of the mainstream clients now support TLS --- what are you using?  
--- and some will take it if it's going, unasked.    So if you point  
Apple Mail or even the iPhone mail client at a server that offers IMAP 
+TLS and/or SMTP+TLS, they'll probably take it unbidden, or if not  
it's simply a matter of checking the tickbox.  The iPhone client is a  
little pickier about certificates and will make a bit more of a fuss  
about a self-signed one, though.

The story isn't complete.  I don't know of a vendor which ships  
sendmail/etc with SASL2 support compiled in, which makes integration  
of an smtp server and an imap server a little trickier.    If you're  
doing remote mail submission it's pretty irresponsible not to use SMTP  
authentication, so this is a bit of an omission.

Even if you compile it all yourself, if you're doing privilege  
separation most of the solutions hit problems if you want both your  
SMTP and IMAP processing to run with standard, disjoint user  
privileges but you also want to have a single authentication back  
end.  batten.eu.org's solution is to run a MySQL database lashed  
together behind both sendmail and cyrus, for all of the huge number of  
users it supports: not because I need a database but because it's the  
only way I could see which didn't involve either having the  
authentication database in mode 777 or having cyrus and sendmail share  
a group.  As things stand, there's a mysql authentication  
username/password en clair in the config files for both applications,  
which is hardly a step forward.

ian

> mysql> select count(*) from users;
> +----------+
> | count(*) |
> +----------+
> |       10 |
> +----------+
> 1 row in set (0.00 sec)
>
> mysql>
>
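The two properties the message turns on, whether a submission server advertises STARTTLS and whether it will take a password before the connection is encrypted, can be read straight off the EHLO capability list. The following is an added example, not code from the post or from sendmail; the EHLO replies are constructed, and the server name `mail.example.org` is a placeholder.

```python
"""Audit constructed SMTP EHLO replies for STARTTLS and pre-TLS AUTH (added example)."""
from __future__ import annotations

# Constructed EHLO replies, not captures from any real server.
GOOD_PRE = "250-mail.example.org Hello client\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 HELP\r\n"
GOOD_POST = "250-mail.example.org Hello client\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"
BAD_PRE = "250-mail.example.org Hello client\r\n250-AUTH PLAIN LOGIN\r\n250 HELP\r\n"


def parse_ehlo(reply: str) -> dict[str, list[str]]:
    """Turn a multi-line 250 reply into {KEYWORD: [params]}; line 1 is the greeting."""
    caps: dict[str, list[str]] = {}
    for i, line in enumerate(reply.strip().splitlines()):
        # Every line is "250-..." (more to come) or "250 ..." (last line).
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"not a 250 reply line: {line!r}")
        if i == 0:
            continue  # greeting, carries no capability
        parts = line[4:].split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def assess(before_tls: str, after_tls: str | None = None) -> list[str]:
    """Findings for the capabilities seen before and (optionally) after STARTTLS.

    An advertised STARTTLS only says encryption is on offer; it says nothing about
    whether the certificate will verify, which is the opportunistic-TLS caveat.
    """
    findings: list[str] = []
    pre = parse_ehlo(before_tls)
    if "STARTTLS" not in pre:
        findings.append("no STARTTLS: submission and relay run in clear")
    if "AUTH" in pre:
        weak = sorted(set(pre["AUTH"]) & {"PLAIN", "LOGIN"})
        if weak:
            findings.append(f"AUTH {' '.join(weak)} offered before TLS: passwords would cross the wire en clair")
    if after_tls is not None and "AUTH" not in parse_ehlo(after_tls):
        findings.append("no AUTH after STARTTLS: remote submission cannot be authenticated")
    return findings


if __name__ == "__main__":
    print("good server:", assess(GOOD_PRE, GOOD_POST) or "no findings")
    print("bad server: ", assess(BAD_PRE))
```

Against a live server the same two functions would be fed the reply to EHLO before and after issuing STARTTLS; here they run on the constructed samples only.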