Date: Sun, 14 Jul 2002 09:36:00 +0200
From: Bernd Walter <ticso@cicely5.cicely.de>
To: Terry Lambert <tlambert2@mindspring.com>
Cc: Gregory Neil Shapiro <gshapiro@FreeBSD.ORG>, freebsd-arch@FreeBSD.ORG
Subject: Re: Mail subsystem defaults, adding authentication.
Message-ID: <20020714073559.GY63545@cicely5.cicely.de>
In-Reply-To: <3D30C4DA.22A255A8@mindspring.com>
References: <20020713034725.GB47677@ussenterprise.ufp.org> <3D2FAFB2.E2E9CF36@mindspring.com> <20020713045704.GA49379@ussenterprise.ufp.org> <3D300FD4.7479A8E5@mindspring.com> <15664.47827.844708.151118@monkeyboy.gshapiro.net> <3D30C4DA.22A255A8@mindspring.com>
On Sat, Jul 13, 2002 at 05:24:59PM -0700, Terry Lambert wrote:
> > You can (and should) use STARTTLS with SMTP AUTH PLAIN/LOGIN and do not
> > (and should not) use SMTP over SSL as it is non-standard.
>
> IMO, this is broken.  Here's why: Implementation of SSL in the
> kernel is a foregone conclusion.  It is a matter of "when", not
> "if", due to work like that of Sam Leffler's recent porting of
> the OpenBSD crypto hardware interface framework to FreeBSD.
>
> Basically, asking for conversion of a socket from one type to
> another is not something that will necessarily be supportable.

With SSL you still do a normal socket connect anyway and then call
SSL_connect/accept on the already existing connection.
What's the matter with exchanging packets before doing that?
Does that mean that the SSL API changes?

> The whole "STARTTLS" thing was introduced to kludge around the
> lack of IPSEC support in IPv4.  Even if you argue that it's an
> issue for IPv4 because IPSEC bloats the hell out of IPv4 even
> when it's not being used, IPv6 requires implementation of IPSEC
> for it to be called an IPv6 implementation.
>
> This means that the days of transport crypto decisions like
> this one, and the code to implement it, living in user space
> are numbered, no matter what.

I'm not a cryptographic expert, but I wouldn't prefer a packet
encryption over a stream encryption.

> I know the sendmail folks don't like SMTP over SSL, but...
> there is an IANA assigned number in /etc/services for it,
> which makes it about as standard as it can be; I don't think
> SSL RFC policy requires a per protocol SSL usage RFC for SSL
> to be used (that wouldn't make sense, in terms of promoting
> the adoption of SSL).

With STARTTLS you can probe for SSL in MTA - MTA communications.
MTAs connect to foreign SMTP servers and want to prefer SSL.
It's impractical to try a connect to the smtps port first with all those
blackhole firewalls out there.

The only downside with STARTTLS is that it makes it almost impossible
to use external SSL boxes.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de
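The two connection models argued over in this thread, as an added worked example that is not code from the thread, from sendmail or from FreeBSD. It runs offline against a scripted in-memory MTA (the `FakeMTA` class, the hostnames `mx.example.test` and `client.example.test`, and the `require_tls` knob are all constructed for the example). The TLS handshake itself is replaced by a marker in the transcript; in real code that is where `ssl_ctx.wrap_socket(sock, server_hostname=...)` would be called on the already-connected TCP socket. What the example shows is the in-band probing that STARTTLS allows (the client learns from the EHLO reply whether the peer offers TLS, on the same connection it would use for cleartext) versus implicit TLS on the smtps port, where the handshake precedes the 220 greeting and support can only be discovered by trying the port.

```python
"""Opportunistic STARTTLS (RFC 3207) versus implicit TLS ("smtps"), against an
in-memory fake MTA.  Everything here is constructed for illustration; no
network traffic is generated."""

from dataclasses import dataclass, field


class FakeMTA:
    """Scripted server side.  `supports_starttls` controls whether the EHLO
    reply advertises the extension; `tls_active` models whether the
    connection has already been upgraded."""

    def __init__(self, supports_starttls=True):
        self.supports_starttls = supports_starttls
        self.tls_active = False

    def greeting(self):
        return "220 mx.example.test ESMTP"

    def handle(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            caps = ["250-mx.example.test", "250-PIPELINING"]
            # RFC 3207: STARTTLS is only advertised while the session is in the clear.
            if self.supports_starttls and not self.tls_active:
                caps.append("250-STARTTLS")
            caps.append("250 8BITMIME")          # final line uses "250 " (space)
            return caps
        if verb == "STARTTLS":
            if self.tls_active or not self.supports_starttls:
                return ["454 TLS not available due to temporary reason"]
            self.tls_active = True               # server now expects a handshake
            return ["220 Ready to start TLS"]
        if verb == "QUIT":
            return ["221 Bye"]
        return ["500 Unrecognized command"]


@dataclass
class Session:
    tls: bool = False
    caps_before: list = field(default_factory=list)   # extensions seen in the clear
    caps_after: list = field(default_factory=list)    # extensions seen over TLS
    transcript: list = field(default_factory=list)    # ("C"|"S"|"*", line)


def parse_ehlo(lines):
    """Return (ok, extensions).  Continuation lines are '250-', the last is '250 '."""
    if not lines or lines[-1][:4] != "250 ":
        return False, set()
    # lines[0] carries the server name, the rest are extension keywords.
    return True, {l[4:].split(" ")[0].upper() for l in lines[1:]}


def _send(server, session, cmd):
    session.transcript.append(("C", cmd))
    reply = server.handle(cmd)
    session.transcript.extend(("S", r) for r in reply)
    return reply


def deliver_with_starttls(server, client_name="client.example.test", require_tls=False):
    """Client side of STARTTLS: EHLO, upgrade if offered, then EHLO again,
    because RFC 3207 requires discarding everything learnt before the upgrade."""
    s = Session()
    s.transcript.append(("S", server.greeting()))
    ok, exts = parse_ehlo(_send(server, s, f"EHLO {client_name}"))
    if not ok:
        raise RuntimeError("EHLO rejected")
    s.caps_before = sorted(exts)
    if "STARTTLS" in exts and _send(server, s, "STARTTLS")[0].startswith("220"):
        # Real code: wrap the existing socket here and verify the peer
        # certificate before sending anything further.
        s.tls = True
        s.transcript.append(("*", "<TLS handshake on the existing TCP connection>"))
        ok, exts = parse_ehlo(_send(server, s, f"EHLO {client_name}"))
        s.caps_after = sorted(exts)
    if require_tls and not s.tls:
        # The 250-STARTTLS advertisement travels in cleartext, so a client that
        # must not fall back to plaintext has to enforce that itself.
        _send(server, s, "QUIT")
        raise RuntimeError("peer did not offer STARTTLS; refusing cleartext delivery")
    _send(server, s, "QUIT")
    return s


def deliver_over_smtps(server, client_name="client.example.test"):
    """Implicit TLS on the smtps port: the handshake happens right after the TCP
    connect, before the 220 greeting.  Nothing is ever sent in the clear, but
    support cannot be discovered in-band; the client must try the port first."""
    s = Session(tls=True)
    s.transcript.append(("*", "<TLS handshake immediately after TCP connect>"))
    server.tls_active = True
    s.transcript.append(("S", server.greeting()))
    ok, exts = parse_ehlo(_send(server, s, f"EHLO {client_name}"))
    if not ok:
        raise RuntimeError("EHLO rejected")
    s.caps_after = sorted(exts)
    _send(server, s, "QUIT")
    return s


if __name__ == "__main__":
    for tag, line in deliver_with_starttls(FakeMTA()).transcript:
        print(tag, line)
```

The `require_tls` branch is the check worth keeping from this: because the STARTTLS offer is negotiated in the clear, an MTA that prefers TLS but does not insist on it will silently deliver in plaintext to any peer whose EHLO reply lacks `250-STARTTLS`, whether the peer really lacks it or something in the path removed it.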