From owner-freebsd-arch Sun Jul 14 0:36:11 2002
Date: Sun, 14 Jul 2002 09:36:00 +0200
From: Bernd Walter
To: Terry Lambert
Cc: Gregory Neil Shapiro, freebsd-arch@FreeBSD.ORG
Subject: Re: Mail subsystem defaults, adding authentication.
Message-ID: <20020714073559.GY63545@cicely5.cicely.de>
Reply-To: ticso@cicely.de
In-Reply-To: <3D30C4DA.22A255A8@mindspring.com>
References: <20020713034725.GB47677@ussenterprise.ufp.org> <3D2FAFB2.E2E9CF36@mindspring.com> <20020713045704.GA49379@ussenterprise.ufp.org> <3D300FD4.7479A8E5@mindspring.com> <15664.47827.844708.151118@monkeyboy.gshapiro.net> <3D30C4DA.22A255A8@mindspring.com>
X-Operating-System: FreeBSD cicely5.cicely.de 5.0-CURRENT i386
User-Agent: Mutt/1.5.1i

On Sat, Jul 13, 2002 at 05:24:59PM -0700, Terry Lambert wrote:
> > You can (and should) use STARTTLS with SMTP AUTH PLAIN/LOGIN and do not
> > (and should not) use SMTP over SSL as it is non-standard.
>
> IMO, this is broken.  Here's why:  Implementation of SSL in the
> kernel is a foregone conclusion.  It is a matter of "when", not
> "if", due to work like that of Sam Leffler's recent porting of
> the OpenBSD crypto hardware interface framework to FreeBSD.
>
> Basically, asking for conversion of a socket from one type to
> another is not something that will necessarily be supportable.

With SSL you still do a normal socket connect anyway and then call
SSL_connect/accept on the already existing connection.
What's the matter with exchanging packets before doing that?
Does that mean that the SSL API changes?

> The whole "STARTTLS" thing was introduced to kludge around the
> lack of IPSEC support in IPv4.  Even if you argue that it's an
> issue for IPv4 because IPSEC bloats the hell out of IPv4 even
> when it's not being used, IPv6 requires implementation of IPSEC
> for it to be called an IPv6 implementation.
>
> This means that the days of transport crypto decisions like
> this one, and the code to implement it, living in user space
> are numbered, no matter what.

I'm not a cryptographic expert, but I wouldn't prefer a packet
encryption over a stream encryption.

> I know the sendmail folks don't like SMTP over SSL, but...
> there is an IANA assigned number in /etc/services for it,
> which makes it about as standard as it can be; I don't think
> SSL RFC policy requires a per protocol SSL usage RFC for SSL
> to be used (that wouldn't make sense, in terms of promoting
> the adoption of SSL).

With STARTTLS you can probe for SSL in MTA-MTA communications.
MTAs connect to foreign SMTP servers and want to prefer SSL.
It's impractical to try a connect to the smtps port first with all
those blackhole firewalls out there.
The only downside with STARTTLS is that it makes it almost impossible
to use external SSL boxes.

-- 
B.Walter              COSMO-Project         http://www.cosmo-project.de
ticso@cicely.de         Usergroup           info@cosmo-project.de
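The STARTTLS sequence the mail describes, written out as an added example (this is not code from the thread or from sendmail): the client connects with a plain socket, exchanges the SMTP greeting, EHLO and STARTTLS on it, and only after the server's 220 reply does it hand that same socket to `ssl` for the handshake. It also shows the MTA-side probe the mail mentions, reading the EHLO reply to learn whether the peer offers STARTTLS, plus a `policy` switch (an assumption of this example, not something in the mail) so an MTA that merely prefers TLS can fall back to plaintext while one that requires it aborts instead. The scripted peer, the `example.test` hostnames and the EHLO replies are constructed for offline runs; the scripted peer stops where a real server would begin the TLS server handshake, since a real certificate is needed for that.

```python
import socket
import ssl
import threading

# Constructed EHLO replies in RFC 5321/3207 syntax (sample data, not captured traffic).
EHLO_WITH_STARTTLS = [
    "250-mail.example.test Hello client",
    "250-SIZE 10485760",
    "250-STARTTLS",
    "250 8BITMIME",
]
EHLO_WITHOUT_STARTTLS = [
    "250-mail.example.test Hello client",
    "250 8BITMIME",
]


def parse_ehlo(lines):
    """Return the EHLO keywords (upper-cased) from a 250 multi-line reply."""
    exts = set()
    for line in lines[1:]:  # first line names the server, not an extension
        words = line[4:].split()
        if words:
            exts.add(words[0].upper())
    return exts


def read_reply(rfile):
    """Read one SMTP reply as (code, lines); continuation lines carry 'NNN-'."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("peer closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def negotiate_tls(sock, policy="require", my_name="client.example.test"):
    """Greeting/EHLO/STARTTLS over an already-connected plain socket.
    Returns "upgrade" (server said 220 to STARTTLS; caller wraps the same socket),
    "plaintext" (no STARTTLS and policy is "opportunistic") or "abort" (policy "require")."""
    rfile = sock.makefile("rb")
    try:
        code, _ = read_reply(rfile)
        if code != 220:
            raise ConnectionError(f"unexpected greeting {code}")
        sock.sendall(f"EHLO {my_name}\r\n".encode("ascii"))
        code, lines = read_reply(rfile)
        if code != 250:
            raise ConnectionError(f"EHLO rejected with {code}")
        if "STARTTLS" not in parse_ehlo(lines):
            if policy == "require":
                sock.sendall(b"QUIT\r\n")
                return "abort"
            return "plaintext"
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(rfile)
        if code != 220:
            return "abort" if policy == "require" else "plaintext"
        return "upgrade"
    finally:
        rfile.close()  # drops the buffered reader; the socket stays open for TLS


def wrap_after_starttls(sock, server_hostname):
    """The step the mail describes: TLS handshake on the socket that already spoke SMTP."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    return ctx.wrap_socket(sock, server_hostname=server_hostname)


def fake_server(sock, ehlo_lines):
    """Scripted peer for offline runs; it stops where a real server would start TLS."""
    rfile = sock.makefile("rb")
    sock.sendall(b"220 mail.example.test ESMTP\r\n")
    while True:
        raw = rfile.readline()
        if not raw:  # client hung up (plaintext or abort path)
            break
        cmd = raw.decode("ascii", "replace").strip().upper()
        if cmd.startswith("EHLO"):
            sock.sendall(("\r\n".join(ehlo_lines) + "\r\n").encode("ascii"))
        elif cmd == "STARTTLS":
            sock.sendall(b"220 Ready to start TLS\r\n")
            break


def run_client(ehlo_lines, policy):
    """Drive negotiate_tls against the scripted server over a socketpair; return its decision."""
    client, server = socket.socketpair()
    peer = threading.Thread(target=fake_server, args=(server, ehlo_lines))
    peer.start()
    try:
        return negotiate_tls(client, policy)
    finally:
        client.close()
        peer.join()
        server.close()
```

`run_client(EHLO_WITH_STARTTLS, "require")` returns `"upgrade"`, after which a real client would call `wrap_after_starttls(sock, "mail.example.test")` on the very socket it has been using; against `EHLO_WITHOUT_STARTTLS` the result is `"abort"` under `"require"` and `"plaintext"` under `"opportunistic"`, which is the trade-off an MTA makes when it only prefers TLS rather than insisting on it.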