SUMMARY: IMAP encryption...

From: Dan Kirkpatrick <dkirk_at_suhep.phy.syr.edu>
Date: Mon, 29 Jun 1998 09:56:41 -0400

Original Message at bottom...

Thanks to:
most of all--- the author of UW IMAP: Mark Crispin
Brian_ONeill_at_uml.edu (Brian O'Neill)
Ann Cantelow <cantelow_at_athena.csdco.com>
Saul Tannenbaum <stannenb_at_emerald.tufts.edu>

Answers:
SSL is only supported with Netscape Server side.

Use SSH (http://www.ssh.org), but I don't know if this can be used with
clients such as Eudora, Netscape Messenger, MS Outlook.... anyone know?

One said to take a look at http://www.dtcc.edu/cs/admin/notes/ssl/ for an
interesting approach, using SSL with imap even though UW IMAP doesn't
support it (yet!)

And the author responded:
>This is a difficult issue. The problems are not so much technical as they
>are political.
>
>Because of the reprehensible and unconstitutional policies of the Clinton
>regime, it is legally impossible for me to offer a secure means of
>authenticating a UNIX password. The technology exists (it's called PASSDSS)
>but I would end up under federal indictment if I distributed free source code
>that implements it. UW is *not* in the business of trying to determine
>who is a US citizen and who is not.
>
>I am not volunteering to be the sacrificial lamb to fight this policy either.
>
>The problem with APOP and CRAM-MD5 is that it requires that the password be
>stored in what is effectively plaintext on the server. You can not use the
>standard UNIX password with these technologies.
>
>Let me emphasize that if the APOP or CRAM-MD5 password file is ever stolen by
>a cracker, he has *ALL* of your system's passwords. Not just the bad easily
>crackable passwords (as in what happens if /etc/passwd is stolen).
>
>I plan on offering support for CRAM-MD5 and possibly APOP but it will be
>turned off by default.
>
>Both SSL and Kerberos require that you get the software to support these from
>elsewhere. I distribute with supported linkage for Kerberos V, and
>unsupported linkage for Kerberos IV, now. By "linkage" I mean that I do not
>distribute Kerberos, but rather once you install Kerberos from elsewhere
>(usually MIT), you will have everything you need to rebuild my software with
>Kerberos.
>
>I plan on offering linkage for SSL as well.
>
>
>We will NOT distribute any binaries with Kerberos or SSL. It is possible
>that MIT may distribute a PC Pine binary with Kerberos and/or SSL for us.
>
>
>In my opinion, Kerberos and/or SSL are probably the best choices of a bad
>lot.
>They will require substantial additional effort on your part, but at least
>they are comprehensive for all services.
>
>APOP and CRAM-MD5 are simpler, but they are only for POP or IMAP and they
>require an insecure password database.
>
>There is another technology called OTP (one time password) which is more
>secure than APOP/CRAM-MD5 and less hassle than SSL/Kerberos. The problem is
>that you still need a separate database, and the password presently expires
>after a certain number of uses. For people with POP clients that connect
>every 5 minutes, that's disastrous.
>
>The ideal would be to do PASSDSS. I have talked to friends of mine in free
>countries, but so far nobody has written an implementation yet. I doubt that
>there is any chance of a change in US encryption policy until after the
>November elections.
>
>I'm not holding my breath though.
>
Original Message:
-----------------------------------------
>Any experiences of IMAP/POP encryption of passwords?
>
>I got the IMAP/POP server from
>University of Washington at http://www.washington.edu/imap/
>and got it installed and working with standard plaintext passwords....
>although I don't know where to find more information on password
>encryption choices and possibly more info & help files than the standard
>IMAP server package I got.
>
>It lists encryption of:
># The following extra authenticators are defined:
># krb Kerberos IV (client-only)
># gss GSSAPI/Kerberos V
># The following plaintext login types are defined:
># afs AFS authentication
># dce DCE authentication
># krb Kerberos IV (must also have krb as an extra authentication)
># std system standard
>
>Netscape Communicator says "Server supports encrypted connections (SSL)"
>but nothing else
>
>Eudora says:
> POP: Password (plaintext I assume), APOP, Kerberos, RPA
> IMAP:Password (plaintext I assume) and CRAM_MD5
>
>What's a decent standard?
>How can I get an IMAP/POP server to support encryption for netscape,
>outlook and clients like eudora?
>
>Thanks!
>Dan
--------------------------------------------------------------------------
Dan Kirkpatrick dkirk_at_phy.syr.edu
Systems Administrator/Manager
Department of Physics
Syracuse University, Syracuse, NY
http://www.phy.syr.edu/~dkirk Fax: (315) 443-9103
Personal: http://www.geocities.com/heartland/6540/
--------------------------------------------------------------------------
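Added example (not code from this thread or from UW IMAP) illustrating Mark Crispin's point above: a minimal CRAM-MD5 (RFC 2195) exchange in which the server can only verify a response by holding the user's password in cleartext, so a copied secret file is as good as the passwords, while a one-way hash such as the one in /etc/passwd cannot serve as the HMAC key. The account name, password, hostname and salt are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import time

def make_challenge(hostname: str) -> bytes:
    """Server side: RFC 2195 challenge of the form '<unique@host>'."""
    return f"<{secrets.randbits(32)}.{int(time.time())}@{hostname}>".encode()

def client_response(username: str, password: str, challenge: bytes) -> str:
    """Client side: HMAC-MD5 keyed by the password; the password itself never crosses the wire."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()

def server_verify(secret_db: dict, challenge: bytes, response_b64: str) -> bool:
    """Server side: recomputes the same HMAC, so secret_db must map each
    username to the cleartext (or an equivalent) password."""
    username, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    password = secret_db.get(username)
    if password is None:
        return False
    expected = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)

def unix_style_hash(password: str, salt: bytes) -> bytes:
    """One-way salted store, standing in for the crypt(3) hash in /etc/passwd.
    A CRAM-MD5 server cannot verify against this: HMAC needs the password as key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def demo() -> dict:
    # Constructed sample account, not a real one.
    secret_db = {"dkirk": "correct horse battery staple"}
    chal = make_challenge("imap.example.edu")
    good = server_verify(secret_db, chal, client_response("dkirk", secret_db["dkirk"], chal))
    bad = server_verify(secret_db, chal, client_response("dkirk", "wrong-password", chal))
    # A copy of secret_db taken off the server answers every later challenge
    # for every user: the file is the passwords, which is Crispin's warning.
    leaked_copy = dict(secret_db)
    later = make_challenge("imap.example.edu")
    leak_logs_in = server_verify(secret_db, later, client_response("dkirk", leaked_copy["dkirk"], later))
    # A one-way hash is not the HMAC key, so a copy of it does not log in.
    hashed = unix_style_hash(secret_db["dkirk"], b"constructed-salt").hex()
    hash_logs_in = server_verify(secret_db, later, client_response("dkirk", hashed, later))
    return {"good": good, "bad": bad, "leak_logs_in": leak_logs_in, "hash_logs_in": hash_logs_in}
```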
Received on Mon Jun 29 1998 - 15:57:29 NZST