Recommended way to secure email server?

Stewart Stremler bofh at stremler.net
Thu Jul 7 16:29:27 PDT 2005


begin  quoting Gregory K. Ruiz-Ade as of Thu, Jul 07, 2005 at 03:24:59PM -0700:
> On Jul 7, 2005, at 12:12 PM, Andrew Lentvorski wrote:
> 
> >Repeating this query as I got *zero* responses.
> 
> Which sometimes means everyone else is just as stumped as you. :)
 
...and waiting on an answer...

> Honestly, I've never heard of a password-less cert-based auth system  
> for email before, at least not one that's actually supported by any  
> mail clients I know.
 
My experience with cert-only-access was with Netscape, and I have a
password set down in the guts there.  But it apparently isn't *needed*
for the actual authentication...

And as that's Netscape, one would hope that Netscape-derived systems
would not have lost this functionality.

> I imagine it should be possible if you do a little hacking and force  
> both the clients and the server to force mutual certificate  
> authentication, but then you'll need some backend on the IMAP server  
> that will take the authenticated cert from the client system and  
> match that to a user account.

What's the little phrase? Identification, Authentication, Authorization?

I thought that IMAP already provided the identification, and the 
password was the authentication aspect.  As I understand it, it's
just the authentication piece that needs to be replaced. Or is my
foggy notion of how that works all messed up again?

>                                It's possible Cyrus IMAP and SASL will  
> do this for you.  Likewise, it should be relatively easy to do the  
> same with sendmail or postfix via SASL, if the mechanics for this are  
> entirely within the SASL infrastructure.
> 
> The other trick is configuring your mail client of choice to use a  
> specific SSL cert for its IMAP and SMTP connections.

That's always the trick.

All the literature I can find keeps leading back to Verisign promotional
stuff. Bleah.

-Stewart "Probably all laid out in an X.500 document somewhere" Stremler
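The backend step Gregory describes (taking the client certificate the TLS layer has already authenticated and matching it to a user account), split along Stewart's identification / authentication / authorization line, as an added Python example. This is not code from the thread, from Cyrus, SASL, sendmail or postfix; it assumes the IMAP front end has completed a mutual-TLS handshake with `verify_mode=CERT_REQUIRED` against a private CA, so the peer certificate dictionary (in the shape Python's `ssl.SSLSocket.getpeercert()` returns) is trustworthy. The certificate contents, the CA name `Example Mail Client CA`, the account table and the `ca_file` path are constructed samples, not real values.

```python
"""Map an authenticated TLS client certificate to a mail account.

Added example, not code from the thread or any mail server.  Assumption:
the TLS handshake already verified the client cert against a private CA
(authentication).  What is left is identification (which account does
this cert name?) and authorization (may that account log in?)."""
import ssl
import time

# Constructed sample of what ssl.SSLSocket.getpeercert() returns for a
# client certificate issued by a private CA.  Not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "Alice Example"),),),
    "issuer": ((("organizationName", "Example Mail CA"),),
               (("commonName", "Example Mail Client CA"),)),
    "subjectAltName": (("email", "alice@example.org"),),
    "notBefore": "Jan  1 00:00:00 2005 GMT",
    "notAfter": "Dec 31 23:59:59 2006 GMT",
    "serialNumber": "0A1B2C",
}

# Constructed account table: SAN e-mail address -> (mailbox user, enabled).
ACCOUNTS = {
    "alice@example.org": ("alice", True),
    "bob@example.org": ("bob", False),   # constructed disabled account
}

TRUSTED_ISSUER_CN = "Example Mail Client CA"   # assumption: your CA's CN

# A fixed "now" inside the sample cert's validity window, so the demo is
# deterministic (the thread's own date).
SAMPLE_NOW = ssl.cert_time_to_seconds("Jul  7 16:29:27 2005 GMT")


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def identify(peercert):
    """Identification: return the e-mail address the cert names, or None.

    The rfc822Name SAN is used rather than the CN, because the CN is free
    text and two certificates could carry the same one."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "email":
            return value.lower()
    return None


def map_cert_to_account(peercert, accounts=ACCOUNTS,
                        trusted_issuer_cn=TRUSTED_ISSUER_CN, now=None):
    """Return the mailbox user for an authenticated client cert, or None.

    Rejects certs from an unexpected issuer, certs outside their validity
    window, certs that name no known address, and disabled accounts."""
    now = time.time() if now is None else now
    issuer_cn = _rdn_value(peercert.get("issuer", ()), "commonName")
    if issuer_cn != trusted_issuer_cn:
        return None
    not_before = ssl.cert_time_to_seconds(peercert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peercert["notAfter"])
    if not (not_before <= now <= not_after):
        return None
    address = identify(peercert)
    if address is None:
        return None
    entry = accounts.get(address)
    if entry is None or not entry[1]:   # authorization: unknown or disabled
        return None
    return entry[0]


def make_server_context(ca_file):
    """Server-side SSLContext that demands a client cert signed by the CA
    in ca_file (a hypothetical path; this function is not called here)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


if __name__ == "__main__":
    print(map_cert_to_account(SAMPLE_PEERCERT, now=SAMPLE_NOW))  # alice
```

The issuer check matters even after a successful handshake: a context that trusts several CAs would otherwise accept a certificate with a matching e-mail SAN from any of them, so the mapping re-checks which CA vouched for the name before consulting the account table.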