Recommended way to secure email server?
bofh at stremler.net
Thu Jul 7 16:29:27 PDT 2005
begin quoting Gregory K. Ruiz-Ade as of Thu, Jul 07, 2005 at 03:24:59PM -0700:
> On Jul 7, 2005, at 12:12 PM, Andrew Lentvorski wrote:
> >Repeating this query as I got *zero* responses.
> Which sometimes means everyone else is just as stumped as you. :)
...and waiting on an answer...
> Honestly, I've never heard of a password-less cert-based auth system
> for email before, at least not one that's actually supported by any
> mail clients I know.
My experience with cert-only-access was with Netscape, and I have a
password set down in the guts there. But it apparently isn't *needed*
for the actual authentication...
And as that's Netscape, one would hope that Netscape-derived systems
would not have lost this functionality.
> I imagine it should be possible if you do a little hacking and force
> both the clients and the server to force mutual certificate
> authentication, but then you'll need some backend on the IMAP server
> that will take the authenticated cert from the client system and
> match that to a user account.
What's the little phrase? Identification, Authentication, Authorization?
I thought that IMAP already provided the identification, and the
password was the authentication aspect. As I understand it, it's
just the authentication piece that needs to be replaced. Or is my
foggy notion of how that works all messed up again?
> It's possible Cyrus IMAP and SASL will
> do this for you. Likewise, it should be relatively easy to do the
> same with sendmail or postfix via SASL, if the mechanics for this are
> entirely within the SASL infrastructure.
> The other trick is configuring your mail client of choice to use a
> specific SSL cert for its IMAP and SMTP connections.
That's always the trick.
All the literature I can find keeps leading back to Verisign promotional
-Stewart "Probably all laid out in an X.500 document somewhere" Stremler
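
The backend step discussed in this thread (take the client certificate the TLS layer has already verified and match it to a user account, with the certificate standing in for the password) can be sketched as follows. This is an added example, not code from the post or from any mail server; the function names, the account table and the sample certificate are constructed for illustration, and the certificate is assumed to carry the user's address as an e-mail subjectAltName.

```python
import ssl

# Constructed mapping of certificate e-mail identities to local mailboxes.
CERT_TO_ACCOUNT = {"alice@example.org": "alice", "bob@example.org": "bob"}

def make_server_context(ca_file, cert_file, key_file):
    """TLS context that refuses any client lacking a cert signed by ca_file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # starts with no trusted CAs
    ctx.verify_mode = ssl.CERT_REQUIRED            # mutual authentication
    ctx.load_verify_locations(cafile=ca_file)      # only CA trusted for clients
    ctx.load_cert_chain(cert_file, key_file)       # the server's own identity
    return ctx

def account_for_cert(peercert, table=CERT_TO_ACCOUNT):
    """Map the dict from SSLSocket.getpeercert() to a local account, or None."""
    if not peercert:  # None: no cert was sent; {}: the cert was not validated
        return None
    emails = {value.lower()
              for kind, value in peercert.get("subjectAltName", ())
              if kind == "email"}
    if len(emails) != 1:  # missing or ambiguous identity: refuse
        return None
    # Explicit table lookup; nothing is guessed from the name in the cert.
    return table.get(emails.pop())

def login(peercert, claimed_user, table=CERT_TO_ACCOUNT):
    """The client names a mailbox (identification); the verified cert must map
    to that same mailbox (authentication). No password is consulted."""
    account = account_for_cert(peercert, table)
    return account is not None and account == claimed_user

# Constructed sample in the shape getpeercert() returns after verification.
ALICE_CERT = {
    "subject": ((("commonName", "Alice Example"),),),
    "subjectAltName": (("email", "Alice@Example.org"),),
}

if __name__ == "__main__":
    print(login(ALICE_CERT, "alice"), login(ALICE_CERT, "bob"))
```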