There are reasons that SSL went to v3 (and SSH to v2, Kerberos to v5, etc). Most are probably of only theoretical interest, but in a very high security environment, it's valid to worry about such things. Personally and for the Brandeis production servers, I currently don't.
You can disable SSLv2 or specific crypto algorithms at OpenSSL build time. I don't know if it's possible to do it at link or run time. If he's on a platform where he's compiling everything from source anyway, Andrew should read through the OpenSSL docs and configure OpenSSL appropriately. If he's using vendor binaries of *anything* and recompiling basic packages would be a hassle, then he should read enough about crypto to tell auditors that he's made an informed decision. Clients that support both v2 and v3 will always use v3, so the fact that the server supports v2 is only an issue if you're worried about fairly determined man-in-the-middle attackers. For best security, as Mark said, use TLS on 143, but your choice of IMAP clients will be limited.

--
Rich Graves <[EMAIL PROTECTED]>
UNet Systems Administrator

_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
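The post leaves open whether old protocol versions can be switched off at run time rather than at OpenSSL build time, and recommends TLS on port 143 (STARTTLS) for IMAP. The following is an added example, not code from the original post or from the imap-uw project: it uses Python's `ssl` module, which wraps OpenSSL's `SSL_CTX_set_options`/`SSL_CTX_set_min_proto_version`, to build a client context that refuses anything below TLS 1.2 at run time, and then uses that context for an IMAP STARTTLS connection. Current OpenSSL releases contain no SSLv2 code at all, so pinning a minimum version is the modern run-time equivalent of the build-time exclusion the post describes. The host name `imap.example.invalid` and the helper names are assumptions for illustration; the connect function needs a network and is not exercised offline.

```python
import ssl
import imaplib


def hardened_context():
    """Client-side TLS context that rejects SSLv2/SSLv3/TLS 1.0/TLS 1.1 at run time.

    PROTOCOL_TLS_CLIENT already enables hostname checking and CERT_REQUIRED;
    minimum_version is enforced by OpenSSL during the handshake, so a server
    offering only an older version gets a handshake failure, not a downgrade.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_default_certs()  # system CA store; no network access needed
    return ctx


def minimum_version_name(ctx):
    """Return the configured floor as a string, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def allows_protocol(ctx, name):
    """True if the context would negotiate the named version (e.g. 'SSLv3').

    Useful as an audit check: it answers "would this process still speak X?"
    from the live configuration rather than from build flags.
    """
    version = ssl.TLSVersion[name]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or version >= lo
    below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
    return above_floor and below_ceiling


def connect_imap_starttls(host, port=143):
    """Open a plaintext IMAP session on 143 and upgrade it with STARTTLS.

    imaplib.IMAP4.starttls() sends the STARTTLS command and then wraps the
    socket using the supplied context, so the version floor and certificate
    verification above apply to the upgraded connection.
    """
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ssl_context=hardened_context())
    return conn


if __name__ == "__main__":
    ctx = hardened_context()
    print("minimum version:", minimum_version_name(ctx))
    for name in ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        print(f"{name:8s} allowed: {allows_protocol(ctx, name)}")
    # connect_imap_starttls("imap.example.invalid")  # assumed host; needs network
```

`allows_protocol` reads the context's own `minimum_version`/`maximum_version`, so it reflects what the running process will actually negotiate; that is the check an auditor can be pointed at when a rebuild of vendor OpenSSL binaries is not practical.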