On Fri, 2 Jan 2004, Paul Boven wrote: > Security is a very important thing. And security to me means encryption, > not only of the authentication phase but of the whole session. Now with > HTTPS I know you loose the ability to support virtual domains, because > the TLS session must be setup before the requested URL is transferred.
While this is definately true in HTTP (as sensitive information travesrses the network otherwise unencrypted), it is no where near as important in IMAP, unless you are concerned about people knowing what mailboxes you select (or if you use a mailbox that only gets APPENDed to). In almost every case, all of the information available in Cyrus has already crossed the network unencrypted, be it via SMTP between sites or via NNTP from a feeder peer. So, the contents of the messages have already been exposed, so the *content* isn't secure anyway. The only argument I currently completely understand for an IP-only based setup is that of sites that need to distinguish ANONYMOUS users between domains (and prehaps that is good enough). -Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456 Research Systems Programmer * /usr/contributed Gatekeeper