On Fri, Mar 04, 2011 at 03:41:09PM +0100, kapetr wrote:

> At the moment I am satisfied with the fact that the communication with
> the ISP's server is encrypted. So my name/passwd, sent with SASL
> LOGIN/PLAIN, are +- safe.
There is no such thing as "safe"; rather, "safe" is always relative to a set of threats that are mitigated. Encryption is not synonymous with security. Rather, encryption yields confidentiality protection against a passive wiretap. So your username/password are safe from interception by an attacker who passively captures packets.

Your username/password are not safe from a man-in-the-middle attack; thwarting that requires authentication as well as encryption. With stunnel that means "verify = 3" and a local copy of the SMTP server certificate.

The peer certificate copy is IIRC only used for its "subject DN", so if the peer certificate is renewed without changing any of the DN components, it will still match, provided the trust chain verifies. Basically, stunnel only supports authentication via a cert in the CAfile whose DN exactly matches the peer DN. You can even generate such a self-signed certificate yourself and throw away the private key. Provided the subject DN matches the peer's subject DN, you're set.

-- 
Viktor.
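The two stunnel client configurations being contrasted above, as an added illustration that is not part of the original thread: the first stanza encrypts only, the second also authenticates the peer with "verify = 3" and a local copy of its certificate. The hostname, ports and file path are placeholders.

```ini
; stunnel.conf excerpt (constructed example; hostname, ports and paths are placeholders)

; --- Before: encryption only. No certificate check is performed, so an
; active attacker who terminates the TLS session with any certificate
; receives the SASL LOGIN/PLAIN credentials in the clear.
[smtp-encrypt-only]
client  = yes
accept  = 127.0.0.1:2525
connect = smtp.example.net:465
verify  = 0

; --- After: encryption plus peer authentication. verify = 3 requires the
; server certificate to be present in CAfile (matched, as noted above, on
; its subject DN); a different certificate is rejected before the
; SMTP session, and therefore the SASL exchange, can begin.
; Obtain the peer certificate once, out of band, e.g. with:
;   openssl s_client -connect smtp.example.net:465 -showcerts </dev/null
; and save the server's PEM block to the CAfile path below.
[smtp-authenticated]
client  = yes
accept  = 127.0.0.1:2526
connect = smtp.example.net:465
verify  = 3
CAfile  = /etc/stunnel/smtp-peer.pem
```

Point the mail client at port 2526 only; leaving the encryption-only service running defeats the purpose of the second stanza.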