On Wed, Oct 25, 2000 at 12:59:59PM -0400, Adam McKenna wrote:
> On Wed, Oct 25, 2000 at 11:22:18AM -0400, Dave Sill wrote:
> > Adam McKenna <[EMAIL PROTECTED]> wrote:
> >
> > >SMTP is not secure. That's just the way it is. There is no reason to run
> > >SSL on your SMTP port.
> >
> > How about privacy? It's not as good as end-to-end, e.g. using PGP, but
> > it's better than nothing.
>
> The point is that unless you're sending mail to a local user, the same e-mail
> is just going to get sent back out, un-encrypted, over the internet. So why
> bother encrypting it from the client to the server?
The problem is POP3 encryption more than SMTP. POP3 encryption, apart from
messages privacy, prevents passwords sniffing. It makes sens even
if the messages travel unencrypted before reaching the user's mailbox
POP3 can be encrypted using any SSL wrapper, but the wrapper must be
run as root or it won't be possible to do "POP3 before SMTP" relay control.
The "guilty protocol" is SMTP, obviously, because it forces us do do the
tricks, but this is more difficult to change.
Hacking SSL wrapper or tcpserver would solve it, but the idea must wait
for some spare time.
Andrzej
