>I am interested in installing QPopper with TLS/SSL, as this seems like it
>would be the most secure configuration with regards to user authentication
>and message contents.  I am vaguely familiar with APOP, Kerberos, and PAM.
>Is there any advantage to running SSL/TLS QPopper with any of these other
>protocols, or is SSL/TLS sufficient on its own?

Note: I'm a Kerberos guy, so I'm biased.

I hesitate to call PAM "authentication"; it's really just a way to pass in
a plaintext password to different backends, so it's orthogonal to TLS.

I think Kerberos is technically superior to TLS as most people use TLS
(note when I say Kerberos, I mean using Kerberos via GSSAPI which gives
you authentication _and_ encryption, not KPOP), because while some people
do use certificates with TLS, let's face it: no one has even tried to
address revocation in that environment, and I don't think the use of
client certificates is really that widespread.  If you're not using
certificates, then the encryption that TLS provides is useful but not
secure.

The _big_ drawback to Kerberos is nowhere near as many clients support
it as support TLS.

--Ken
