-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Your first message, which started this flamewar.

> <snip>
>
> Roy,
>
> In the OLD days, people were happy with SMTP-Auth. I consider it LESS
> security than SMTP after POP, because with SMTP-Auth, You sent Your
> e-mail address and Your password of Your mailbox over the internet.
> When a man-in-the-middle catches this e-mail (or worse Your PW), he can
> use it for spam, or access Your mailbox.

Well, considering you send your entire email over the line to get access
to POP, this claim is not true. Just thought I'd bring this up, as
everywhere else you are suggesting that it is not true that you said
that.

Hell, pop3-ssl would be the same as smtp-ssl; both would allow secure
authentication. SMTP after POP is a pain, and it doesn't help against
these so-called man-in-the-middle attacks. Unless of course you would
also provide a patch to make it pop3-ssl, in which case the next thing
you say would be a better solution.

>
> I suggest You use: SHUPP's version with netqmail like :
>
> fetch http://www.qmail.org/netqmail-1.05.tar.gz
> tar xzvf netqmail-1.05.tar.gz
> cd netqmail-1.05
> ./collate.sh
>
> # patch with Shupp's TLS and SMTP-Auth
> fetch http://shupp.org/patches/netqmail-1.05-tls-smtpauth-20040207.patch
> patch < ./netqmail-1.05-tls-smtpauth-20040207.patch
>

So now that we have smtp-ssl, or smtps, how is SMTP after POP still more
secure? Why not just start an SSL connection and then auth with SMTP? I
don't see a difference at all. You brought POP in for no apparent reason
at all. Hell, I'd rather use SMTP auth than first POP and then sending
the mail, as it's a pain in the ass to configure most mail clients to do
POP before SMTP.

> certificate:
>
> You can copy those (extension .pem) from :
> freeBSD, vpopmail stuff
> cd /var/qmail/control
> cp /usr/local/cert/ipop3d.pem servercert.pem
> ln -s servercert.pem ./clientcert.pem
>

Breached# ls /usr/local/cert/ipop3d.pem
ls: /usr/local/cert/ipop3d.pem: No such file or directory

Hrm, that's FreeBSD BTW.

> Activate TLS by creating a certificate, and You will be much better off
> to create an encrypted connection to Your SMTP server by the SMTP Enc
> smtps 465/tcp #smtp protocol over TLS/SSL (was ssmtp)
> smtps 465/udp #smtp protocol over TLS/SSL (was ssmtp)
>
> <snip 500 million line sig>

X-Istence
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAr8DYJukONu5DUaQRAt+1AJ4rE88Og4vvjtJmrr6an0jCZYrduwCgk1C5
WKsxNOR6msDCJFK7wwaboqs=
=vm3x
-----END PGP SIGNATURE-----
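
An added example, not part of the original message or of qmail: a small Python audit of client-side protocol logs that flags credentials sent before TLS is negotiated, illustrating the point argued above that POP3 PASS and SMTP AUTH are equally exposed without TLS and equally covered with it. The log format ("C:"/"S:" prefixes), host names, user name and password are constructed for the example.

```python
import base64

def cleartext_credential_exposures(transcript):
    """Audit a client-side protocol log ("C: ..." / "S: ..." lines) and
    return one finding per credential sent before TLS was negotiated."""
    findings, tls, upgrade_requested = [], False, False
    for line in transcript:
        side, _, text = line.partition(" ")
        words = text.split()
        if not words:
            continue
        if side == "S:":
            # 220 answers STARTTLS (SMTP); +OK answers STLS (POP3).
            if upgrade_requested and words[0] in ("220", "+OK"):
                tls = True
            upgrade_requested = False
            continue
        verb = words[0].upper()
        if verb in ("STARTTLS", "STLS"):
            upgrade_requested = True
        elif tls:
            continue
        elif verb == "PASS":
            findings.append("POP3 PASS sent in cleartext")
        elif verb == "AUTH" and len(words) >= 2 and words[1].upper() in ("PLAIN", "LOGIN"):
            mech, who = words[1].upper(), ""
            if mech == "PLAIN" and len(words) == 3:
                # base64 is an encoding, not encryption: authzid NUL user NUL password
                parts = base64.b64decode(words[2]).split(b"\0")
                if len(parts) == 3:
                    who = " for user " + parts[1].decode()
            findings.append("SMTP AUTH " + mech + who + " sent without TLS")
    return findings

# Constructed sample sessions (not captured traffic); names and password are made up.
PLAIN_B64 = base64.b64encode(b"\0alice\0constructed-password").decode()
POP_BEFORE_SMTP = ["S: +OK POP3 ready", "C: USER alice", "S: +OK",
                   "C: PASS constructed-password", "S: +OK", "C: QUIT"]
SMTP_AUTH = ["S: 220 mail.example.org ESMTP", "C: EHLO client.example.org",
             "S: 250 AUTH PLAIN LOGIN", "C: AUTH PLAIN " + PLAIN_B64, "S: 235 ok"]
SMTP_AUTH_TLS = SMTP_AUTH[:2] + ["S: 250-STARTTLS", "S: 250 AUTH PLAIN LOGIN",
                                 "C: STARTTLS", "S: 220 ready"] + SMTP_AUTH[1:]

if __name__ == "__main__":
    for name in ("POP_BEFORE_SMTP", "SMTP_AUTH", "SMTP_AUTH_TLS"):
        print(name, cleartext_credential_exposures(globals()[name]))
```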