nanog mailing list archives
Re: Remote email access
From: Valdis.Kletnieks () vt edu
Date: Tue, 04 Feb 2003 13:17:36 -0500
On Tue, 04 Feb 2003 09:05:17 EST, Daniel Senie said:
> This is, IMO, unworkable in the near term. While I support and promote the use of TLS with SMTP (and POP), requiring client certs is likely too cumbersome for users to manage at this stage. Using STARTTLS to transition clients to an encrypted connection works exceptionally well. The server does need a cert, but the users are identifying with a methodology they understand, usernames and passwords.
I've personally been advocating setting up Sendmail with a self-signed certificate and opportunistic STARTTLS. Yes, I know it's not immune to man-in-the-middle attacks - but it's *quite* sufficient to stop passive sniffing of userids/passwords/text. And it doesn't require much infrastructure.
> The question this raises is whether you're concerned about MTA to MTA communication, or MUA to MTA? I'd be happy to see certs in use for MTA-MTA (and indeed support this today on my systems when talking to other MTAs which are using STARTTLS). However, there are definitely reasons why this
One of my hosts (a fair-sized Listserv server) sent out some 278K connections to other sites yesterday. Of the 3,453 domains it talked to, 123 were willing to do STARTTLS, for a deployment rate of 3.5%. Unfortunately, working across connections, only 0.53% used it. If the 10 busiest sites we talked to deployed STARTTLS, it would jump to some 27% of the traffic.
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
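The three figures in the message above (share of domains doing STARTTLS, share of connections using it, and the projection if the busiest sites deployed it) can be derived from an MTA's outbound delivery log. The following is an added example, not part of the original post and not the poster's method; the log lines are constructed in sendmail's client-side style, each `to=` line is assumed to be one connection, and a domain counts as STARTTLS-capable if any delivery to it negotiated TLS.

```python
import re
from collections import Counter

TLS_RE = re.compile(r"\]: (\w+): STARTTLS=client, relay=([^,\s]+)")
TO_RE = re.compile(r"\]: (\w+): to=<[^@>]+@([^>]+)>.*?relay=([^,\s]+)")

def starttls_stats(lines, top_n=1):
    """Return (share of domains using TLS, share of connections using TLS,
    share of connections if the top_n busiest domains enabled STARTTLS)."""
    tls_seen = set()       # (queue id, relay) pairs that negotiated TLS
    conns = Counter()      # recipient domain -> delivery attempts
    tls_conns = Counter()  # recipient domain -> attempts that ran over TLS
    for line in lines:
        if m := TLS_RE.search(line):
            tls_seen.add((m.group(1), m.group(2)))
        elif m := TO_RE.search(line):
            qid, domain, relay = m.group(1), m.group(2).lower(), m.group(3)
            conns[domain] += 1
            if (qid, relay) in tls_seen:
                tls_conns[domain] += 1
    total = sum(conns.values())
    if total == 0:
        return 0.0, 0.0, 0.0
    by_domain = len(tls_conns) / len(conns)
    by_conn = sum(tls_conns.values()) / total
    busiest = {d for d, _ in conns.most_common(top_n)}
    what_if = sum(conns[d] if d in busiest else tls_conns[d] for d in conns) / total
    return by_domain, by_conn, what_if

def build_sample():
    """Constructed lines in sendmail's client-side log style (not real data)."""
    out, n = [], 0
    plan = [("big.example", 6, False), ("mid.example", 2, False),
            ("small.example", 1, True), ("other.example", 1, False)]
    for domain, count, tls in plan:
        for _ in range(count):
            n += 1
            pre = f"Feb  3 10:00:{n:02d} lists sendmail[{4000 + n}]: h13F0{n:03d}: "
            if tls:
                out.append(pre + f"STARTTLS=client, relay=mx.{domain}., "
                           "version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168")
            out.append(pre + f"to=<user{n}@{domain}>, delay=00:00:01, mailer=esmtp, "
                       f"relay=mx.{domain}. [192.0.2.{n}], dsn=2.0.0, stat=Sent")
    return out

SAMPLE = build_sample()

if __name__ == "__main__":
    d, c, w = starttls_stats(SAMPLE, top_n=1)
    print(f"domains: {d:.1%}  connections: {c:.1%}  if busiest 1 deployed: {w:.1%}")
```

In the constructed sample the one TLS-capable domain is a low-volume one, so the per-connection rate sits well below the per-domain rate, the same pattern the message reports.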