From: Lilla <ho...@gu...> - 2002-10-30 16:19:55

Hi,

My IMAP-server is not on the same box as SM is running. To avoid sending cleartext passwords over my LAN is it possible to configure SM to use IMAP/SSL instead? (I'm running Courier-IMAP 1.5.3 with OpenSSL 0.9.6g)

/LH

From: Chris H. <ch...@bi...> - 2002-10-31 14:11:25

> My IMAP-server is not on the same box as SM is running. To avoid sending
> cleartext passwords over my LAN is it possible to configure SM to use
> IMAP/SSL instead? (I'm running Courier-IMAP 1.5.3 with OpenSSL 0.9.6g)

I'm working on support for this right now. Unfortunately, it requires PHP 4.3.x, which is a little too bleeding-edge for most people's tastes. (Hint: I haven't switched to 4.3.x yet) In the meantime, you can try using sslwrap. Check http://www.rickk.com/sslwrap/

Hope this helps,

Chris Hilts
ch...@bi...

From: Ben S. <ca...@ya...> - 2002-10-31 18:07:47

By pushing SM to https, wouldn't that do the trick?
I mean once you are on https, everything is encrypted.

Benjamin Sabini
ca...@ya...

From: Chris H. <ch...@bi...> - 2002-10-31 18:21:31

> By pushing SM to https, wouldn't that do the trick?
> I mean once you are on https, everything is encrypted.

That will encrypt communication between the web browser and the web server. It will still leave the password sent from the web server to the imap server unprotected.

[user's browser] <==SSL==> [apache/php/squirrelmail] <==CLEARTEXT==> [imap]

This can be avoided by using a wrapper like sslwrap to "tunnel" the communications to the IMAP server, using TLS or SSL connections (which will require PHP 4.3.x), or an authentication method such as digest-md5 which supports encryption.

I've got code for TLS in a branch of CVS, but as I said, it requires a pretty fresh version of PHP. I'm also working on digest-md5, which will take me a while. Best bet for now is to use a wrapper.

Chris Hilts
ch...@bi...

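An added example, not part of the thread or of SquirrelMail's code: one way to check whether the web-server-to-IMAP hop described above can carry a cleartext password, by reading the capabilities an IMAP server advertises. The function names are hypothetical and the server lines are constructed samples; pass `channel_encrypted=True` when the hop runs through a wrapper or an SSL/TLS connection.

```python
import re

# SASL mechanisms that carry the password itself (base64 is an encoding, not encryption).
PASSWORD_ON_WIRE = {"PLAIN", "LOGIN"}
# Challenge-response mechanisms: the password is never transmitted.
CHALLENGE_RESPONSE = {"CRAM-MD5", "DIGEST-MD5"}

# Constructed sample server lines (not captured from a real server).
SAMPLES = {
    "plain_143": "* OK [CAPABILITY IMAP4rev1 UIDPLUS IDLE STARTTLS] server ready",
    "hardened_143": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=DIGEST-MD5",
}

def parse_capabilities(line):
    """Return capability atoms from a '[CAPABILITY ...]' code or a '* CAPABILITY' line."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\* CAPABILITY (.*)", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def assess_hop(line, channel_encrypted=False):
    """Report whether a password could cross this hop in cleartext."""
    caps = parse_capabilities(line)
    if not caps:
        raise ValueError("no capability list found in server line")
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    # Without LOGINDISABLED the server accepts 'LOGIN user password' as typed.
    login_allowed = "LOGINDISABLED" not in caps
    exposed = (not channel_encrypted
               and (login_allowed or bool(mechs & PASSWORD_ON_WIRE)))
    return {
        "cleartext_password_possible": exposed,
        "starttls_offered": "STARTTLS" in caps,
        "challenge_response": sorted(mechs & CHALLENGE_RESPONSE),
    }

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, assess_hop(line))
    # Same server reached through a TLS wrapper or tunnel:
    print("tunnelled", assess_hop(SAMPLES["plain_143"], channel_encrypted=True))
```
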
From: Jonathan A. <ja...@ce...> - 2002-10-31 18:26:08

Hello Ben,

On Thursday, October 31, 2002, Ben Sabini wrote...

> By pushing SM to https, wouldn't that do the trick?
> I mean once you are on https, everything is encrypted.

Unfortunately no... this will only encrypt the traffic between the end user and the SM code itself... not between the SM Code, and the imap server. So you'd end up with:

User -- Encrypted --- SM --- Plain Text --- IMAP Server

Which defeats the whole point of it really ;)

As Chris said though, he's currently working on an encrypted layer for SM... hopefully he'll get it all squared away ;)

--
Jonathan Angliss (ja...@ce...)

From: David C. <da...@bo...> - 2002-10-31 18:30:17

Not true at all, all CLIENT communication is encrypted, but comms within your own environment between the web server and the IMAP server are still plain text.

----- Original Message -----
From: "Ben Sabini" <ca...@ya...>
To: <ch...@bi...>; "Lilla" <ho...@gu...>
Cc: <squ...@li...>
Sent: Thursday, October 31, 2002 10:07 AM
Subject: Re: [SM-USERS] SM vs IMAP/SSL

> By pushing SM to https, wouldn't that do the trick?
> I mean once you are on https, everything is encrypted.

From: Harold H. <ha...@ma...> - 2002-10-31 18:42:37

Of course, everything between the client and SM is encrypted by SSL, but I don't think the stuff between SM and IMAP is. And the original writer wanted to keep unencrypted stuff off the LAN between SM and the IMAP server.

I'm running SM and IMAP server on the same machine, so this is not an issue. However, I was always concerned about passwords in the clear between SM and the client, so I ran SM under SSL. That is until the hole in Open SSL was exploited and brought that machine down (or at least overloaded the router with port 2002 traffic). I'm in the process of migrating one machine to RH8.0. The machine running RH7.3 (and the SSL hole) now has port 443 blocked at the router so I can use SM on the LAN, but use pine over SSH from the outside world (where I am now).

Are others generally running SM over SSL?

Harold

On Thu, 31 Oct 2002, Ben Sabini wrote:

> By pushing SM to https, wouldn't that do the trick?
> I mean once you are on https, everything is encrypted.

From: Chris H. <ch...@bi...> - 2002-10-31 19:11:40

> Are others generally running SM over SSL?

I do for my "production" copy of SquirrelMail. For my CVS copy, which only I use for testing, I don't bother. I'm using a "demo" SSL cert which is only good for 6 months, but once it expires I'll just go self-signed, I think.

--
Chris Hilts
ch...@bi...

From: Lilla <ho...@gu...> - 2002-10-31 20:40:53

> The machine running RH7.3 (and the SSL
> hole) now has port 443 blocked at the router so I can use SM on the LAN,
> but use pine over SSH from the outside world (where I am now).
> Are others generally running SM over SSL?

At my place we _only_ accept SM over SSL, no HTTP. I'm also running RH73 but with as few RPM:s as possible. Why don't you just compile your own OpenSSL 0.9.6g and then build Apache 1.3.27 against it? It's easy.

If you prefer RPM's RedHat has released updated OpenSSL-RPM's.

/Lilla

From: Harold H. <ha...@ma...> - 2002-10-31 21:02:23

On Thu, 31 Oct 2002, Lilla wrote:

> At my place we _only_ accept SM over SSL, no HTTP. I'm also running RH73 but
> with as few RPM:s as possible. Why don't you just compile your own OpenSSL
> 0.9.6g and then build Apache 1.3.27 against it? It's easy.
>
> If you prefer RPM's RedHat has released updated OpenSSL-RPM's.
>
> /Lilla

Good idea! Actually, I just put my backup RH7.3 machine on line, blocked port 443 at the router, and started a general upgrade on the main machine (to RH8.0). I'm having fun migrating config files...

Harold

From: Sander S. <ss...@fr...> - 2002-11-01 11:42:23

Quoting Harold Hallikainen (ha...@ma...):

> Are others generally running SM over SSL?

I run SM on https with self made and self signed certs. Works like a charm, but yes, you have to keep up to date with security releases ;)

--
| Year, n.: A period of three hundred and sixty-five disappointments.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D