Disallow cleartext on the wire
jonr at destar.net
Mon Jan 10 18:48:45 EST 2011
Quoting Lucas Zinato Carraro <lucaszc at gmail.com>:
> RFC2595 does not recommend IMAPS, but I disagree on some points.
> imaps and pop3s ports
> Separate "imaps" and "pop3s" ports were registered for use with
> SSL. Use of these ports is discouraged in favor of the STARTTLS or
> STLS commands.
> - Separate ports lead to a separate URL scheme which intrudes into
> the user interface in inappropriate ways. For example, many web
> pages use language like "click here if your browser supports SSL."
> This is a decision the browser is often more capable of making than
> the user.
> But many clients have an option to confirm whether the server certificate is correct.
> - Separate ports imply a model of either "secure" or "not secure."
> This can be misleading in a number of ways. First, the "secure"
> port may not in fact be acceptably secure as an export-crippled
> cipher suite might be in use. This can mislead users into a false
> sense of security. Second, the normal port might in fact be
> secured by using a SASL mechanism which includes a security layer.
> Thus the separate port distinction makes the complex topic of
> security policy even more confusing. One common result of this
> confusion is that firewall administrators are often misled into
> permitting the "secure" port and blocking the standard port.
> This could be a poor choice given the common use of SSL with a 40-bit key
> encryption layer and plain-text password authentication is less secure than
> strong SASL mechanisms such as GSSAPI with Kerberos 5.
> Again, many clients have an option to confirm whether the connection is secure.
> Use of SSL with a 40-bit key can be used with other connections too.
> I don't see a serious provider implementing this.
> - Use of separate ports for SSL has caused clients to implement only
> two security policies: use SSL or don't use SSL. The desirable
> security policy "use TLS when available" would be cumbersome with
> the separate port model, but is simple with STARTTLS.
> Clients implement several methods, not only one or two.
> I don't see any modern mail client that does not implement "imaps",
> but I see clients that do not implement STARTTLS.
> - Port numbers are a limited resource. While they are not yet in
> short supply, it is unwise to set a precedent that could double (or
> worse) the speed of their consumption.
> But IMAPs and SMTPs use only 2 ports.
Ok, so I am using SASL and am using the max/min SSF in the imapd.conf
file. I have TLS and SSL open for authentication and I do not allow
plaintext logins without using TLS or SSL. Ports 25, 110, 143, 465, 993
and 995 are open on the server: the first three for TLS-aware MUAs and
the last three for those that can't do TLS (MS Outlook 2003).
Am I wrong in thinking this will encrypt my logins and keep them from
being snooped off the wire? If a MUA does try to jam a passwd in and
not honor the LOGINDISABLED flag they will still not be authenticated.
I could then send an error message back alerting the user of their
non-compliant MUA and why they were denied, correct?
Am I missing something obvious here?
Thanks again for all the help,
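A way to verify the policy the post describes (no password accepted on 143 until STARTTLS has run, password logins available once TLS is up) is to compare the server's CAPABILITY response before and after STARTTLS. The following is an added example, not code from the thread or from Cyrus; the CAPABILITY lines are constructed samples, and `probe()` takes a placeholder host name.

```python
import re
import ssl
import imaplib

# Constructed sample CAPABILITY responses (not captured from a real server).
# PRE_TLS mirrors what a server that refuses cleartext logins advertises on
# port 143 before STARTTLS; POST_TLS is the same server after TLS is up.
PRE_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ STARTTLS LOGINDISABLED AUTH=GSSAPI SASL-IR"
POST_TLS = "* CAPABILITY IMAP4rev1 LITERAL+ AUTH=PLAIN AUTH=LOGIN AUTH=GSSAPI SASL-IR"
# A misconfigured server: STARTTLS offered, but LOGIN and AUTH=PLAIN still open.
WEAK_PRE_TLS = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN"

def parse_capabilities(line):
    """Return the capability tokens (upper-cased) from an untagged CAPABILITY line."""
    m = re.match(r"^\* CAPABILITY\s+(.*)$", line.strip(), re.IGNORECASE)
    if not m:
        raise ValueError("not a CAPABILITY response: %r" % line)
    return set(m.group(1).upper().split())

def cleartext_allowed(caps):
    """True if a password could go over the wire in the clear in this state:
    LOGIN is not disabled, or a plaintext SASL mechanism is still offered."""
    if "LOGINDISABLED" not in caps:
        return True
    return bool(caps & {"AUTH=PLAIN", "AUTH=LOGIN"})

def check_policy(pre_tls_caps, post_tls_caps):
    """Evaluate the 'no cleartext logins without TLS' policy from the thread.
    Returns a list of findings; an empty list means the policy holds."""
    findings = []
    if "STARTTLS" not in pre_tls_caps:
        findings.append("STARTTLS not advertised on the cleartext port")
    if cleartext_allowed(pre_tls_caps):
        findings.append("a password could be sent before TLS is negotiated")
    if not cleartext_allowed(post_tls_caps):
        findings.append("LOGIN and AUTH=PLAIN/LOGIN remain disabled after TLS")
    return findings

def probe(host, port=143):
    """Live check of a real server (needs network; host is a placeholder).
    imaplib re-reads CAPABILITY after STARTTLS, so both states are observable."""
    conn = imaplib.IMAP4(host, port)
    pre = set(conn.capabilities)
    conn.starttls(ssl.create_default_context())
    post = set(conn.capabilities)
    conn.logout()
    return check_policy(pre, post)
```

A client that ignores LOGINDISABLED and sends LOGIN anyway gets a tagged NO from the server, so the password is still exposed on the wire once; the check above tells you whether the server even advertises that possibility.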