I'm experimenting with the use of Perdition as an IMAP4S proxy in front
of a proprietary messaging system. Perdition will accept the IMAP4S
connection, then send unencrypted IMAP4 to the back-end messaging
system.
I'm a bit concerned, though, that the IMAP4S connection isn't
necessarily as secure as I would like. In particular, I am concerned
about the IMAP4 client sending authentication credentials before the
TLS connection has been established. I've been reviewing RFC 3501 in
an effort to verify that the IMAP4 client first sends a CAPABILITY
command before attempting to authenticate. If so, then Perdition will
return both the STARTTLS and LOGINDISABLED responses, indicating that
the TLS connection must first be established, then authentication will
be permitted.
Anyone have a clue on this one? Packet captures thus far have been
inconclusive...although this may be due to my inexperience with tcpdump.
TIA.
--
Scott Lowe
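One way to verify from the server side what the post asks about, as an added example that is not from the original post or from the Perdition project: it parses the RFC 3501 greeting or CAPABILITY response, reports whether STARTTLS and LOGINDISABLED are advertised before TLS, and checks that a pre-TLS LOGIN attempt gets a NO/BAD. The server responses below are constructed; the `probe()` host and port are assumptions.

```python
"""Check that an IMAP server refuses plaintext authentication until STARTTLS (RFC 3501)."""
from __future__ import annotations
import re

# Constructed server responses (not captured from a real Perdition instance).
GREETING_SECURE = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Proxy ready"
GREETING_PLAIN = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] Proxy ready"
CAPABILITY_LINE = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=PLAIN"

_CAP_IN_GREETING = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.IGNORECASE)
_CAP_UNTAGGED = re.compile(r"^\* CAPABILITY (.*)$", re.IGNORECASE)


def parse_capabilities(line: str) -> set[str]:
    """Extract capability atoms from '* OK [CAPABILITY ...]' or '* CAPABILITY ...'."""
    m = _CAP_IN_GREETING.search(line) or _CAP_UNTAGGED.match(line.strip())
    if m is None:
        return set()
    return {atom.upper() for atom in m.group(1).split()}


def pre_tls_verdict(caps: set[str]) -> str:
    """Classify what the server allows before the TLS layer is negotiated."""
    starttls = "STARTTLS" in caps
    login_disabled = "LOGINDISABLED" in caps
    # LOGINDISABLED only covers LOGIN; AUTHENTICATE mechanisms advertised
    # pre-TLS (e.g. AUTH=PLAIN) would still let a client send credentials in clear.
    sasl_advertised = any(c.startswith("AUTH=") for c in caps)
    if not starttls:
        return "no-starttls"
    if not login_disabled:
        return "login-allowed-before-tls"
    if sasl_advertised:
        return "sasl-advertised-before-tls"
    return "ok"


def login_refused(tagged_response: str) -> bool:
    """True if a tagged reply to a pre-TLS LOGIN is NO or BAD (i.e. the login was rejected)."""
    parts = tagged_response.split(None, 2)
    return len(parts) >= 2 and parts[1].upper() in ("NO", "BAD")


def probe(host: str, port: int = 143) -> str:
    """Live check (assumed host/port): read the advertised capabilities and classify them."""
    import imaplib
    conn = imaplib.IMAP4(host, port)  # plaintext connection, no STARTTLS yet
    try:
        return pre_tls_verdict(set(conn.capabilities))
    finally:
        conn.logout()
```

`probe()` only reads capabilities and never sends credentials, so it is safe to run against your own proxy while tcpdump is watching the client side.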