|
|
On 05/15/2005 05:29 AM, Scott Lowe wrote:
I'm experimenting with the use of Perdition as an IMAP4S proxy in front
of a proprietary messaging system. Perdition will accept the IMAP4S
connection, then send unencrypted IMAP4 to the back-end messaging system.
I'm a bit concerned, though, that the IMAP4S connection isn't
necessarily as secure as I would like. In particular, I am concerned
about the IMAP4 client sending authentication credentials before the TLS
connection has been established. I've been reviewing RFC 3501 in an
effort to verify that the IMAP4 client first sends a CAPABILITY command
before attempting to authenticate. If so, then Perdition will return
both the STARTTLS and LOGINDISABLED responses, indicating that the TLS
connection must first be established, then authentication will be
permitted.
Anyone have a clue on this one? Packet captures thus far have been
inconclusive...although this may be due to my inexperience with tcpdump.
I think, Ethereal may help a lot; is more intutive as compared to tcpdump.
Inspired from a Net::SMTP Client Library in standard Ruby Libs, I've
developed Net::NNTP Client Library; plz have a look at detailed docs as
well as source at ...
Home: http://nntp.rubyforge.org/
Download: rubyforge.org/projects/nntp/">http://rubyforge.org/projects/nntp/
But implementation of some of the Authentication methods is incomplete
in both of the above packages. I have searched a number of RFC's and, or
drafts, but me too am clueless till yet.
I would love to hear from you on any further progress.
Regards,
--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: anu.homelinux.net/~bsd/">http://anu.homelinux.net/~bsd/ Visit: counter.li.org/">http://counter.li.org/
|
|