Summary: IMAP with encrypted authentication

From: shubin@peabody.jhu.edu
Date: Thu May 13 1999 - 10:16:54 CDT


Good morning, Gurus.
Thank you very much for your prompt reply and great suggestions:

Lee Trujillo <leet@navidec.com>
Harvey Wamboldt <harvey@iotek.ns.ca>
Eric D. Pancer <eric@outlook.net>
Jochen Bern <bern@penthesilea.uni-trier.de>
Bertold Kolics <bertold@sztaki.hu>
Michael Neef <Michael.Neef@neuroinformatik.ruhr-uni-bochum.de>

My summary: (if you know a little TLS/SSL, please read C. first)

A. You can do it with freeware (has been tested on Digital Unix):

--------------------------------------------------------------------
From: Michael Neef <Michael.Neef@neuroinformatik.ruhr-uni-bochum.de>

There is a document "Learning SSL the Hard Way" which describes how to do
IMAP over SSL:

http://www.dtcc.edu/cs/admin/notes/ssl/

---
Michael Neef, System-Administrator
Ruhr-Universitaet Bochum, Institut fuer Neuroinformatik, ND 03/68
D-44780 Bochum, Germany

B. There's commercial software from Innosoft and Netscape:

--------------------------------------------------------------------
From: Bertold Kolics <bertold@sztaki.hu>

Hi Shubin,

We use PMDF as an MTA and POP3/IMAP server on our UE450 machine. Further information: http://www.innosoft.com/iii/home-pmdf.html.

It supports Transport Layer security on POP3, IMAP (and on SMTP connections as well).

Cheers, Bertold

--------------------------------------------------------------------
From: Lee Trujillo <leet@navidec.com>

Netscape Messaging (mail) and Directory (ldap) servers can do IMAPS and LDAPS (S for secure). Totally encrypted.

C. A very useful and interesting overview on TLS/SSL/+More from Mr. Wamboldt -- THANK YOU, H, I appreciate your help.

--------------------------------------------------------------------
From: Harvey Wamboldt <harvey@iotek.ns.ca>

Yes, the IMAP spec does support encryption, or rather there is an extension to the spec. It uses TLS (Transport Layer Security, RFC-2246) which is the official successor to SSL. It is intended to be implemented on its own ports:

from <http://www.isi.edu/in-notes/iana/assignments/port-numbers>:

imap4-ssl       585/tcp    IMAP4+SSL (use 993 instead)
imap4-ssl       585/udp    IMAP4+SSL (use 993 instead)
imaps           993/tcp    imap4 protocol over TLS/SSL
imaps           993/udp    imap4 protocol over TLS/SSL

The TLS spec supports "authentication only" by specifying "null encryption". So in theory at least the specs are in place. That's the good news.

However, as far as I know, there are as yet no freely available IMAP-TLS implementations. You might be able to locate a TLS/SSL proxy (where you would connect to a port on your local machine, which would kick off a TLS/SSL proxy which would connect to a TLS/SSL proxy on the imap server, which would connect to the local imap port on the server ... in effect establishing an authenticated connection).

However, all may not be lost. There are several packages available, most from firewall vendors, most proprietary, which provide secure connections. These are mostly intended for connections from PCs on unsecured networks (like the Internet) to a firewall machine, typically a UNIX server. These provide robust authentication and encryption. Examples include <http://www.securecomputing.com/>, <http://www.checkpoint.com>, <http://www.datafellows.com>, <http://www.entrust.com>, and undoubtedly others. The bad news is that if you configure one of these to authenticate only, then you are still sending your imap password across the network in the clear.

Finally, there are three proposed secure authentication mechanisms for IMAP itself (RFC-1731). This RFC specifies how to use Kerberos version 4 authentication, GSSAPI authentication, and S/Key authentication. There is also a simpler "Challenge-Response Authentication Mechanism" (RFC-2195) which would be much better than passwords. However, again I don't know if anyone actually uses this yet.

It is still early days for encrypted email (these things take time). Of course it's a touchy subject since US law considers encryption to be as sensitive as munitions.

I'm looking forward to your SUMMARY.

Hope you found this useful, or at least interesting,

Rgds,

-H-

--------------------------------------------------------------------
My original Q:

> Hi, Gurus,
>
> I would appreciate if anybody could point out how to use IMAP server
> with encrypted authentication on Solaris 2.6(Sparc).
>
> I found some info about using encrypted port on IMAP, POP3 and SMTP.
> (http://www.nwfusion.com/newsletters/gwm/0329gw1.html)
>
> But what we need is not to encrypt all the email message, we just do not
> want the clear text uid/password to be easily captured by sniffers.
> We use Netscape as main email client and some Eudora, some MS-IE.
> Does IMAP work with SSL or other encryption protocol?
>
> I will summarize.
>
> Thanks in advance.
>
> Shubin Wang
> Unix Sys. Admin.
> Peabody Institute, JHU
> Tel: 410-659-8241



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:13:19 CDT