hi henrique!
> On Mon, 15 Nov 2004, OpenMacNews wrote:
> > SERVICES {
> >   # imap cmd="imapd" listen="imap" prefork=0
> >   imaps cmd="imapd -s" listen="imaps" prefork=0
>
> That's not what you want.

<snip>
aha. nice & clear again. thx!
but, why is "imapd -s is for IMAP connections that are externally wrapped by SSL" --> considered "BAD"?
> TLS starts with plaintext, and goes to encryption early (before any sensitive information is exchanged, but *after* important stuff that could be useful to select encryption/authentication keys like the server name is exchanged).
the 'starts with plaintext' explains why the UNencrypted 'imap' port (vs 'imaps') is used for the TLS connection.
i presume, then, that SSLvX *starts* encrypted ... hence the port 993. true?
> BTW add this to imapd.conf:
>
> tls_cipher_list: ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
>
> That will disable all weak ciphers, and leave you with medium grade and high grade ciphers. Try openssl cipher -v '<what you have in tls_cipher_list>' to see what you get. If you can get away with it, remove SSLv2 (add !SSLv2 after ALL:) too. man ciphers (openssl ciphers) to see how this works.
i actually had:
tls_cipher_list: TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH
i _thought_ the !ADH is there by default ... and i see no reason NOT to explicitly include (ALL) the high/med grade ciphers.
ok. fair enuf!
> And try to have both sides of the connection authenticated (require client certificates with a certification path known to the server).
i already have, setting up my own local CA ... i've just removed the step from the equation for now while i step-by-step the testing/configuration ...
cheers,
richard

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
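An added example, not part of the thread or of Cyrus: it does offline what the "openssl ciphers -v" check above does, by handing both tls_cipher_list strings quoted in the thread to the local OpenSSL through Python's ssl module, and flags any suite that still has no authentication (the Au=None column). It assumes the Python interpreter links the same OpenSSL that imapd would use.

```python
"""Resolve Cyrus tls_cipher_list strings against the local OpenSSL, offline."""
import ssl

# Both strings are quoted from the thread; any OpenSSL cipher string works.
SUGGESTED = "ALL:!ADH:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"    # henrique's list
ORIGINAL = "TLSv1:SSLv3:!NULL:!EXPORT:!DES:!LOW:@STRENGTH"  # richard's list


def resolve(spec):
    """Return the suites OpenSSL selects for `spec`, in preference order.

    Each entry is the dict ssl.SSLContext.get_ciphers() yields; its
    'description' is the same line `openssl ciphers -v` prints. A string
    that matches nothing raises ssl.SSLError, which is also how a broken
    tls_cipher_list fails when imapd starts.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def audit(spec):
    """Summarise what `spec` leaves enabled.

    '!ADH' only removes anonymous finite-field DH; anonymous ECDH suites
    ('AECDH-...') are a separate alias, and '!aNULL' covers both. Rather
    than trust the alias, flag every surviving suite whose description
    says Au=None, i.e. one that lets a server go unauthenticated.
    """
    suites = resolve(spec)
    return {
        "count": len(suites),
        "names": [s["name"] for s in suites],
        "min_bits": min(s["strength_bits"] for s in suites),
        "unauthenticated": [s["name"] for s in suites
                            if "Au=None" in s["description"]],
    }


if __name__ == "__main__":
    for label, spec in (("suggested", SUGGESTED), ("original", ORIGINAL)):
        report = audit(spec)
        print(f"{label}: {spec}")
        print(f"  {report['count']} suites, weakest {report['min_bits']} bits,"
              f" unauthenticated: {report['unauthenticated'] or 'none'}")
        for suite in resolve(spec):
            print("  " + suite["description"])
```

Run it on the mail server itself, since the cipher list is interpreted by the OpenSSL imapd links against, not by the one on your workstation.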