[wplug] IMAP revisited... to send mail?

Brandon Kuczenski brandon at 301south.net
Sat Nov 20 21:30:13 EST 2004 

On Sat, 20 Nov 2004, Brandon Kuczenski wrote:

> On Sat, 20 Nov 2004, Bill Moran wrote:
>
> > On Sat, 20 Nov 2004 08:47:36 -0500
> > "Jonathan S. Billings" <billings at negate.org> wrote:
> > >
> > > On Nov 20, 2004, at 8:34 AM, Bill Moran wrote:
> > >
> > > > So stuff had to be added to SMTP to secure it.  SASL is a component of
> > > > SMTP AUTH.  SMTP AUTH allows a user to authenticate to the SMTP server
> > > > before using it, SASL is how the SMTP server determines whether or not
> > > > that authentication succeeds or not.
> > >
> > > I should note that SASL is also used by imap and other services to
> > > negotiate authentication, as well negotiating the security layer for
> > > the protocol.  So you might see it in your IMAP configuration as well
> > > as MTA.
> >
> > Good point.
> >
> > SASL is the underlying method of authentication.  SMTP AUTH is the way
> > that SMTP uses SASL to do its job.  IMAP and POP could use SASL as well.
> > In fact, I think you could (potentially) use SASL for all authentication
> > (even login) although I don't know of anyone ever doing so.
> >
>
> Okay, so this is helping, somewhat... Again, tell me if I have it right.
>
...
> Maybe beating myself over the head with this for 18 hours straight is not
> a good idea....

I'm calmer now.  I think I have it -- at least, in a broad, conceptual
sense.

Really, postfix's job is simple: accept mail, and when doing so from
remote sources, require them to authenticate first.  For security, the
authentication must be performed with a layer of encryption (SSL/TLS)
(still not quite clear on the difference between SSL and TLS, but I would
guess it's one of nomenclature).  A mail client connects to my port 25 and
tells postfix to STARTTLS.  Once that's happened, communication is now
secure (assuming the client accepts the server's certificate), and so the
client AUTHenticates.

Here's where SASL comes in: it provides a way for Postfix (or any program)
to interface with an authentication database, and provides some tools for
maintaining that database, but really it expects to use something like
/etc/passwd or an SQL database or something (this is for scalability, I
would guess).

And that's the difference between transport-level security and
authentication.

What's really neat about this is that once I have this setup I could tell
postfix to act as a secure client as well -- and only deliver mail when
SSL is used.  That way, if I ever fear an overzealous Justice Department
or a nosy ISP, or if the free world becomes overrun with terrorists, or I
have an ugly breakup with some l33t hacker girl, I can encrypt ALL my
email (and simply not correspond with people who don't provide TLS on
their mailserver).  It's really a very different issue from setting up an
IMAP server.

AND... It's not that hard.  In theory.

My problem is that I hate setting a problem down in the middle, unsolved,
which leads to these marathon weekends during which I'm buried in man
pages and howtos.

Does everybody go through this?  is it a phase?  Or am I doomed to
struggle with every system upgrade and every service rollout?  Am I too
old to become a Jedi?  People who started hacking when they were 8 don't
have this problem.

-Brandon

More information about the wplug mailing list