Home page logo

nanog logo nanog mailing list archives

Re: Remote email access
From: Valdis.Kletnieks () vt edu
Date: Tue, 04 Feb 2003 13:17:36 -0500

On Tue, 04 Feb 2003 09:05:17 EST, Daniel Senie said:

This is, IMO, unworkable in the near term. While I support and promote the 
use of TLS with SMTP (and POP), requiring client certs is likely too 
cumbersome for users to manage at this stage. Using STARTTLS to transition 
clients to an encrypted connection works exceptionally well. The server 
does need a cert, but the users are identifying with a methodology they 
understand, usernames and passwords.

I've personally been advocating setting up Sendmail with a self-signed
certificate and opportunistic STARTTLS.   Yes, I know it's not immune to
man-in-the-middle attacks - but it's *quite* sufficient to stop passive
sniffing of userids/passwords/text.  And it doesn't require much infrastructure.

The question this raises is whether you're concerned about MTA to MTA 
communication, or MUA to MTA? I'd be happy to see certs in use for MTA-MTA 
(and indeed support this today on my systems when talking to other MTAs 
which are using STARTTLS). However, there are definitely reasons why this 

One of my hosts (a fair-sized Listserv server) sent out some 278K connections
to other sites yesterday.  Of the 3,453 domains it talked to, 123 were
willing to do STARTTLS, for a deployment rate of 3.5%.

Unfortunately, working across connections, only 0.53% used it.  If the 10
busiest sites we talked to deployed STARTTLS, it would jump to some 27% of
the traffic.

                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech

Attachment: _bin

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]