Re: right MTA for crypto support
On Tue, Aug 27, 2002 at 11:53:08AM +0200, Eugen Leitl wrote:
I'm getting rather pissed at diverse wiretap legislations making the global rounds (lately EU is making noises towards storing a one year deep FIFO of all email and browsing traffic for all users), and would like to run my own MTA, with MX fallback to ISPs. I would like to have secure MUA-MTA (IMAP/SSL, POP/SSL) and MTA-MTA (if the other end supports it).
lne.com's sendmail now supports START_TLS. Not that that adds any security to cpunks list mail of course. But it does increase the amount of encrypted traffic. It's relatively easy to turn on TLS in sendmail. It's not secure against active attackers that can modify the data in the TCP stream but it's better than nothing.
If anyone knows of patches which automatically query keyservers and GPG/PGP encrypt emails to targets (this is not a deep paranoia setup, just a cheap measure to increase encrypted mail traffic) that would be nice to have, too.
Besides START_TLS which is built in, there is probably an auto-PGP patch for sendmail.
Eric
On 8/27/02 1:24 PM, "Eric Murray" <ericm@lne.com> wrote:
On Tue, Aug 27, 2002 at 11:53:08AM +0200, Eugen Leitl wrote:
I'm getting rather pissed at diverse wiretap legislations making the global rounds (lately EU is making noises towards storing a one year deep FIFO of all email and browsing traffic for all users), and would like to run my own MTA, with MX fallback to ISPs. I would like to have secure MUA-MTA (IMAP/SSL, POP/SSL) and MTA-MTA (if the other end supports it).
lne.com's sendmail now supports START_TLS. Not that that adds any security to cpunks list mail of course. But it does increase the amount of encrypted traffic.
It's relatively easy to turn on TLS in sendmail. It's not secure against active attackers that can modify the data in the TCP stream but it's better than nothing.
If anyone knows of patches which automatically query keyservers and GPG/PGP encrypt emails to targets (this is not a deep paranoia setup, just a cheap measure to increase encrypted mail traffic) that would be nice to have, too.
Besides START_TLS which is built in, there is probably an auto-PGP patch for sendmail.
Correct me if I'm wrong, but I'm pretty sure that PGP's included outlook plugin provides options for automatic encryption/digital signatures... ~SAM
Eric wrote:
On Tue, Aug 27, 2002 at 11:53:08AM +0200, Eugen Leitl wrote:
I'm getting rather pissed at diverse wiretap legislations making the global rounds (lately EU is making noises towards storing a one year deep FIFO of all email and browsing traffic for all users), and would like to run my own MTA, with MX fallback to ISPs. I would like to have secure MUA-MTA (IMAP/SSL, POP/SSL) and MTA-MTA (if the other end supports it).
lne.com's sendmail now supports START_TLS. Not that that adds any security to cpunks list mail of course. But it does increase the amount of encrypted traffic.
There are a bunch of projects that either work on or have completed integration of PGP at the MTA level. A post to the OpenPGP lists should round up the candidates. Either way, I agree with Eric that turning on STARTTLS support in MTAs has become so easy that I would be hard pressed to come up with reasons why one wouldn't. I know that enabling STARTTLS is trivial in postfix and I am told that STARTTLS ships with exim and at least the Debian build of sendmail. Either way, I would recommend to first enable STARTTLS in your MTA and only after that start looking at PGP integrations. (I fully understand that STARTTLS and PGP fulfill different needs and address different threat models.)
--Lucky Green
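Eric's point that STARTTLS "is not secure against active attackers that can modify the data in the TCP stream", and Lucky's recommendation to switch it on anyway, both come down to how the sending MTA reacts when STARTTLS is missing from the EHLO capability list. The following added example (written for this thread, not code from any of the participants or from sendmail/postfix) simulates that decision on two constructed EHLO replies: one where the server advertises STARTTLS and one where an on-path attacker has stripped the keyword. The policy names `none`, `may` and `encrypt` are borrowed from Postfix's `smtp_tls_security_level` parameter; the host names and reply text are constructed.

```python
"""Opportunistic vs. mandatory STARTTLS: why the EHLO reply decides the outcome.

Added illustration, not code from the thread. It parses a multiline SMTP
EHLO reply (RFC 5321, section 4.1.1.1) and applies a client-side TLS policy
to it, showing that opportunistic STARTTLS ("may") silently falls back to
cleartext when the STARTTLS keyword is absent, while a mandatory policy
("encrypt") refuses to deliver instead.
"""
from typing import List, Tuple

# Constructed EHLO replies (not captured from any real server).
EHLO_WITH_TLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)

# The same server as seen through an active attacker who removed the
# STARTTLS line from the reply before it reached the client.
EHLO_STRIPPED = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(response: str) -> Tuple[int, List[str]]:
    """Return (reply code, capability keywords) from a multiline EHLO reply.

    Continuation lines look like '250-KEYWORD ...', the final line like
    '250 KEYWORD'. The first line carries the server's greeting rather than
    a capability, so it contributes only the reply code.
    """
    lines = [line for line in response.split("\r\n") if line]
    if not lines or len(lines[0]) < 4:
        raise ValueError("empty or truncated EHLO reply")
    code_text = lines[0][:3]
    code = int(code_text)
    capabilities = []
    for line in lines[1:]:
        if line[:3] != code_text:
            raise ValueError(f"inconsistent reply code in line: {line!r}")
        if line[3] not in "- ":
            raise ValueError(f"malformed reply line: {line!r}")
        keyword = line[4:].split(" ", 1)[0].upper()
        capabilities.append(keyword)
    return code, capabilities


def choose_transport(response: str, policy: str) -> str:
    """Decide how a sending MTA proceeds after EHLO under a given TLS policy.

    policy is one of:
      'none'    - never use TLS
      'may'     - opportunistic: use STARTTLS if offered, else cleartext
      'encrypt' - mandatory: use STARTTLS if offered, else refuse to send
    Returns 'cleartext', 'starttls', 'refuse' or 'abort'.
    """
    if policy not in ("none", "may", "encrypt"):
        raise ValueError(f"unknown policy: {policy!r}")
    code, capabilities = parse_ehlo(response)
    if code != 250:
        return "abort"  # EHLO itself failed; nothing to negotiate
    if policy == "none":
        return "cleartext"
    if "STARTTLS" in capabilities:
        return "starttls"
    # STARTTLS not advertised: the opportunistic client cannot tell a
    # server that lacks TLS from one whose offer was stripped in transit.
    return "cleartext" if policy == "may" else "refuse"


if __name__ == "__main__":
    for label, reply in (("honest server", EHLO_WITH_TLS),
                         ("STARTTLS stripped", EHLO_STRIPPED)):
        for policy in ("none", "may", "encrypt"):
            print(f"{label:18} policy={policy:8} -> {choose_transport(reply, policy)}")
```

The "may" row for the stripped reply is the weakness Eric describes: the client ends up in cleartext and nothing in the protocol tells it that anything was tampered with. Moving to "encrypt" closes that gap for the peers it is configured for, at the cost of refusing mail to servers that genuinely do not support TLS, which is why opportunistic mode is the usual default and a mandatory policy is applied per destination.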
participants (3)
- Eric Murray
- Lucky Green
- Sam Ritchie