On 03/11/2013 05:27 AM, Eero Volotinen wrote:
> 2013/3/11 Robert Moskowitz <rgm@xxxxxxxxxxxxxxx>:
>> On 03/11/2013 05:08 AM, Eero Volotinen wrote:
>>>>> - Firewall and SELinux should be disabled.
>>>> Bad advice.
>>> this page also configures unsafe imap and pop settings. People should
>>> always enable only ssl-enabled versions of imap and pop only.
>>
>> Just don't open those ports. Then they only work locally. For imap, that
>> works well with the local imap webmail software.
>>
>> Why should a local squirelmail or roundcube server have to go through SSL to
>> the local dovecot server?
> why not? it is always wise to use encrypted protocols, when possible.
If the system is so hacked that there is a risk of snooping on
localhost, you have larger issues.
And I develop cryptographic protocols. RIght now I am off to the IETF
meeting. I understand what encrypted protocols give and what they
don't. In this case, the user is validating the webmail cert for their
TLS connection to webmail. They don't even see the dovecot cert. maybe
it is the same cert or maybe not. But the point is it never gets to the
user domain for validation.
Further, it may well be the case that webmail uses a single TLS channel
to dovecot for all users? Would have to look into that.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
