RFC 3501 (Use of CAPABILITY in IMAP4S session)

I'm experimenting with the use of Perdition as an IMAP4S proxy in front
of a proprietary messaging system. Perdition will accept the IMAP4S
connection, then send unencrypted IMAP4 to the back-end messaging
system.

I'm a bit concerned, though, that the IMAP4S connection isn't
necessarily as secure as I would like. In particular, I am concerned
about the IMAP4 client sending authentication credentials before the
TLS connection has been established. I've been reviewing RFC 3501 in
an effort to verify that the IMAP4 client first sends a CAPABILITY
command before attempting to authenticate. If so, then Perdition will
return both the STARTTLS and LOGINDISABLED responses, indicating that
the TLS connection must first be established, then authentication will
be permitted.

Anyone have a clue on this one? Packet captures thus far have been
inconclusive...although this may be due to my inexperience with tcpdump.

TIA.

--
Scott Lowe



Scott Lowe

On 05/15/2005 05:29 AM, Scott Lowe wrote:
> I'm experimenting with the use of Perdition as an IMAP4S proxy in front
> of a proprietary messaging system. Perdition will accept the IMAP4S
> connection, then send unencrypted IMAP4 to the back-end messaging system.
>
> I'm a bit concerned, though, that the IMAP4S connection isn't
> necessarily as secure as I would like. In particular, I am concerned
> about the IMAP4 client sending authentication credentials before the TLS
> connection has been established. I've been reviewing RFC 3501 in an
> effort to verify that the IMAP4 client first sends a CAPABILITY command
> before attempting to authenticate. If so, then Perdition will return
> both the STARTTLS and LOGINDISABLED responses, indicating that the TLS
> connection must first be established, then authentication will be
> permitted.
>
> Anyone have a clue on this one? Packet captures thus far have been
> inconclusive...although this may be due to my inexperience with tcpdump.

I think, Ethereal may help a lot; is more intutive as compared to tcpdump.

Inspired from a Net::SMTP Client Library in standard Ruby Libs, I've
developed Net::NNTP Client Library; plz have a look at detailed docs as
well as source at ...

Home: http://nntp.rubyforge.org/
Download: http://rubyforge.org/projects/nntp/

But implementation of some of the Authentication methods is incomplete
in both of the above packages. I have searched a number of RFC's and, or
drafts, but me too am clueless till yet.

I would love to hear from you on any further progress.

Regards,
--
Dr Balwinder Singh Dheeman Registered Linux User: #229709
CLLO (Chief Linux Learning Officer) Machines: #168573, 170593, 259192
Anu's Linux@HOME Distros: Ubuntu, Fedora, Knoppix
More: http://anu.homelinux.net/~bsd/ Visit: http://counter.li.org/