Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
While learning some Postfix basics, I realized that PLAIN and LOGIN are extremely poor authentication methods if used without encryption, since in both cases usernames and passwords are sent over the network in cleartext.
Now I am thinking about the general security standard. Most people around me don't use TLS for their e-mail traffic, and e-mail service providers don't encourage their customers too much to do so.
Do I conclude correctly that most of our e-mail traffic is highly exposed to the "dark side of the web", meaning hackers, crackers and identity thieves?
And why do bad things not happen that often?
I would really like to hear what you think about this.
And what do you do to make e-mail traffic more secure?
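Since the question comes out of reading Postfix basics, here is an added example (not code from this thread or from the Postfix project) that lints a main.cf fragment for the settings that let SMTP AUTH happen on an unencrypted connection. The parameter names are real Postfix parameters (smtpd_sasl_auth_enable, smtpd_tls_security_level, smtpd_tls_auth_only, smtpd_sasl_security_options); the two config fragments are constructed samples, one weak and one hardened. The legacy smtpd_use_tls switch is not considered.

```python
# Added example: check a Postfix main.cf fragment for cleartext SMTP AUTH.

def parse_main_cf(text):
    """Parse Postfix 'key = value' lines. Only lines starting with '#' are
    comments, and an indented line continues the previous value."""
    settings, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key:        # continuation line
            settings[last_key] += " " + raw.strip()
        elif "=" in raw:
            key, value = raw.split("=", 1)
            last_key = key.strip()
            settings[last_key] = value.strip()
    return settings


def cleartext_auth_problems(text):
    """Return the reasons this configuration accepts AUTH without TLS."""
    s = parse_main_cf(text)
    if s.get("smtpd_sasl_auth_enable", "no") != "yes":
        return []                                 # no SMTP AUTH at all, nothing to leak
    problems = []
    if s.get("smtpd_tls_security_level", "") in ("", "none"):
        problems.append("smtpd_tls_security_level is none: STARTTLS is never offered")
    # 'noplaintext' makes smtpd refuse PLAIN/LOGIN on its own; otherwise only
    # smtpd_tls_auth_only = yes stops them from being offered before STARTTLS.
    sasl_opts = s.get("smtpd_sasl_security_options", "noanonymous")
    if s.get("smtpd_tls_auth_only", "no") != "yes" and "noplaintext" not in sasl_opts:
        problems.append("smtpd_tls_auth_only is not yes: PLAIN/LOGIN accepted on cleartext connections")
    return problems


# Constructed sample fragments (not from any real server).
WEAK_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = none
"""

HARDENED_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_sasl_security_options = noanonymous,
    noplaintext
"""
```

Running cleartext_auth_problems on the weak fragment reports both problems; on the hardened one it reports nothing, because with smtpd_tls_auth_only = yes Postfix only announces AUTH after STARTTLS has succeeded.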
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
Rep:
You never get spam with a 'From:' address that you know (unrelated to the source of the spam, surely)? You are lucky. I would not call that "that good". And full-scale password theft is not easy enough to pay back: you have to sniff traffic, and it is pretty much work to do, compared to sending with a fake 'From:'.
Sure, I have tons of mails with faked sender addresses in my inbox day by day. But a gathered login opens a server for full relay. Admins do so much work to seal servers, maintain blacklists, careful user management and so on. In opposition to all this work, the authentication mechanisms seem to be kind of weak.
With the growing use of IMAP, stolen passwords open access to possibly sensitive information, too.
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
Rep:
To get a password through weak authentication, you need to have control over a box that is close, in the sense of network topology, to the victim. And yes, thanks to the MAC cache in the switch, you have to do extra work to intercept anything not intended for you to see. To send a virus, and you get a lot of sensitive information, and surely all passwords that are stored unencrypted or simply entered from the keyboard, you need only a user being unfamiliar with computer security and running some rogue programs he got in unsolicited e-mail (that means 90+% of users; thanks to Microsoft for protecting me by converting me into too hard a target to hit regardless of all my guessable passwords).
Now you get more for less effort. Will you accept the offer?
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660
Rep:
The plain authentication isn't really an issue in most cases, and if you think about it, any authentication is really vulnerable to at least a replay attack if it's sent over an unencrypted channel.
The cases when unencrypted authentication matters:
1.) Wireless
2.) Corporate network
3.) Unprotected loop networks, such as cable modems
The first should be obvious. With the second, it's possible that a sufficiently clever, malicious insider could snoop credentials for other individuals and use them to perform harmful activities. Third, all the original cable modem infrastructure had your local loop as basically a giant hub, with the packets being broadcast around. You could simply put your NIC in promiscuous mode and pick up all the traffic. The cable companies tried to crack down a little by putting new firmware on the modems that ignores packets not meant for their MAC, but people found out that they could flash the firmware to remove that restriction. I think the current cable spec has better controls built in, but a lot of deployments might still be using legacy equipment and standards.
It's always a good idea to set up your e-mail accounts with TLS when possible, only log in to webmail with HTTPS, etc.
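The point of this answer, and of the original question, is that PLAIN and LOGIN only base64-encode the credentials, so anything authenticated before STARTTLS is readable on the wire. The following is an added example (not code from this thread) that audits an SMTP session transcript and reports every AUTH command issued before TLS was negotiated, with the mechanism and the username that went out in the clear; the password is deliberately never decoded. The transcripts are constructed samples, and the "C:"/"S:" prefixes marking client and server lines are this example's own convention, not SMTP syntax.

```python
import base64
import binascii
import re

# Constructed sample transcripts (not real captures). "C:" lines come from
# the client, "S:" from the server. The AUTH PLAIN token is the base64 of
# "\0user\0password", which is exactly what a mail client sends.
CLEARTEXT_SESSION = """\
S: 220 mail.example.test ESMTP Postfix
C: EHLO client.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AHVzZXIAcGFzc3dvcmQ=
S: 235 2.7.0 Authentication successful
"""

# AUTH LOGIN sends username and password as separate base64 lines.
LOGIN_SESSION = """\
S: 220 mail.example.test ESMTP Postfix
C: EHLO client.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: dXNlcg==
S: 334 UGFzc3dvcmQ6
C: cGFzc3dvcmQ=
S: 235 2.7.0 Authentication successful
"""

# Same credential, but only after STARTTLS succeeded: nothing to report.
TLS_SESSION = """\
S: 220 mail.example.test ESMTP Postfix
C: EHLO client.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: EHLO client.example.test
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AHVzZXIAcGFzc3dvcmQ=
S: 235 2.7.0 Authentication successful
"""


def _b64(token):
    """Decode a base64 token or return None. Base64 is encoding, not encryption."""
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def audit_smtp_session(transcript):
    """Return one finding per AUTH command sent before TLS was negotiated."""
    tls_active = False        # True once the server accepted STARTTLS
    starttls_pending = False  # client sent STARTTLS, reply not yet seen
    want_login_user = False   # next client line is the AUTH LOGIN username
    findings = []
    for raw in transcript.splitlines():
        m = re.match(r"^([CS]):\s*(.*)$", raw)
        if not m:
            continue
        side, line = m.groups()
        if side == "S":
            if starttls_pending:
                tls_active = line.startswith("220")
                starttls_pending = False
            if want_login_user and not line.startswith("334"):
                want_login_user = False   # server did not prompt for a username
            continue
        if want_login_user:
            want_login_user = False
            user = _b64(line)
            findings[-1]["username"] = user.decode("utf-8", "replace") if user else None
            continue                      # the password line that follows is never decoded
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "STARTTLS":
            starttls_pending = True
        elif verb == "AUTH" and not tls_active:
            mech, _, initial = arg.partition(" ")
            mech = mech.upper()
            finding = {"mechanism": mech, "username": None}
            if mech == "PLAIN" and initial:
                # RFC 4616 layout: authzid NUL authcid NUL password
                parts = (_b64(initial) or b"").split(b"\0")
                if len(parts) == 3:
                    finding["username"] = parts[1].decode("utf-8", "replace")
            elif mech == "LOGIN":
                user = _b64(initial) if initial else None
                if user:
                    finding["username"] = user.decode("utf-8", "replace")
                else:
                    want_login_user = True
            findings.append(finding)
    return findings
```

On the first two transcripts the audit returns a single finding naming the mechanism and the username "user"; on the third it returns nothing, because the AUTH command only appears after the server's 220 reply to STARTTLS. The same logic applies unchanged to a client that authenticates on port 587 without ever issuing STARTTLS, which is the case the answer above warns about.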