LinuxQuestions.org


mikeyt_333 04-17-2002 03:31 PM

Stunnel and Sendmail
 
I am looking at securing my sendmail using stunnel. From what I have read it seems to be fairly straightforward, but I don't understand some things.

The way I understand mail transport, it will go from my home system to my mail server (which I am configuring to use stunnel), then my mail server will locate the destination server, negotiate and send the mail. Once the mail is sitting on the destination server, the recipient will then either through web based, or pop3, pick up the email. My question is, doesn't the secure transmission thus end the moment my mail server begins negotiation with the destination server (assuming the destination isn't using secure SMTP)? If this is the case, how can I get around this? Is the only way through Public/Private Key? Thanks in advance!

Mike.

mikeyt_333 04-17-2002 05:33 PM

Mail security
 
K, in your opinion do you think this scenario is secure:

I have a webstore program that sends orders via SMTP to users on the server it is running on. Doesn't that mean that it never actually leaves the server, and is secure as a result, as far as people not having access to it, as long as there isn't a hack or other form of intrusion?

TIA
Mike.

unSpawn 04-17-2002 05:33 PM

Re: Stunnel and Sendmail
 
(..)My question is, doesn't the secure transmission thus end the moment my mail server begins negotiation with the destination server (assuming the destination isn't using secure SMTP)? If this is the case, how can I get around this? Is the only way through Public/Private Key?(..)
If the remote side doesn't want SSLified traffic you're right, it ends at your SMTP server. Message encryption IMO is the only way because SSLifying shields only traffic, not storage, and can't do sender/msg verification on retrieval.
*Btw, I've seen a pkg doing GPG automatic signing through sendmail (not through a MUA), but I haven't been able to tinker with it, and I don't know if this could be used on multi-user hosts.
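
The per-hop nature of transport encryption discussed in the question and reply above can be checked on a delivered message by reading its `Received` headers. The following is an added example, not part of the original thread: the sample message and hostnames are constructed, and it assumes relays record TLS either as a sendmail-style `(version=...)` comment, a Postfix-style `(using TLS...)` comment, or an RFC 3848 `with ESMTPS` keyword.

```python
import email
import re

# Constructed sample: hostnames, ids and header values are invented.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.com with ESMTP id 3F2A1
\tfor <bob@example.com>; Wed, 17 Apr 2002 15:31:07 -0500
Received: from home.example.net (home.example.net [198.51.100.7])
\t(version=TLSv1/SSLv3 cipher=DES-CBC3-SHA bits=168 verify=NO)
\tby mail.example.org with ESMTP id 9C41B
\tfor <bob@example.com>; Wed, 17 Apr 2002 15:31:02 -0500
Subject: order 1001
"""

TLS_COMMENT = re.compile(r"\((?:version=|using\s+)(?:TLS|SSL)", re.I)
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" values

def strip_comments(value):
    """Drop parenthesised comments, including nested ones."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def field(name, text):
    m = re.search(rf"\b{name}\s+(\S+)", text)
    return m.group(1) if m else None

def hops(raw):
    """Relay hops in transit order, with the TLS state each relay recorded."""
    out = []
    msg = email.message_from_string(raw)
    # Every relay prepends its header, so the oldest hop is last.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # unfold continuation lines
        bare = strip_comments(flat)
        proto = (field("with", bare) or "").upper()
        tls = proto in TLS_KEYWORDS or bool(TLS_COMMENT.search(flat))
        out.append({"from": field("from", bare), "by": field("by", bare), "tls": tls})
    return out

def first_cleartext_hop(raw):
    """First hop with no recorded TLS; confidentiality in transit ends here."""
    return next((h for h in hops(raw) if not h["tls"]), None)

if __name__ == "__main__":
    for h in hops(SAMPLE):
        print(f'{h["from"]} -> {h["by"]}: {"TLS" if h["tls"] else "cleartext"}')
```

A relay fronted by stunnel sees only the plaintext connection handed over by the stunnel process, so its header will show no TLS even though the wire was encrypted. Headers written by upstream relays are only as trustworthy as those relays, so treat the result as an indication, not proof.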

unSpawn 04-17-2002 06:39 PM

Re: Mail security
 
Quote:

Originally posted by mikeyt_333
K, in your opinion do you think this scenario is secure:

I have a webstore program that sends orders via SMTP to users on the server it is running on. Doesn't that mean that it never actually leaves the server, and is secure as a result, as far as people not having access to it, as long as there isn't a hack or other form of intrusion?

TIA
Mike.

/* Hmm. tried to merge these two threads as I'm sure this was your reply, but somehow the reply got stuck in the middle :-] */

Now for an answer I couldn't say it's secure without checking all the gory details, but if the webstore's scripts are checked for exploits/vulnerabilities, possibly using SMTP listening on the local interface with a restricted config, preferably w/o regular user shell accounts, and not doubling as server for the usual suspects of vulnerable services I'd say you've taken some steps to ensure integrity, but I'm sure I'm forgetting some.

