[ingo] Sieve over SSL/TLS?

Aleksandar Milivojevic alex at milivojevic.org
Fri Jul 8 20:04:14 PDT 2005


Jan Schneider wrote:
> Zitat von alex at milivojevic.org:
> 
>>I've had a peek at Net_SIEVE module, and it seems it only parses the
>>capabilities and sets flag if STARTTLS is present in the list of
>>capabilities. Not sure if this just reflects future plans to add
>>support for it in Net_SIEVE,
>>or if applications using it can issue raw STARTTLS, handle TLS handshake
>>themselves and provide callback functions for read/write (that would
>>encrypt/decrypt data stream, something like proftpd implements TLS).
> 
> While this would technically be possible, it would require to port a 
> complete TLS library to PHP, which is a bad idea IMO.

Hm, not sure if I understood this part.  There's really no difference 
between building an SSL channel right after connect and building it after 
the server acknowledges STARTTLS.  The SSL handshake that happens after 
STARTTLS (in plaintext versions of protocols) is exactly the same thing as 
the SSL handshake that happens after connection establishment in the "s" 
versions of protocols.  So if it is possible to have an SSL encrypted 
connection for the IMAP protocol, I don't see why not for SIEVE?

A couple of people suggested stunnel.  Yes, I know about it and I planned 
it as my next step (I also considered ssh tunneling, a similar thing, but 
stunnel might be a much better fit).  However, I'd rather do it natively 
if possible.  If nothing else, the stunnel approach introduces two more 
daemons (one on each side) that need to run, two more points of failure, 
two more potentially exploitable points.
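As an added example (not Net_SIEVE or Horde code), this is what the post describes in PHP: issue STARTTLS on the plaintext ManageSieve connection and then run the same TLS handshake an implicit-TLS port would, using PHP's own stream crypto rather than a TLS library ported to PHP. The host, the default port 4190 from RFC 5804 (older servers used 2000) and the helper names are assumptions.

```php
<?php
// Added example: upgrade a plaintext ManageSieve session to TLS via STARTTLS.
// Host/port are placeholders; helper names are hypothetical, not Net_SIEVE API.

function sieve_read_response($fp): array
{
    // Collect lines until the terminating OK / NO / BYE response line.
    $lines = [];
    while (($line = fgets($fp)) !== false) {
        $line = rtrim($line, "\r\n");
        $lines[] = $line;
        if (preg_match('/^(OK|NO|BYE)\b/', $line)) {
            return $lines;
        }
    }
    throw new RuntimeException('connection closed before a response line');
}

function sieve_connect_starttls(string $host, int $port = 4190)
{
    // Verify the server certificate against the expected host name.
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    ]]);
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    // Greeting = capability lines (e.g. "STARTTLS") followed by OK.
    $greeting = sieve_read_response($fp);
    if (!in_array('"STARTTLS"', $greeting, true)) {
        fclose($fp);   // never fall back to plaintext authentication
        throw new RuntimeException('server does not advertise STARTTLS');
    }
    fwrite($fp, "STARTTLS\r\n");
    if (strpos(end(sieve_read_response($fp)), 'OK') !== 0) {
        fclose($fp);
        throw new RuntimeException('server rejected STARTTLS');
    }
    // Same handshake as on an SSL-wrapped port, just later on the stream.
    if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake failed');
    }
    // RFC 5804: the server re-sends its capabilities after STARTTLS; only the
    // post-TLS list is trustworthy, so discard the plaintext one.
    $caps = sieve_read_response($fp);
    return [$fp, $caps];
}
```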

