diff options
| -rw-r--r-- | fetchmail-FAQ.html | 7 | ||||
| -rw-r--r-- | fetchmail.man | 11 |
2 files changed, 15 insertions, 3 deletions
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 51c58ad1..d4d0123e 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@ <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/10 21:20:33 $ +<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $ </table> <HR> <H1>Frequently Asked Questions About Fetchmail</H1> @@ -1946,7 +1946,8 @@ an equal sign.<p> Fetchmail binaries built this way support <code>ssl</code>, <code>sslkey</code>, and <code>sslcert</code> options that control SSL encryption. You will need to have an SSL-enabled mailserver -to use these options. See the manual page for detals.<p> +to use these options. See the manual page for details and some words +of care on the limited security provided.<p> If your open OpenSSL session dies with a message that complains "PRNG not seeded", update or improve your operating system. This means that @@ -2966,7 +2967,7 @@ switching to IMAP and using a short expunge interval.<p> <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2001/02/10 21:20:33 $ +<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $ </table> <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> diff --git a/fetchmail.man b/fetchmail.man index 737b92f9..a77926de 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -770,6 +770,17 @@ is not valid. Some servers may require client side certificates be signed by a recognized Certifying Authority. The format for the key files and the certificate files is that required by the underlying SSL libraries (OpenSSL in the general case). +.PP +Finally, a word of care about the use of SSL: While above mentioned +setup with self-signed server certificates retrieved over the wires +can protect you from a passive eavesdropper it doesn't help against an +active attacker. It's clearly an improvement over sending the +passwords in clear but you should be aware that a man-in-the-middle +attack is trivially possible (in particular with tools such as dsniff, +http://www.monkey.org/~dugsong/dsniff/). Therefore and if possible, +the use of an appropriately ssh tunnel (see below for some examples) +is preferable if you seriously care about the security of your +mailbox. .SH DAEMON MODE The |