Hello Oli,

 AI>> They do, and both mailers work very well with that encryption. Do
 AI>> mailers that support CRYPT need to negotiate a session and
 AI>> exchange passwords before the session can be encrypted?

 Ol> Yes, you need a shared session password. It's also not a completely
 Ol> encrypted transmission.

This was a good start at the time it was implemeneted.

 AI>> Mystic has the ability to encrypt binkp sessions also (it uses
 AI>> cryptlib) although it hasn't fully matured and needs work.

 Ol> AFAIK it uses opportunistic TLS (like STARTTLS). The Internet is
 Ol> moving away from opportunistic encryption (RFC 8314, "Cleartext
 Ol> Considered Obsolete"). Mystics implementation is already a lame duck.

 Ol> https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigat
 Ol> ions

Yes, James said that he used this method as a start because we still need to
use the current method when encryption is not supported at both sides of the
link. The idea (when it's possible) is to move away from opportunitic TLS.

 AI>> Would binkp over TLS (or really, any secure method) be a good
 AI>> thing?

 Ol> Why wouldn't it? :)

I can't think of a reason. If we could get something to test we could discover
what works, what doesn't, and in time a standard method of doing this could be
established.

Then the FTSC could publish a standard. :)

 Ttyl :-),
         Al

--- GoldED+/LNX 1.1.5-b20180707