AI>> They do, and both mailers work very well with that encryption. Do
AI>> mailers that support CRYPT need to negotiate a session and
AI>> exchange passwords before the session can be encrypted?
Ol> Yes, you need a shared session password. It's also not a completely
Ol> encrypted transmission.
This was a good start at the time it was implemented.
AI>> Mystic has the ability to encrypt binkp sessions also (it uses
AI>> cryptlib) although it hasn't fully matured and needs work.
Ol> AFAIK it uses opportunistic TLS (like STARTTLS). The Internet is
Ol> moving away from opportunistic encryption (RFC 8314, "Cleartext
Ol> Considered Obsolete"). Mystic's implementation is already a lame duck.
Yes, James said that he used this method as a start because we still need to use the current method when encryption is not supported at both sides of the link. The idea (when it's possible) is to move away from opportunistic TLS.
AI>> Would binkp over TLS (or really, any secure method) be a good
AI>> thing?
Ol> Why wouldn't it? :)
I can't think of a reason. If we could get something to test we could discover what works, what doesn't, and in time a standard method of doing this could be established.