* Michael Heldebrant (hmike@portalofevil.com) [010910 12:19]:
> I'm asking here (not debian-user) because I'm looking to set up an imap
> server behind my firewall which will be port forwarded from the firewall
> to an internal internet unrouteable ip address. I'd like to know:
>
> Which is the most secure way:
>
> 1. to authenticate myself to my server
>
> 2. to transfer the mail from the server
>
> and which software packages should I focus on installing for the actual
> server and ssl layers ... etc ...

I can't really say which is best, but you have the option of using any of
the available *-imapd-*-ssl packages or any of the regular imap packages
combined with stunnel.

> I'm also curious if I only need to forward the imap and imap-ssl ports or
> if there are any more that I need to worry about. I'm fairly new to imap

I'd say just imap-ssl. Why leave open regular imap? That's like enabling
ssh and leaving telnet open as well. No good will come of that, unless
you're in a trusted environment.

Besides all that, you could even limit imap access to only those with a
shell account and ssh access by only having the imap server listening on
localhost and making users tunnel it through ssh. SSL is cleaner,
especially if you're talking about a server that multiple people will
actually be using (not just one for your own convenience). With ssl, the
windoze clients can access it easily as well.

I use stunnel on my client to access my SSL mail server. I created a
tunnel that listens on localhost pop3 and connects to my mailserver's
pop3s port, and the same for imap (localhost:imap => mailserver:imaps)
and configured any mail agents that are not ssl-aware to just connect to
and do their business with localhost. I have the tunnels set up at boot
with an /etc/init.d/stunnel script I rolled myself. The whole thing is
very clean, and secure enough for me. There's little chance that anyone
will be sniffing my mail password (which, incidentally, is not the same
as my system password).

In answer to your question #2, though, while using ssl will send mail
from the server to your client over an enciphered channel, those same
email messages have already been sent across the Internet in plaintext.
Securing their transfer for the final (usually shortest) leg of their
destination really doesn't gain you anything. If you don't want other
people reading your email, you need a good end-to-end privacy system
like gnupg.

Cheers,

-- 
Vineet
http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\! |tr 'a-zA-Z' 'n-za-mN-ZA-M'
Attachment: pgpWlYiPes9yc.pgp (PGP signature)
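The client-side stunnel setup Vineet describes (localhost:imap => mailserver:imaps, localhost:pop3 => mailserver:pop3s), written out as a worked example. This is added here and is not the author's own /etc/init.d/stunnel script; it assumes stunnel 5 configuration-file syntax and uses the hostname mail.example.org and a CA bundle path as placeholders. It adds the two settings a plain tunnel tends to get wrong: the local listeners are bound to 127.0.0.1 only (otherwise stunnel listens on every interface, and the plaintext side of the tunnel is reachable from the LAN), and the server certificate is verified, since stunnel does no verification by default and an unverified tunnel protects the password only from passive sniffing, not from an active attacker on the path. The check function is the kind of sanity test you would run from the boot script before starting the daemon.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Writes a client-mode stunnel config for:
#   localhost:143 (imap) -> $mailhost:993 (imaps)
#   localhost:110 (pop3) -> $mailhost:995 (pop3s)
# Assumes stunnel 5.x option names (verifyChain, checkHost).
write_stunnel_conf() {
    conf="$1"; mailhost="$2"; cafile="$3"
    cat > "$conf" <<EOF
; client mode: accept plaintext locally, speak TLS to the mail server
client = yes
; drop root once the listening sockets are bound
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel-mail.pid
; verify the server's certificate chain against a trusted CA bundle.
; stunnel's default is NO verification, which leaves the tunnel open
; to a man-in-the-middle on the path to the mail server.
verifyChain = yes
CAfile = $cafile
; also require the certificate to be issued for this hostname
checkHost = $mailhost

[imap]
accept  = 127.0.0.1:143
connect = $mailhost:993

[pop3]
accept  = 127.0.0.1:110
connect = $mailhost:995
EOF
}

# Sanity-check a config for the two silent weaknesses:
#  1. an 'accept' not bound to loopback (plaintext listener on the LAN;
#     'accept = 143' with no address binds to all interfaces)
#  2. certificate verification not enabled
# Returns 0 when the config passes, 1 otherwise.
check_stunnel_conf() {
    conf="$1"
    if grep -E '^[[:space:]]*accept[[:space:]]*=' "$conf" \
        | grep -Ev '=[[:space:]]*(127\.0\.0\.1|\[?::1\]?):' >/dev/null; then
        echo "check: an accept line is not bound to loopback" >&2
        return 1
    fi
    if ! grep -Eq '^[[:space:]]*verifyChain[[:space:]]*=[[:space:]]*yes' "$conf"; then
        echo "check: verifyChain is not enabled" >&2
        return 1
    fi
    return 0
}

# Usage (as root, from the boot script):
#   write_stunnel_conf /etc/stunnel/mail.conf mail.example.org \
#       /etc/ssl/certs/ca-certificates.crt
#   check_stunnel_conf /etc/stunnel/mail.conf && stunnel /etc/stunnel/mail.conf
```

After starting it, confirm the plaintext side is only on loopback (`ss -ltn` or `netstat -ltn` should show 127.0.0.1:143 and 127.0.0.1:110, nothing on 0.0.0.0) and look at the certificate the server actually presents with `openssl s_client -connect mail.example.org:993`; if it is self-signed, point CAfile at that certificate rather than at the system bundle. On stunnel 4 the equivalent of verifyChain is `verify = 2` with the same CAfile, and checkHost is not available. On the firewall this setup needs only 993 (and 995 if you tunnel pop3) forwarded to the internal box, which matches the advice above to leave plain imap closed.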