
Re: Imap server questions



* Michael Heldebrant (hmike@portalofevil.com) [010910 12:19]:
> 	I'm asking here (not debian-user) because I'm looking to set up an imap
> server behind my firewall which will be port forwarded from the firewall
> to an internal internet unrouteable ip address.  I'd like to know:
> 
> Which is the most secure way:
> 
> 1.  to authenticate myself to my server
> 
> 2.  to transfer the mail from the server
> 
> and which software packages should I focus on installing for the actual
> server and ssl layers ... etc ...

I can't really say which is best, but you have the option of using any
of the available *-imapd-*-ssl packages or any of the regular imap
packages combined with stunnel.

> I'm also curious if I only need to forward the imap and imap-ssl ports or
> if there are any more that I need to worry about.  I'm fairly new to imap

I'd say just imap-ssl. Why leave open regular imap? That's like enabling
ssh and leaving telnet open as well. No good will come of that, unless
you're in a trusted environment.

Besides all that, you could even limit imap access to only those with a
shell account and ssh access by only having the imap server listening on
localhost and making users tunnel it through ssh. SSL is cleaner,
especially if you're talking about a server that multiple people will
actually be using (not just one for your own convenience). With ssl, the
windoze clients can access it easily as well.

I use stunnel on my client to access my SSL mail server. I created a
tunnel that listens on localhost pop3 and connects to my mailserver's
pop3s port, and the same for imap (localhost:imap => mailserver:imaps)
and configured any mail agents that are not ssl-aware to just connect to
and do their business with localhost. I have the tunnels set up at boot
with an /etc/init.d/stunnel script I rolled myself. The whole thing is
very clean, and secure enough for me. There's little chance that anyone
will be sniffing my mail password (which, incidentally, is not the same
as my system password).

In answer to your question #2, though, while using ssl will send
mail from the server to your client over an enciphered channel, those
same email messages have already been sent across the Internet in
plaintext. Securing their transfer for the final (usually shortest) leg
of their destination really doesn't gain you anything. If you don't want
other people reading your email, you need a good end-to-end privacy
system like gnupg.

Cheers,

-- 
Vineet                                   http://www.anti-dmca.org
Unauthorized use of this .sig may constitute violation of US law.
echo Qba\'g gernq ba zr\!             |tr 'a-zA-Z' 'n-za-mN-ZA-M'
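
The client-side tunnels described in the message above (localhost:imap => mailserver:imaps, and the same for pop3), written out as an stunnel client configuration. This is an added example, not part of the original post or the poster's own setup; it assumes the configuration-file syntax of a current stunnel 5 release, and the host name mail.example.org and the CA bundle path are placeholders.

```ini
; Added example: stunnel client configuration (stunnel 5 syntax assumed).
; mail.example.org and the CAfile path are placeholders, not from the post.

; Act as a TLS client: accept plaintext locally, speak TLS to the server.
client = yes

; Service-level options set here, before the first [section], become
; defaults for every service below.
; Validate the server's certificate chain against this CA bundle...
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
; ...and require the certificate to be issued for this host name.
checkHost = mail.example.org

[imap]
; Bind to loopback only, so the plaintext side never leaves this machine.
; Ports below 1024 require stunnel to be started with root privileges.
accept = 127.0.0.1:143
connect = mail.example.org:993

[pop3]
accept = 127.0.0.1:110
connect = mail.example.org:995
```

Without the verifyChain and checkHost lines the tunnel still encrypts, but stunnel in client mode does not verify the server certificate by default, so the mail password could be handed to an impostor server.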
