Re: [suse-security] Secure IMAP-Server
At 12:57 15.09.00, Bob Vickers wrote:
Dear Jose,
If you use stunnel you can turn any IMAP server into a secure one. You run it on your server, it listens on the secure IMAP port and unencrypts the data before passing it to the ordinary insecure IMAP server.
Thanks a lot!! I've installed it, and it seems to work fine. Now I just have two beginner's questions:
1. Tunneling through SSL means encrypting _everything_, including the authentication process (no plain text passwords flying through the net)?
2. Is it still possible to exploit a security bug of our IMAP server having the imap port closed to outside?
I think the answers will be for 1. yes, and for 2. no, but want to be sure :))
Thanks again!
JLT
Thanks a lot!! I've installed it, and it seems to work fine. Now I just have two beginner's questions:
1. Tunneling through SSL means encrypting _everything_, including the authentication process (no plain text passwords flying through the net)?
SSL "wraps" the tcp connection. The endpoints actually don't know of the underlying cryptographical connection (as long as they don't query their sockets). They just rely on it. The answer is yes.
2. Is it still possible to exploit a security bug of our IMAP server having the imap port closed to outside?
Yes, if you can connect through the ssl tunnel/port.
I think the answers will be for 1. yes, and for 2. no, but want to be sure :))
Thanks again!
You're welcome.
JLT
Thanks,
Roman.
--
Roman Drahtmüller
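The setup Bob and Roman describe above, written as a stunnel configuration file. This is an added example, not part of the original thread: the file syntax is that of stunnel 4 and later, and the file paths, the account name and the loopback backend address are assumptions.

```ini
; /etc/stunnel/stunnel.conf (assumed path)

; Drop root privileges once the listening port is bound.
; "stunnel" is an assumed unprivileged account and group.
setuid = stunnel
setgid = stunnel

[imaps]
; TLS listener on the secure IMAP port, reachable from outside.
accept = 993

; The decrypted stream is passed to the ordinary IMAP server.
; Using loopback here only helps if port 143 itself is not reachable
; from outside (packet filter, or imapd listening on 127.0.0.1 only).
connect = 127.0.0.1:143

; Server certificate and private key in one PEM file (assumed path).
cert = /etc/stunnel/imapd.pem

; What the wrapper changes, per the two answers above:
;  1. Login and mail data cross the network encrypted, so no plain-text
;     passwords are visible on the wire.
;  2. Every byte a client sends still reaches imapd after decryption, so
;     a bug in imapd is as reachable through 993 as it was through 143.
;     Keeping imapd patched is still required.
```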
At 17:14 15.09.00, Roman Drahtmueller wrote:
SSL "wraps" the tcp connection. The endpoints actually don't know of the underlying cryptographical connection (as long as they don't query their sockets). They just rely on it. The answer is yes.
2. Is it still possible to exploit a security bug of our IMAP server having the imap port closed to outside?
Yes, if you can connect through the ssl tunnel/port.
Ok, thanks again. Going back to my initial question about security issues of IMAP servers... I can remember having read at some point in the past a comment like "this service is very insecure!" above the imapd line in the inetd.conf of a SuSE-Linux installation. Is this still true? Has the standard imapd you ship with SuSE-Linux been developed with security in mind?
Sorry, last question :)
JLT
jose ... if you have a look at www.cert.org and do a search on imap you'll find the specific advisories on the issues with imap.
-- michael
On Fri, 15 Sep 2000, José Luis Tinoco wrote:
Ok, thanks again. Going back to my initial question about security issues of IMAP servers... I can remember having read at some point in the past a comment like "this service is very insecure!" above the imapd line in the inetd.conf of a SuSE-Linux installation. Is this still true? Has the standard imapd you ship with SuSE-Linux been developed with security in mind?
Sorry, last question :) JLT
On Fri, 15 Sep 2000, José Luis Tinoco wrote:
Ok, thanks again. Going back to my initial question about security issues of IMAP servers... I can remember having read at some point in the past a comment like "this service is very insecure!" above the imapd line in the inetd.conf of a SuSE-Linux installation. Is this still true? Has the standard imapd you ship with SuSE-Linux been developed with security in mind?
Well, the UW IMAP has/had a very poor "reputation" from the security point-of-view. AFAIK we use Cyrus IMAP for our SuSE eMail Server.
best regards,
Rainer Link
--
Rainer Link, SuSE GmbH, eMail: link@suse.de, Web: www.suse.de
Developer of A Mail Virus Scanner (AMaViS): http://amavis.org/
Founder of Linux AntiVirus Project: http://lavp.sourceforge.net/
participants (4)
- José Luis Tinoco
- Michael Galloway
- Rainer Link
- Roman Drahtmueller