Hello,

from /etc/inetd.conf:

# Imapd - Interactive Mail Access Protocol server
# Attention: This service is very insecure
# imap stream tcp nowait root /usr/sbin/tcpd imapd

What does this mean? Why is it insecure? Is there a secure way to run an imap-server?

patrick!

Patrick:

The standard IMAPD is unsecure in a lot of ways. For one thing, you'll want to use a more secure authentication method, which doesn't put your user name and password on the net in plain text. Probably, you'll also want to use SSL or TLS to encrypt your imap connection.

I use the Courier IMAPd, with Maildir support, with SSL protection configured. See: http://www.inter7.com/courierimap/. See also http://www.courier-mta.org/.

Postfix, which SuSE supports directly, is easily configured to use Maildir instead of mbox. Qmail also supports Maildir directly. There is a lot of good information available from the qmail web site: http://qmail.valueclick.com/top.html#addons

Chris Shaker

----- Original Message -----
From: "Patrick Mairif"
To:
Sent: Thursday, February 14, 2002 5:11 AM
Subject: [suse-security] imap

Hello,

from /etc/inetd.conf:

# Imapd - Interactive Mail Access Protocol server
# Attention: This service is very insecure
# imap stream tcp nowait root /usr/sbin/tcpd imapd

What does this mean? Why is it insecure? Is there a secure way to run an imap-server?

patrick!

On Thursday, February 14, 2002 11:42:33 AM -0800 Christopher John Shaker
I personally was unaware that there was a standard IMAPD. If you mean UW IMAPD then I have to agree that it has had problems, cyrus imapd (also on the SuSE CDs) on the other hand has not had a problem that I can recall.

But me - so we had on http://www.suse.com/en/support/download/updates/72_i386.html

07 Jan 2002 cyrus-sasl 1.5.24 184 kB sec1 cyrus-sasl-1.5.24-184.src.rpm Security Update!
10 Dec 2001 cyrus-imapd 2.0.16 1716 kB n2 cyrus-imapd-2.0.16-115.src.rpm Security Update!

May be all fixed now - may be not :O)_

Michael Appeldorn

Michael:

Yes, I was referring to UW Imapd as the 'standard' imapd.

Yes, stunnel works fine, too, with Outlook Express clients. I used to use that with UW Imapd.

I had tried using Cyrus imapd at one point, and was having authentication problems. Found Courier imapd to be easy to build, install, configure, and use with SSL, with Netscape and Outlook Express clients.

Chris Shaker

I personally was unaware that there was a standard IMAPD. If you mean UW IMAPD then I have to agree that it has had problems, cyrus imapd (also on the SuSE CDs) on the other hand has not had a problem that I can recall. The latest versions support SASL and TLS, although you can always use stunnel.

/Michael

thank you all, for the information!

I just downloaded the cyrus-imapd-2.0.16-115 and found the following description of the package:

Description: As a result of a wrong patch applied by SuSE, it is possible to login as anonymous user even if anonymous login is switched off.

What does this mean? As a description of the package I would believe that the downloaded package is buggy! Or does it mean that this package fixes this error?

download and install it. then connect to your imap server and login anonymously by typing

telnet 127.0.0.1 143
x login anonymous some@e.mail
x logout

if the server responds with "x OK ..." the package is buggy and you better get it off your computer or start blocking port 143 from the net.

kind regards,
michael
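
The check michael describes above, scripted so it can be repeated after each package update. This is an added example, not part of the original thread: the function names and the two sample transcripts are constructed, and the probe is meant to be pointed at your own server.

```python
import socket

# Constructed sample transcripts (not captured from a real server).
SAMPLE_BUGGY = "* OK imap.example.test server ready\r\nx OK User logged in\r\n"
SAMPLE_FIXED = "* OK imap.example.test server ready\r\nx NO Login failed\r\n"


def tagged_status(transcript, tag="x"):
    """Return OK, NO or BAD from the completion line for `tag`, else None.

    Untagged lines such as the '* OK' greeting are skipped, so a friendly
    greeting is never mistaken for a successful login.
    """
    for line in transcript.splitlines():
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[0] == tag and parts[1].upper() in ("OK", "NO", "BAD"):
            return parts[1].upper()
    return None


def anonymous_login_accepted(transcript, tag="x"):
    """True only when the server answered the tagged LOGIN with OK."""
    return tagged_status(transcript, tag) == "OK"


def probe(host="127.0.0.1", port=143, timeout=5.0):
    """Send the thread's login line to your own server; return the transcript."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        lines = [stream.readline().decode("ascii", "replace")]  # greeting
        stream.write(b"x login anonymous some@e.mail\r\n")
        stream.flush()
        while True:
            line = stream.readline().decode("ascii", "replace")
            if not line:
                break  # server closed the connection
            lines.append(line)
            if line.startswith("x "):
                break  # tagged completion of LOGIN
        stream.write(b"x logout\r\n")
        stream.flush()
    return "".join(lines)


if __name__ == "__main__":
    try:
        accepted = anonymous_login_accepted(probe())
        print("anonymous login ACCEPTED" if accepted else "anonymous login refused")
    except OSError as exc:
        print("could not reach the IMAP server:", exc)
```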

participants (5)
- Christopher John Shaker
- Michael Appeldorn
- Michael Salmon
- Michael Stern
- Patrick Mairif