imap - openSUSE Security - openSUSE Mailing Lists

imap

older
harden_sues and SSH

Patrick Mairif

14 Feb 2002 14 Feb '02

13:11

Hello, from /etc/inetd.conf: # Imapd - Interactive Mail Access Protocol server # Attention: This service is very insecure # imap stream tcp nowait root /usr/sbin/tcpd imapd What does this mean? Why is it insecure? Is there a secure way to run an imap-server? patrick!

Attachments:

attachment.sig (application/pgp-signature — 240 bytes)

Reply

Sign in to reply online Use email software

Show replies by date

Christopher John Shaker

14 Feb 14 Feb

19:42

New subject: [suse-security] imap

Patrick: The standard IMAPD is unsecure in a lot of ways. For one thing, you'll want to use a more secure authentication method, which doesn't put your user name and password on the net in plain text. Probably, you'll also want to use SSL or TLS to encrypt your imap connection. I use the Courier IMAPd, with Maildir support, with SSL protection configured. See: http://www.inter7.com/courierimap/. See also http://www.courier-mta.org/. Postfix, which SuSE supports directly, is easily configured to use Maildir instead of mbox. Qmail also supports Maildir directly. There is a lot of good information available from the qmail web site: http://qmail.valueclick.com/top.html#addons Chris Shaker ----- Original Message -----

From: "Patrick Mairif" To: Sent: Thursday, February 14, 2002 5:11 AM Subject: [suse-security] imap

Hello,

from /etc/inetd.conf: # Imapd - Interactive Mail Access Protocol server # Attention: This service is very insecure # imap stream tcp nowait root /usr/sbin/tcpd imapd

What does this mean? Why is it insecure? Is there a secure way to run an imap-server?

patrick!

Reply

Sign in to reply online Use email software

Michael Salmon

15 Feb 15 Feb

07:21

New subject: [suse-security] imap

On Thursday, February 14, 2002 11:42:33 AM -0800 Christopher John Shaker wrote: +------ | Patrick: | | The standard IMAPD is unsecure in a lot of ways. For one thing, | you'll want to use a more secure authentication method, which | doesn't put your user name and password on the net in plain text. | Probably, you'll also want to use SSL or TLS to encrypt your | imap connection. | | I use the Courier IMAPd, with Maildir support, with SSL | protection configured. See: http://www.inter7.com/courierimap/. | See also http://www.courier-mta.org/. Postfix, which SuSE | supports directly, is easily configured to use Maildir instead of | mbox. Qmail also supports Maildir directly. | | There is a lot of good information available from the qmail | web site: http://qmail.valueclick.com/top.html#addons [...] +-----X8 I personally was unaware that there was a standard IMAPD. If you mean UW IMAPD then I have to agree that it has had problems, cyrus imapd (also on the SuSE CD's) on the otherhand has not had a problem that I can recall. The latest versions support SASL and TLS, although you can always use stunnel. /Michael -- This space intentionally left non-blank.

Reply

Sign in to reply online Use email software

Michael Appeldorn

07:47

New subject: [suse-security] imap

I personally was unaware that there was a standard IMAPD. If you mean UW IMAPD then I have to agree that it has had problems, cyrus imapd (also on the SuSE CD's) on the otherhand has not had a problem that I can recall.

But me - so we had on http://www.suse.com/en/support/download/updates/72_i386.html 07 Jan 2002 cyrus-sasl 1.5.24 184 kB sec1 cyrus-sasl-1.5.24-184.src.rpm Security Update! 10 Dec 2001 cyrus-imapd 2.0.16 1716 kB n2 cyrus-imapd-2.0.16-115.src.rpm Security Update! May be all fixed now - may be not :O)_ Michael Appeldorn

Reply

Sign in to reply online Use email software

Christopher John Shaker

10:12

New subject: [suse-security] imap

Michael: Yes, I was referring to UW Imapd as the 'standard' imapd. Yes, stunnel works fine, too, with Outlook Express clients. I used to use that with UW Imapd. I had tried using Cyrus imapd at one point, and was having authentication problems. Found Courier imapd to be easy to build, install, configure, and use with SSL, with Netscape and Outlook Express clients. Chris Shaker

I personally was unaware that there was a standard IMAPD. If you mean UW IMAPD then I have to agree that it has had problems, cyrus imapd (also on the SuSE CD's) on the otherhand has not had a problem that I can recall. The latest versions support SASL and TLS, although you can always use stunnel.

/Michael

Reply

Sign in to reply online Use email software

Patrick Mairif

18 Feb 18 Feb

11:17

New subject: [suse-security] imap

thank you all, for the information! I just downloaded the cyrus-imapd-2.0.16-115 and found the following description of the package: Description: As a result of a wrong patch applied by SuSE, it is possible to login as anonymous user even if anonymous login is switched off. What does this mean? As a description of the package I would believe that the downloaded package is buggy! Or does it mean that this package fixes this error?

Reply

Sign in to reply online Use email software

Michael Stern

13:11

New subject: [suse-security] imap

download and install it. then connect to your imap server and login anonymously by typing telnet 127.0.0.1 143 x login anonymous some@e.mail x logout if the server responds with "x OK ..." the package is buggy and you better get it off your computer or start blocking port 143 from the net. kind regards, michael

Reply

Sign in to reply online Use email software

Christopher John Shaker

14 Feb 14 Feb

19:42

New subject: [suse-security] imap

Patrick: The standard IMAPD is unsecure in a lot of ways. For one thing, you'll want to use a more secure authentication method, which doesn't put your user name and password on the net in plain text. Probably, you'll also want to use SSL or TLS to encrypt your imap connection. I use the Courier IMAPd, with Maildir support, with SSL protection configured. See: http://www.inter7.com/courierimap/. See also http://www.courier-mta.org/. Postfix, which SuSE supports directly, is easily configured to use Maildir instead of mbox. Qmail also supports Maildir directly. There is a lot of good information available from the qmail web site: http://qmail.valueclick.com/top.html#addons Chris Shaker ----- Original Message -----

From: "Patrick Mairif" To: Sent: Thursday, February 14, 2002 5:11 AM Subject: [suse-security] imap

Hello,

from /etc/inetd.conf: # Imapd - Interactive Mail Access Protocol server # Attention: This service is very insecure # imap stream tcp nowait root /usr/sbin/tcpd imapd

What does this mean? Why is it insecure? Is there a secure way to run an imap-server?

patrick!

Reply

Sign in to reply online Use email software

8105

Age (days ago)

8109

Last active (days ago)

Download

7 comments

5 participants

tags

participants (5)

Christopher John Shaker
Michael Appeldorn
Michael Salmon
Michael Stern
Patrick Mairif