Restricting IMAP (143) port just for Squirrelmail?
Jonathan Marsden
jonathan at xc.org
Wed Jun 11 15:45:48 EDT 2003
On 11 Jun 2003, Mark London writes:
> I would like to restrict Cyrus to only allow users to use IMAPS, not
> plain IMAP. However, I was told that would break Squirrelmail,
> unless I opened access to IMAP (port 143) for the node that
> Squirrelmail was running on.
Iptables would probably be the most common way to achieve this sort of
restriction.
> But I'm running XINETD on Redhat, and I've read Cyrus doesn't use
> that. I would need another TCP wrapper program ...
Not really, as others have said already. Either configure cyrus to
use tcp-wrappers, or use iptables to restrict the data flow instead of
a wrapper.
> ..., or is there an easier way to do it?
You could set up Cyrus to only allow IMAPS access, and then use
stunnel on the squirrelmail machine to do the SSL/TLS tunneling for
it. That way, no 'special' permissions would be needed on the cyrus
server at all, from the cyrus perspective squirrelmail would use IMAPS
just like other IMAPS clients. How this would impact performance
(many SSL tunnels being created, when squirrelmail gets busy) is
something you'd need to think about.
Overall, which way (iptables, compiling cyrus to use a wrapper, or
stunnel) is 'easier' depends on what software you are comfortable
with...
Which way is more secure against whatever threats you believe exist is
probably a useful question to ask yourself, too (or else why bother
with IMAPS at all!). If the Squirrelmail to Cyrus traffic can be
sniffed by 'the bad guys', then IMO you need something to protect the
accountname/password information and the email itself from such
snooping, so stunnel on the Squirrelmail box (and 100% IMAPS only on
the Cyrus server) might be appropriate.
Jonathan
--
Jonathan Marsden | Internet: jonathan at xc.org | Making electronic
1252 Judson Street | Phone: +1 (909) 795-3877 | communications work
Redlands, CA 92374 | Fax: +1 (909) 795-0327 | reliably for Christian
USA | http://www.xc.org/jonathan | missions worldwide
More information about the Info-cyrus
mailing list