thoughts on running an IMAP-over-SSL server exposed to the Internet?

Craig White craigwhite at
Thu Mar 26 20:40:32 EDT 2009

On Thu, 2009-03-26 at 16:59 -0700, Florin Andrei wrote:
> I want to read my email on the iPhone. To do that, I have 2 options:
> 1. VPN
> 2. IMAP-over-SSL
> #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but 
> the iPhone doesn't have an OpenVPN client. Running *two* VPN networks 
> seems excessive for a small personal server - not that the machine 
> cannot handle it, but it just feels too complicated for the task at hand.
> #2 would be easy to implement, just poke a hole in the firewall for the 
> imaps port. But then there's the issue of security, of course.
> I am running cyrus-imapd-2.3.7 on CentOS 5.x
> How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the 
> big wild Internet?
> Do you see the SELinux confinement as a must-have in this context, or 
> are you okay with running it without any such MAC protections?

I expect it to be safe because I too have opened IMAPS ports for the
various clients that I have who want to use their iPhones and
Blackberrys, etc.

That also means that I have had to implement SMTP auth so that they can
send e-mail too.

I have faith that these are daemons (cyrus and postfix) that can
withstand attacks, but every port you open is another attack vector on
your system.

