thoughts on running an IMAP-over-SSL server exposed to the Internet?

Craig White craigwhite at azapple.com
Thu Mar 26 20:40:32 EDT 2009


On Thu, 2009-03-26 at 16:59 -0700, Florin Andrei wrote:
> I want to read my email on the iPhone. To do that, I have 2 options:
> 1. VPN
> 2. IMAP-over-SSL
> 
> #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but 
> the iPhone doesn't have an OpenVPN client. Running *two* VPN networks 
> seems excessive for a small personal server - not that the machine 
> cannot handle it, but it just feels too complicated for the task at hand.
> 
> #2 would be easy to implement, just poke a hole in the firewall for the 
> imaps port. But then there's the issue of security, of course.
> 
> I am running cyrus-imapd-2.3.7 on CentOS 5.x
> 
> How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the 
> big wild Internet?
> Do you see the SELinux confinement as a must-have in this context, or 
> are you okay with running it without any such MAC protections?
----
I expect it to be safe because I too have opened IMAPS ports for the
various clients that I have who want to use their iPhones and
Blackberrys, etc.

That also means that I have had to implement SMTP auth so that they can
send e-mail too.

I have faith that these are daemons (cyrus and postfix) that can
withstand attacks but every port you open is another attack vector on
your system.

Craig
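
The point above that every open port is another attack vector can be checked against the Cyrus configuration itself. The following is an added example, not part of the original thread: it parses the SERVICES section of a cyrus.conf and lists every service that listens beyond loopback on a port other than imaps. The sample configuration is constructed, and the function names and the allowed-port set are assumptions.

```python
import re

# Constructed sample in cyrus.conf syntax (not taken from the thread).
SAMPLE_CYRUS_CONF = '''
START {
  recover   cmd="ctl_cyrusdb -r"
}
SERVICES {
  # plaintext IMAP on all interfaces
  imap      cmd="imapd"     listen="imap"            prefork=5
  imaps     cmd="imapd -s"  listen="imaps"           prefork=1
  pop3      cmd="pop3d"     listen="127.0.0.1:pop3"  prefork=0
  sieve     cmd="timsieved" listen="sieve"           prefork=0
  lmtpunix  cmd="lmtpd"     listen="/var/lib/imap/socket/lmtp" prefork=1
}
'''

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ALLOWED_PORTS = {"imaps", "993"}  # assumption: only IMAP-over-SSL may face the Internet

def services(conf_text):
    """Yield (name, listen) for each entry of the SERVICES { } section."""
    block = re.search(r"^SERVICES\s*\{(.*?)^\s*\}", conf_text, re.S | re.M)
    for line in (block.group(1).splitlines() if block else []):
        entry = re.match(r'(\S+)\s+.*?\blisten="([^"]+)"', line.split("#", 1)[0].strip())
        if entry:
            yield entry.group(1), entry.group(2)

def split_listen(listen):
    """Return (host, port); host is '' for all interfaces, None for a UNIX socket."""
    if listen.startswith("/"):
        return None, None
    if listen.startswith("["):                      # [ipv6]:port
        host, _, port = listen[1:].partition("]:")
        return host, port
    host, sep, port = listen.rpartition(":")        # host:port or bare port
    return (host, port) if sep else ("", listen)

def audit(conf_text, allowed_ports=ALLOWED_PORTS):
    """List (name, listen) for services reachable beyond loopback on a non-allowed port."""
    findings = []
    for name, listen in services(conf_text):
        host, port = split_listen(listen)
        if host is not None and host not in LOOPBACK and port not in allowed_ports:
            findings.append((name, listen))
    return findings

if __name__ == "__main__":
    for name, listen in audit(SAMPLE_CYRUS_CONF):
        print(f"exposed beyond loopback: {name} (listen={listen})")
```

A listener this flags is only reachable from the Internet if the firewall also passes its port, so the result is a list of candidates to bind to localhost or remove, not proof of exposure.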


