thoughts on running an IMAP-over-SSL server exposed to the Internet?

Zachariah Mully zmully at
Fri Mar 27 09:46:08 EDT 2009

On Thu, 2009-03-26 at 16:59 -0700, Florin Andrei wrote:
> I want to read my email on the iPhone. To do that, I have 2 options:
> 1. VPN
> 2. IMAP-over-SSL
> #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but 
> the iPhone doesn't have an OpenVPN client. Running *two* VPN networks 
> seems excessive for a small personal server - not that the machine 
> cannot handle it, but it just feels too complicated for the task at hand.
> #2 would be easy to implement, just poke a hole in the firewall for the 
> imaps port. But then there's the issue of security, of course.
> I am running cyrus-imapd-2.3.7 on CentOS 5.x
> How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the 
> big wild Internet?
> Do you see the SELinux confinement as a must-have in this context, or 
> are you okay with running it without any such MAC protections?

I went to a talk by Dan Kaminsky of this past summer's DNS exploit fame.
If you want to be scared sh*tless about the potential security
vulnerabilities of DNS, read up on his work. SSL does nothing. 

But on the more practical side. What exactly are you worried about?
Someone rooting your machine through IMAP/Cyrus (never seen/heard of
that done with any IMAP server, but please correct me if I'm wrong)?
Getting access to your email? What? 

The biggest security problem I see (daily) is users. I'd love to deploy
two-factor auth, but that's not possible right now.


