thoughts on running an IMAP-over-SSL server exposed to the Internet?

Florin Andrei florin at
Fri Mar 27 14:06:27 EDT 2009

Zachariah Mully wrote:
> I went to a talk by Dam Kaminsky of this past summers DNS exploit fame.
> If you want to be scared sh*tless about the potential security
> vulnerabilities of DNS, read up on his work. SSL does nothing.

Well, we're all gonna die of something, aren't we?

There are many attacks out there. You address what you can, do not 
address what you cannot, cross your fingers and hope for the best.

> But on the more practical side. What exactly are you worried about?
> Someone rooting your machine through IMAP/Cyrus (never seen/heard of
> that done with any IMAP server, but please correct me if I'm wrong)?
> Getting access to your email? What?

The thing worrying me at this time is some stupid buffer overflow in the 
IMAP server code. I have no idea what's the security history of this 
server, even though I've been using it for quite a while, because it was 
always in tightly controlled environments. Exposing it to the Internet 
changes the game.

The reason why I'm not immediately jumping for the VPN solution is that 
I already have a VPN in place, just not compatible with the iPhone. 
Running two VPNs seems just silly. But maybe it is the right solution 
after all.

> The biggest security problem I see (daily) is users.

In this case, there are only a couple users and I'm one of them, so I'm 
not worried. (or maybe I should? heh heh)

Florin Andrei

More information about the Info-cyrus mailing list