thoughts on running an IMAP-over-SSL server exposed to the Internet?
florin at andrei.myip.org
Fri Mar 27 14:06:27 EDT 2009
Zachariah Mully wrote:
> I went to a talk by Dan Kaminsky of this past summer's DNS exploit fame.
> If you want to be scared sh*tless about the potential security
> vulnerabilities of DNS, read up on his work. SSL does nothing.
Well, we're all gonna die of something, aren't we?
There are many attacks out there. You address what you can, do not
address what you cannot, cross your fingers and hope for the best.
> But on the more practical side. What exactly are you worried about?
> Someone rooting your machine through IMAP/Cyrus (never seen/heard of
> that done with any IMAP server, but please correct me if I'm wrong)?
> Getting access to your email? What?
The thing worrying me at this time is some stupid buffer overflow in the
IMAP server code. I have no idea what's the security history of this
server, even though I've been using it for quite a while, because it was
always in tightly controlled environments. Exposing it to the Internet
changes the game.
The reason why I'm not immediately jumping for the VPN solution is that
I already have a VPN in place, just not compatible with the iPhone.
Running two VPNs seems just silly. But maybe it is the right solution.
> The biggest security problem I see (daily) is users.
In this case, there are only a couple users and I'm one of them, so I'm
not worried. (or maybe I should? heh heh)