thoughts on running an IMAP-over-SSL server exposed to the Internet?

Raymond T. Sundland raymond at sundland.com
Fri Mar 27 14:14:15 EDT 2009


Whenever you open services to the internet, you're taking a chance.  
I've been running Cyrus IMAP open to the Internet for years and have 
never had any issues, but I may have just been lucky.

There are plenty of sources available for looking for the history of 
vulnerabilities for various software packages, including the change log 
for Cyrus.

If you can run selinux to protect it a bit more, why not?
If you can jail/chroot the processes, why not?

Anything you can do to limit the exposure to future problems puts you 
one step ahead of the rest.


Florin Andrei wrote:
> Zachariah Mully wrote:
>   
>> I went to a talk by Dam Kaminsky of this past summers DNS exploit fame.
>> If you want to be scared sh*tless about the potential security
>> vulnerabilities of DNS, read up on his work. SSL does nothing.
>>     
>
> Well, we're all gonna die of something, aren't we?
>
> There are many attacks out there. You address what you can, do not 
> address what you cannot, cross your fingers and hope for the best.
>
>   
>> But on the more practical side. What exactly are you worried about?
>> Someone rooting your machine through IMAP/Cyrus (never seen/heard of
>> that done with any IMAP server, but please correct me if I'm wrong)?
>> Getting access to your email? What?
>>     
>
> The thing worrying me at this time is some stupid buffer overflow in the 
> IMAP server code. I have no idea what's the security history of this 
> server, even though I've been using it for quite a while, because it was 
> always in tightly controlled environments. Exposing it to the Internet 
> changes the game.
>
> The reason why I'm not immediately jumping for the VPN solution is that 
> I already have a VPN in place, just not compatible with the iPhone. 
> Running two VPNs seems just silly. But maybe it is the right solution 
> after all.
>
>   
>> The biggest security problem I see (daily) is users.
>>     
>
> In this case, there are only a couple users and I'm one of them, so I'm 
> not worried. (or maybe I should? heh heh)
>
>   
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.andrew.cmu.edu/pipermail/info-cyrus/attachments/20090327/f5ce8eb6/attachment.html 


More information about the Info-cyrus mailing list