thoughts on running an IMAP-over-SSL server exposed to the Internet?
brong at fastmail.fm
Fri Mar 27 20:01:43 EDT 2009
On Thu, Mar 26, 2009 at 04:59:07PM -0700, Florin Andrei wrote:
> I want to read my email on the iPhone. To do that, I have 2 options:
> 1. VPN
> 2. IMAP-over-SSL
> #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but
> the iPhone doesn't have an OpenVPN client. Running *two* VPN networks
> seems excessive for a small personal server - not that the machine
> cannot handle it, but it just feels too complicated for the task at hand.
> #2 would be easy to implement, just poke a hole in the firewall for the
> imaps port. But then there's the issue of security, of course.
> I am running cyrus-imapd-2.3.7 on CentOS 5.x
> How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the
> big wild Internet?
> Do you see the SELinux confinement as a must-have in this context, or
> are you okay with running it without any such MAC protections?
We don't actually use SSL directly within Cyrus, instead using nginx
with SSL on our frontend servers, proxying to the backends. This is
mainly for load balancing, but it does also mean that the nginx server
can be run with zero privileges for anything else.
It doesn't give any protection from authenticated users (once the login
is finished, the traffic is just directly proxied to the backend), but
it does mean unauthenticated users don't have direct access to the cyrus
If you're paranoid, that might be worth doing!
That said, like everyone else has mentioned - Cyrus has been around for
a long time, and has a good security track record.
More information about the Info-cyrus