Re: IMAP- how to protect a server?
jacob carlson (twitch ifsec.com)
Thu, 3 Jun 1999 09:37:42 -0400
- Next message: Adam Shostack: "Re: Firewall RISKS"
- Previous message: Steven M. Bellovin: "Re: Firewall comparison in Data Communications"
- Next in thread: Ge' Weijers: "Re: IMAP- how to protect a server?"
On Jun 01, Aaron D. Turner wrote:
>
> Currently our company uses POP3 for email (yuck) with a box in the DMZ
> proxying traffic to the internal mailserver through a FW-1 box.
>
> Anyways, I'm trying to come up with the best way to deploy an IMAP/SSL
> server to replace POP3.
>
> The thing is that we are trying our best to secure the email
> from would-be unfriendlies, and I'd rather not have the mail folders
> sitting in the DMZ. And of course, I don't want to punch a hole
> through the firewall and put the IMAP server on the internal network.
> NFS between an IMAP server in the DMZ and the mail folder server
> in the Internal net isn't a good idea either.
>
> So what is the 'proper' way of doing this?
I am assuming that you have users that want to be able to get their mail
from the Internet, right? If so then unfortunately the best(?) way to
accomplish this ridiculousness with fw-1 is via either (a) SecuRemote (which
has its own problems I do not want to even address here) or (b) putting the
IMAP server in a secured DMZ and allowing IMAP traffic to pass only after
authenticating to the firewall (using some non-trivial authentication
mechanism, e.g. s/key, SecurID, /etc.). And yes, doing it over SSL is a
Good Idea.
> Also, can anyone recommend a powerful, secure, compliant IMAP server?
I cannot =).
->me
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:59 CDT