OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: IMAP- how to protect a server?

Re: IMAP- how to protect a server?

Carric Dooley (carriccom2usa.com)
Sat, 5 Jun 1999 01:10:42 -0400

I have been watching this thread... and I can't see how SSL protects the
server. That would protect (to a degree) the content of the e-mail and
users passwords to the server, but not the server itself. If you are
talking about the buffer overflows like the ones that seem to keep cropping
up in IMAP servers on Linux, the only real way to keep that server safe is
to keep your daemon at the latest rev, and hope to god you are not the
target when a new exploit for that version is discovered. There is only so
much one can do...

-----Original Message-----
From: chuck <fwwizyerkes.com>
To: Aaron D. Turner <aturnervicinity.com>; Ge' Weijers
<geprogressive-systems.com>
Cc: firewall-wizardsnfr.net <firewall-wizardsnfr.net>
Date: Friday, June 04, 1999 2:58 PM
Subject: Re: IMAP- how to protect a server?

>I should know this, but does Kerberized IMAP encrypt the whole
>connection? I imagine it does, but can someone say for sure?
>
>Given that SSL might be an option (I dunno about the laws regarding
>taking encryption out of the country - even if you brought it in), I'd
>be looking hard at that. Yeah, you might want your IMAP server on an
>protected, isolated DMZ segment given that it will be touched by
>outside and inside traffic.
>
>Somehow, you want the authentication, and ideally the data, encoded.
>
>You might also want a CERT server to give the users certs. The NICE
>thing might be a smart card, but OS's generally don't come with support
>for authentication/certs living on a separate device.
>
>
>So, in short, if not kerberos, IMAP over SSL is a known beast.
>Netscape's IMAP server runs it just fine out of the box. Dunno about
>others. You get CERTs to your remote users, you end up with STelnet
>and, perhaps, SMTP/SSL. Me? I'd still use strong authentication for
>telnet and the like, but I like that the channel is secured and that I
>can revoke privs from a central place.
>
>chuck
>
>PS:
>If you bump into ITAR rules, feel free to write a physical letter to
>your congressman a note that you will have to buy software overseas and
>leave machines and software in your Euro office and wouldn't it be nice
>if you could actually buy from your own country and support the dying
>US encryption industry before it goes the way of TV manufacturing.
>(those of us in the US should likely do this regularly anyhow).
>
>Quoting Aaron D. Turner (aturnervicinity.com):
>>
>> Hmmm... I guess this brings up a good question. How good are the SSL
>> implimentations? My understanding was that SSL was pretty solid.
>> Sure I could give all my users SecurID tokens and SecuRemote to access
>> email, but I'm going to get a lot of phone calls at 3am from pissed
>> off Sales people traveling in Europe who lost it or forgot how to use
>> the dumb thing.
>>
>> Also, putting the IMAP server in a DMZ may protect my other servers
>> and it from them, but it doesn't solve the issue of securing the data
>> on the mail server itself. If the IMAP server has a buffer exploit
>> then I'm kinda hosed no? One person suggested a proxy to protect the
>> server, but then I got to thinking- how does the proxy inspect the
>> content of the packets if they're encrypted? Or does the fact that
>> the connection is encrypted make the buffer exploit moot?
>>
>> The more I think about it the more confused I get. I know some one on
>> the list has actually done this- secure an IMAP server (it's content
>> and the connection between it and the clients). It's not like IMAP is
>> some wacky unused protocol that only runs on Atari 2600's.
>

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:19:00 CDT