OSEC

From: Aaron Jackson (jacksonnegril.msrce.howard.edu)
Date: Thu Feb 08 2001 - 15:53:45 CST


    I set this up at work (secure imap and pop) for a 7,000 (and growing) user
    email system using stunnel. In my opinion this is the easiest way to do
    this. Thus far, I haven't had any problems with stunnel. The commercial
    pop and imap software is a different story...

    On Thu, 8 Feb 2001, Matthew Weigel wrote:

    > Hi,
    >
    > > Hello -
    > > Can someone please point me to a resource or explain how I can secure
    > > pop/imap service using sshd, port forwarding and/or other alternatives
    > > that can be implemented on obsd system. Here is what I got so far. APOP.
    >
    > This is something I'm currently looking into myself. Most of my
    > experience is with IMAP, so that's what I'll discuss. I'm still
    > something of a newbie with SSL, so if my understanding is incorrect
    > I'm sure someone will correct me posthaste :)
    >
    > Kerberized POP and IMAP are a possibility if you're already using
    > Kerberos, but it's arguable that the time cost of setting up
    > Kerberos is too high. SSL-encrypted traffic has a lower time
    > investment requirement, but it requires getting a signed certificate
    > (or signing your own, which I don't think would stop MitM attacks).
    > OTOH, both clients and servers can be secured via stunnel without
    > any modification of the client.
    >
    > If your primary concern is plaintext authentication information (a
    > problem that Kerberos solves, even if you don't encrypt traffic), the
    > CRAM-MD5 authentication mechanism is a good possibility, although it
    > requires that the IMAP server have a plaintext version of users'
    > passwords available. MitM attacks won't get the password like they
    > can from an stunnel'ed plaintext authentication mechanism, but all
    > of the session activity is perfectly sniffable.
    >
    > I know uw-imapd supports both SSL and CRAM-MD5, and I'm pretty sure
    > that newer versions of Cyrus can support both as well. Both include
    > POP servers that support SSL and APOP as well, I believe. Cyrus, of
    > course, presumes a blackbox mail server, so it is reasonable for it
    > to have plaintext passwords for CRAM-MD5. However, uw-imapd requires
    > the file /etc/cram-md5.pwd to exist to use CRAM-MD5, and this is a
    > big security hole even if its mode is 0400: at least root, and possibly
    > anyone else who has the right to change users' mail passwords for
    > them, can probably get at the list. The uw-imapd distribution does
    > not include any extra utilities to do this opaquely.
    >
    > Questions are welcome off-list; corrections are welcome on-list :)
    > --
    > Matthew Weigel
    > Research Systems Programmer
    > mcweigel+cs.cmu.edu
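The two challenge-response mechanisms the thread compares against SSL, CRAM-MD5 (RFC 2195) and APOP (RFC 1939), shown as a worked exchange with both sides' computations. This is an added example, not code from either poster or from uw-imapd or Cyrus; the host name, the user "alice" and her password are made up, and the in-memory PASSWORDS dict stands in for the server's credential file (the /etc/cram-md5.pwd that Matthew mentions). The last function shows what a passive sniffer holds after the exchange and why that protects the password from disclosure but not from offline guessing.

```python
"""CRAM-MD5 (RFC 2195) and APOP (RFC 1939) as a worked exchange.

Added example for this thread, not code from the original posts.
Host name, user and password below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import os
import time

# Constructed server-side credential store.  Both mechanisms need the
# plaintext password on the server, which is the cost the thread points out.
PASSWORDS = {"alice": "correct horse battery staple"}


def cram_md5_challenge(hostname="mail.example.com"):
    """Server step 1: a fresh, single-use challenge in the RFC 2195 shape
    <random.timestamp@host>."""
    return f"<{os.urandom(8).hex()}.{int(time.time())}@{hostname}>"


def cram_md5_response(user, password, challenge):
    """Client step: HMAC-MD5 keyed with the password over the challenge,
    sent as base64("user hexdigest").  The password never goes on the wire."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def cram_md5_verify(response_b64, challenge, store=PASSWORDS):
    """Server step 2: recompute from the stored plaintext password and compare
    in constant time.  Returns the authenticated user name, or None."""
    try:
        user, digest = base64.b64decode(response_b64, validate=True).decode().split(" ", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    password = store.get(user)
    if password is None:
        return None
    expected = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return user if hmac.compare_digest(expected, digest) else None


def apop_banner(hostname="mail.example.com"):
    """POP3 greeting carrying the APOP timestamp, e.g.
    +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"""
    return f"+OK POP3 server ready <{os.getpid()}.{int(time.time())}@{hostname}>"


def apop_digest(banner, password):
    """Client: MD5 of the greeting's <timestamp> string followed by the shared
    secret (RFC 1939 section 7).  Plain MD5, not HMAC."""
    stamp = banner[banner.index("<"):banner.index(">") + 1]
    return hashlib.md5((stamp + password).encode()).hexdigest()


def apop_verify(banner, user, digest, store=PASSWORDS):
    """Server: same computation with the stored plaintext password."""
    password = store.get(user)
    if password is None:
        return False
    return hmac.compare_digest(apop_digest(banner, password), digest)


def eavesdropper_can_test(challenge, response_b64, candidates):
    """What a passive sniffer holds: the challenge and the response.  That is
    enough to check password guesses offline, so the mechanism keeps the
    password off the wire but does not make a weak password safe.
    Returns the matching candidate, or None."""
    _user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    for guess in candidates:
        if hmac.new(guess.encode(), challenge.encode(), hashlib.md5).hexdigest() == digest:
            return guess
    return None


if __name__ == "__main__":
    chal = cram_md5_challenge()
    resp = cram_md5_response("alice", PASSWORDS["alice"], chal)
    print("CRAM-MD5 authenticated:", cram_md5_verify(resp, chal))
    banner = apop_banner()
    print("APOP authenticated:", apop_verify(banner, "alice", apop_digest(banner, PASSWORDS["alice"])))
    print("sniffer's dictionary hit:", eavesdropper_can_test(chal, resp, ["hunter2", PASSWORDS["alice"]]))
```

The verification functions take the credential store as a parameter so the same code can be checked against the RFC 2195 test vector (user "tim", password "tanstaaftanstaaf"), which is what a practitioner should do before trusting any implementation of these digests.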