Date: Fri, 30 May 2003 23:04:11 -0400
From: Larry Sica <lomion@mac.com>
To: Nik Clayton <nik@freebsd.org>
Cc: "'freebsd-chat@freebsd.org'" <freebsd-chat@freebsd.org>
Subject: Re: preferred email system
Message-ID: <8DA36D2D-9314-11D7-8F37-000393A335A2@mac.com>
In-Reply-To: <20030530231441.GD55077@clan.nothing-going-on.org>
On Friday, May 30, 2003, at 07:14 PM, Nik Clayton wrote:

> On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
>>> Don't use the IMAP. Configure an MTA and where you can have mail
>>> delivered direct. Where it needs to come off a remote mail server,
>>> grab a copy of fetchmail and make it do its voodoo. Having an MTA on
>>> your local machine for just you is not just luxury - it's why you
>>> have Unix. :-)
>>>
>>
>> You run into one possible problem here. What if your ISP filters the
>> port incoming? Then you cannot access it remotely. Plus then you have
>> to make sure you keep on top of any possible holes/bugs/spammers. I
>> don't like running services out of my house unless I need to, mostly
>> because I don't have the time.
>
> The simple solution to this is to firewall off all the ports, and
> configure the app (the IMAP daemon, in this case) to only listen on
> localhost/127.0.0.1. Then set up SSH port forwarding.
>
> I do this, so the schematic looks something like:
>

Yes, you can do this. It comes down to whether you have the time or will, heh. I have attempted to reduce the systems in my house to as few as possible for various reasons right now. In my case it's easier to just have a hosting provider. What about AUPs? That is the real gotcha, I guess.

> `---------------------------------'
>
> The beauty of this is that it works for any protocol[1], irrespective
> of whether or not the protocol has built in security support, or
> whether or not you want to go through the hassle of configuring it
> (e.g., most IMAP servers speak SSL, but you need to make sure the
> client and server interoperate).
>

Yes, IMAP w/ SSL is nice. I use it where I can. I wish dotmac did it.

> It also works pretty much anywhere, as long as you can reach port 22 on
> the Internet facing side of your server[2] -- no IPSec to configure, or
> other bits to worry about. And it works on any OS that has an SSH port
> forwarding app, which, apart from the *nix's, includes things like
> Windows, if that's important to you.
>

True. This would be trivial from my laptop, a TiBook. SSHAgent is an app that does it for me w/o hassle.

> With this approach you need precisely one hole in the firewall for
> inbound traffic (port 22), and you need to trust exactly one daemon,
> sshd. Remote holes in the other daemons (IMAP, etc) don't matter[3],
> because the outside world can't get to them to exploit them.
>

True. I'd use getmail over fetchmail, though.

> N
>
> [1] OK, sensibly designed protocols only. Things like FTP in non-PASV
> mode don't count...
>

Heh, ok. I agree.

> [2] For example, you'd be surprised how many of those "Internet access
> in your hotel room" services will block ports 80 and 110 until
> you've paid the $20 a day charge, but leave port 22 open...
>

I've never had that; places I've stayed, if they had Ethernet in the room, didn't block ports unless I paid.

> [3] Or at least, don't matter as much. Obviously, if your IMAP server
> has an exploitable hole that gives the attacker root privs, *and*
> there's an ssh hole such that untrusted users can log in in order
> to then exploit the IMAP hole, all bets are off.
>

Well, a cascading vuln is bad. I'd still patch as needed just in case.

--Larry
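The localhost-only IMAP daemon plus SSH port forward that Nik describes, as an added example that is not part of the thread: one function builds the client-side forward, the other checks `sockstat -4l`-style output on the server for an IMAP listener bound to a wildcard address, which would defeat the scheme. The host name, port numbers and the sockstat lines are constructed, not taken from any real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Host, ports and the sockstat
# output below are constructed for illustration.

# Build the client-side ssh command. The server's IMAP daemon listens only
# on 127.0.0.1:143, so the mail client is pointed at localhost:$2 on the
# laptop and ssh carries the session through port 22 to the server.
forward_cmd() {
    user_at_host=$1   # e.g. larry@mail.example.org (constructed)
    local_port=$2     # unprivileged local port the mail client connects to
    # -N: no remote command, just the tunnel
    # -L: forward local_port to 127.0.0.1:143 as seen from the server
    printf 'ssh -N -L %s:127.0.0.1:143 %s\n' "$local_port" "$user_at_host"
}

# Read `sockstat -4l` output on stdin and print any IMAP (143) or IMAPS (993)
# listener bound to the wildcard address. Column 6 is LOCAL ADDRESS, e.g.
# "127.0.0.1:143" (good) or "*:143" (reachable from outside the firewall).
# Empty output means every IMAP listener is confined to localhost.
exposed_imap() {
    awk '$6 ~ /^\*:(143|993)$/ { print }'
}

# Constructed sockstat -4l output for a correctly configured server.
SAMPLE_GOOD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     imapd      600   4  tcp4   127.0.0.1:143         *:*'

# Constructed output for a server where imapd was left listening everywhere.
SAMPLE_BAD='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     imapd      600   4  tcp4   *:143                 *:*'

# Usage on a real server: sockstat -4l | exposed_imap
forward_cmd larry@mail.example.org 1143
printf '%s\n' "$SAMPLE_BAD" | exposed_imap
```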