Date: Tue, 6 Nov 2001 13:41:05 -0500
From: Christopher Sean Hilton <chris@vindaloo.com>
To: Mark Hughes <mh_lists@digitalspy.co.uk>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IMAP server... Is there one?
Message-ID: <20011106134105.A31427@andale.vindaloo.com>
In-Reply-To: <200111061148.fA6Bm5593285@asylum.org>; from dave@asylum.org on Tue, Nov 06, 2001 at 12:03:07PM +0000
References: <Pine.GSO.4.31.0111061044050.17249-100000@mail.ilrt.bris.ac.uk> <Pine.LNX.4.33.0111061056460.10893-100000@www.digitalspy.co.uk> <200111061148.fA6Bm5593285@asylum.org>
On Tue, Nov 06, 2001 at 12:03:07PM +0000, dave wrote:
> If you are that concerned about security then you need to run POP and IMAP
> using encrypted tunneling (ssh, stunnel, sslwrap) or compile them with SSL
> support. I just put a network sniffer on my network and realized why everyone
> kept saying these were very insecure protocols.

This turned out a little longer than I expected. You can skip to the 30,000
foot view but the explanation of the security warning on the imap-uw port:
"Problems with UWash Imapd" will be helpful.

*** How to choose an Imap daemon for *BSD ***

I'd double Dave's warning here and add that you may be able to use imap-uw
if you have a better understanding of its problems.

*** Problems with UWash Imapd ***

IMAP-UW has two problems. First the IMAP protocol is very insecure. The
biggest hole is that the IMAP protocol transmits username and password in
clear text over the network. This makes you vulnerable to sniffers and
affects all IMAP servers. The second problem is that the author of IMAP-UW,
Mark Crispin, has assumed most people who run imap-uw servers also allow
shell access to all of their mail users.

The IMAP protocol insecurity affects you regardless of what IMAP server you
use. To avoid these problems simply provide encrypted pop and imap and don't
provide an unencrypted version of these services. Note well that to do this
requires support of your mail clients.

The shell access problem only affects you if the 8-10 people who will be
getting mail on the box should not have access to the unix shell.
Specifically there were a number of buffer overflows identified in IMAP-UW
which would allow someone to get a shell from the IMAP server _after_ they
had authenticated. Mark Crispin argued that these were not big problems
because after authentication the imapd process assumed the user and group
ids of the username and password given for authentication. Thus, he argued,
the worst thing that could happen was that a user could authenticate and
employ the exploit to get a shell. Crispin erred by assuming that most people
who run imap servers also allowed their imap users to get shells through
telnet or ssh. While this was probably the case when imap-uw was first
written it's probably not true now. Since you say that your users will be
using Pine to read their mail locally it appears that you will be
allowing shell access to all of your mail users. If this is the case then
imap-uw should be okay for your purposes.

*** What I actually run ***

Having said all of that, I agree with your paranoia about IMAP-UW. I have
not personally searched the imap-uw code for exploits which happen before
authentication. An exploit of this type would allow root access to any
remote user so it is very dangerous. You could chroot to prevent this but it
appears that breaking out of a chroot jail once you have root is trivial.

More worrying is Mark Crispin's attitude when the exploits were found. He
said that the damage was limited to what people could do with their shell
accounts anyhow which indicated that he believed that most imap-uw servers
allowed shell access for the entire population of their mail users. You can
read this in any archive of bugtraq. The thread, "response to the bugtraq
report of buffer overruns in imapd LIST command", was written around April
18th, 2000. For that reason I use and recommend Courier imapd. While not a
complete drop in replacement for imap-uw and sendmail it was reasonably
painless to set up courier. Note well that courier uses Maildir format for
mailboxes so you will have to either get Maildir support into sendmail or
use postfix or qmail.

*** 30,000 foot FreeBSD secure imap How-to ***

Choose what you are going to run. If it's okay for users to have shell
accounts and you can trust them to be very careful with their passwords then
imap-uw is probably the simplest thing for you. You will however have to
also install stunnel and find out how to use it to wrap the imap service in
an ssl blanket. There should be information on this on the net.

If on the other hand you don't want to have shell accounts or you are really
paranoid about imap-uw you can run Courier. You will first have to convince
your MTA (sendmail/qmail/postfix) to use maildir format. On a stock FreeBSD
box the easiest way to do this will be to replace sendmail with postfix or
qmail. In my experience replacing sendmail with postfix from the ports
collection so you can use Maildir will take about 2 man-hours. After that
you will have to install and configure courier. You want to do this with SSL
support enabled in both the pop3 and imap daemons. I remember this being
different since the configuration was not well documented so I would
estimate this at 4 ~ 6 man-hours. Finally also note that Pine may not
support Maildir for local mailboxes straight out of the box so you may have
to make the Maildir flavor of pine.

As always, YMMV
--
Chris Hilton chilton-at-vindaloo-dot-com
------------------------------------------------------------------------
"All I was doing was trying to get home from work!"
-- Rosa Parks
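
A check for the advice above not to offer an unencrypted IMAP service, as an added example that is not part of the original message: it reads the capability list a server announces on its plaintext port and reports whether a password could be sent before TLS. The sample lines and host name are constructed; STARTTLS and LOGINDISABLED are the capability names defined in RFC 2595.

```python
import re

# SASL mechanisms that carry the password itself (base64 is not encryption).
CLEARTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}

# Constructed sample lines, as a listener on port 143 might send them.
SAMPLE_OPEN = "* OK [CAPABILITY IMAP4REV1 AUTH=LOGIN] mail.example.org IMAP4rev1 ready"
SAMPLE_PARTIAL = "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"
SAMPLE_HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

def parse_capabilities(line):
    """Capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...] ...'."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()

def audit_plaintext_listener(line):
    """Findings for a listener reached WITHOUT TLS; an empty list means none."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability list found; cannot assess"]
    findings = []
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN accepted before TLS: password crosses the wire in clear text")
    exposed = sorted(caps & CLEARTEXT_SASL)
    if exposed:
        findings.append("cleartext SASL offered before TLS: " + ", ".join(exposed))
    if "STARTTLS" not in caps:
        findings.append("no STARTTLS: clients cannot upgrade this connection")
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN, SAMPLE_PARTIAL, SAMPLE_HARDENED):
        print(sample)
        for finding in audit_plaintext_listener(sample) or ["ok"]:
            print("   ", finding)
```

A service wrapped by stunnel on a separate TLS port is not covered by this check; it only judges what the plaintext listener, if one is still running, will accept.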
