From: Christopher Sean Hilton
To: Mark Hughes
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 6 Nov 2001 13:41:05 -0500
Subject: Re: IMAP server... Is there one?
Message-ID: <20011106134105.A31427@andale.vindaloo.com>
In-Reply-To: <200111061148.fA6Bm5593285@asylum.org>

On Tue, Nov 06, 2001 at 12:03:07PM +0000, dave wrote:

> If you are that concerned about security then you need to run POP and IMAP
> using encrypted tunneling (ssh, stunnel, sslwrap) or compile them with SSL
> support. I just put a network sniffer on my network and realized why everyone
> kept saying these were very insecure protocols.

This turned out a little longer than I expected. You can skip to the 30,000 foot view, but the explanation of the security warning on the imap-uw port, "Problems with UWash Imapd", will be helpful.
*** How to choose an IMAP daemon for *BSD ***

I'd double Dave's warning here and add that you may be able to use imap-uw if you have a better understanding of its problems.

*** Problems with UWash Imapd ***

IMAP-UW has two problems. First, the IMAP protocol is very insecure. The biggest hole is that the IMAP protocol transmits username and password in clear text over the network. This makes you vulnerable to sniffers and affects all IMAP servers. The second problem is that the author of IMAP-UW, Mark Crispin, has assumed that most people who run imap-uw servers also allow shell access to all of their mail users.

The IMAP protocol insecurity affects you regardless of what IMAP server you use. To avoid these problems, simply provide encrypted pop and imap and don't provide an unencrypted version of these services. Note well that doing this requires support from your mail clients.

The shell access problem only affects you if the 8-10 people who will be getting mail on the box should not have access to the unix shell. Specifically, there were a number of buffer overflows identified in IMAP-UW which would allow someone to get a shell from the IMAP server _after_ they had authenticated. Mark Crispin argued that these were not big problems because, after authentication, the imapd process assumed the user and group ids of the username and password given for authentication. Thus, he argued, the worst thing that could happen was that a user could authenticate and employ the exploit to get a shell. Crispin erred by assuming that most people who run imap servers also allowed their imap users to get shells through telnet or ssh. While this was probably the case when imap-uw was first written, it's probably not true now.

Since you say that your users will be using Pine to read their mail locally, it appears that you will be allowing shell access to all of your mail users. If this is the case then imap-uw should be okay for your purposes.

*** What I actually run ***

Having said all of that, I agree with your paranoia about IMAP-UW. I have not personally searched the imap-uw code for exploits which happen before authentication. An exploit of this type would allow root access to any remote user, so it is very dangerous. You could chroot to prevent this, but it appears that breaking out of a chroot jail once you have root is trivial.

More worrying is Mark Crispin's attitude when the exploits were found. He said that the damage was limited to what people could do with their shell accounts anyhow, which indicated that he believed that most imap-uw sites allowed shell access for their entire population of mail users. You can read this in any archive of bugtraq. The thread, "response to the bugtraq report of buffer overruns in imapd LIST command", was written around April 18th, 2000.

For that reason I use and recommend Courier imapd. While not a complete drop-in replacement for imap-uw and sendmail, it was reasonably painless to set up courier. Note well that courier uses Maildir format for mailboxes, so you will have to either get Maildir support into sendmail or use postfix or qmail.

*** 30,000 foot FreeBSD secure imap How-to ***

Choose what you are going to run. If it's okay for users to have shell accounts and you can trust them to be very careful with their passwords, then imap-uw is probably the simplest thing for you. You will however also have to install stunnel and find out how to use it to wrap the imap service in an ssl blanket. There should be information on this on the net.

If, on the other hand, you don't want to have shell accounts or you are really paranoid about imap-uw, you can run Courier. You will first have to convince your MTA (sendmail/qmail/postfix) to use maildir format. On a stock FreeBSD box the easiest way to do this will be to replace sendmail with postfix or qmail.

In my experience, replacing sendmail with postfix from the ports collection so you can use Maildir will take about 2 man-hours. After that you will have to install and configure courier. You want to do this with SSL support enabled in both the pop3 and imap daemons. I remember this being difficult since the configuration was not well documented, so I would estimate this at 4 ~ 6 man-hours. Finally, also note that Pine may not support Maildir for local mailboxes straight out of the box, so you may have to make the Maildir flavor of pine.

As always, YMMV

-- 
Chris Hilton                                chilton-at-vindaloo-dot-com
------------------------------------------------------------------------
     "All I was doing was trying to get home from work!" -- Rosa Parks
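The "ssl blanket" step above is left to "information on the net". The following stunnel configuration is an added example, not part of the original post and not from the imap-uw or stunnel projects; it assumes the stunnel 4.x config-file syntax (the stunnel 3.x of 2001 took the same settings as command-line flags instead), and the paths, user and group names are placeholders. It wraps the plain-text imapd on 143 and the pop3 daemon on 110 in TLS listeners on the standard imaps/pop3s ports, drops root after binding, and chroots the daemon.

```ini
; Hypothetical path: /usr/local/etc/stunnel/stunnel.conf (stunnel 4.x syntax)
; Server-side TLS wrapper for plain-text IMAP and POP3.
; Only the 993/995 listeners face the network; the plain-text daemons
; are reached over loopback only.

; server certificate and private key, PEM, concatenated (assumed path)
cert   = /usr/local/etc/stunnel/stunnel.pem

; drop privileges once the listening sockets are bound (assumed user/group)
setuid = stunnel
setgid = stunnel

; confine the daemon; the pid path is relative to the chroot directory
chroot = /var/run/stunnel
pid    = /stunnel.pid

; refuse the protocol versions known to be broken
options = NO_SSLv2
options = NO_SSLv3

[imaps]
accept  = 993
connect = 127.0.0.1:143

[pop3s]
accept  = 995
connect = 127.0.0.1:110
```

Two things make or break this setup. First, the plain-text services must not be reachable from the network at all, otherwise a client that is simply pointed at port 143 still sends the password in the clear: bind them to the loopback address in inetd.conf (FreeBSD's inetd accepts a `127.0.0.1:imap4` form in the service field) or block 143 and 110 at the firewall. Second, as the post notes, the clients have to cooperate: they must be configured for IMAPS on 993 and POP3S on 995, and the certificate should be one they can verify, or the tunnel is only protecting against passive sniffing.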