From owner-freebsd-chat@FreeBSD.ORG Fri May 30 16:14:46 2003
Date: Sat, 31 May 2003 00:14:41 +0100
From: Nik Clayton
To: Larry Sica
cc: "Gray, David W"
cc: "'freebsd-chat@freebsd.org'"
Subject: Re: preferred email system
Message-ID: <20030530231441.GD55077@clan.nothing-going-on.org>
In-Reply-To: <94D0A88E-92B8-11D7-87FC-000393A335A2@mac.com>
References: <20030530152423.GE84666@iconoplex.co.uk> <94D0A88E-92B8-11D7-87FC-000393A335A2@mac.com>
User-Agent: Mutt/1.4i
Organization: FreeBSD Project
List-Id: Non technical items related to the community
On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
> >Don't use the IMAP. Configure an MTA and where you can have mail
> >delivered
> >direct. Where it needs to come off a remote mail server, grab a copy of
> >fetchmail and make it do its voodoo. Having an MTA on your local
> >machine
> >for just you is not just luxury - it's why you have Unix. :-)
> >
> 
> You run into one possible problem here. What if your ISP filters the
> port incoming? Then you cannot access it remotely. Plus then you have
> to make sure you keep on top of any possible holes/bugs/spammers. I
> don't like running services out of my house unless I need to, mostly
> because I don't have the time.

The simple solution to this is to firewall off all the ports, and
configure the app (the IMAP daemon, in this case) to only listen on
localhost/127.0.0.1. Then set up SSH port forwarding. I do this, so the
schematic looks something like:

 .---------------------------------.
 | Laptop                          |
 |                                 |
 | .----------------------------.  |
 | | IMAP client                |  |
 | | connects to localhost:7143 |  |
 | `------+---------------------'  |
 |        |                        |
 | .------v---------------------.  |
 | | ssh daemon                 |  |
 | | listens on localhost:7143  |  |
 | | forwards to remote:22      |  |
 | `-----------------+----------'  |
 `------------------]|[------------'
                     |  <-- Untrusted Internet connection
 .------------------]|[------------.
 | Server            |             |
 |                   |             |
 | .-----------------v----------.  |
 | | ssh daemon                 |  |
 | | listens on port 22         |  |
 | | forwards to localhost:143  |  |
 | `------+---------------------'  |
 |        |                        |
 | .------v---------------------.  |
 | | IMAP daemon                |  |
 | | Listens on localhost:143   |  |
 | `----------------------------'  |
 `---------------------------------'

The beauty of this is that it works for any protocol[1], irrespective of
whether or not the protocol has built in security support, or whether or
not you want to go through the hassle of configuring it (e.g., most IMAP
servers speak SSL, but you need to make sure the client and server
interoperate).

It also works pretty much anywhere, as long as you can reach port 22 on
the Internet facing side of your server[2] -- no IPSec to configure, or
other bits to worry about. And it works on any OS that has an SSH port
forwarding app, which, apart from the *nix's, includes things like
Windows, if that's important to you.

With this approach you need precisely one hole in the firewall for
inbound traffic (port 22), and you need to trust exactly one daemon,
sshd. Remote holes in the other daemons (IMAP, etc) don't matter[3],
because the outside world can't get to them to exploit them.

N

[1] OK, sensibly designed protocols only. Things like FTP in non-PASV
    mode don't count...

[2] For example, you'd be surprised how many of those "Internet access
    in your hotel room" services will block ports 80 and 110 until
    you've paid the $20 a day charge, but leave port 22 open...

[3] Or at least, don't matter as much. Obviously, if your IMAP server
    has an exploitable hole that gives the attacker root privs, *and*
    there's an ssh hole such that untrusted users can log in in order
    to then exploit the IMAP hole, all bets are off.
-- 
FreeBSD: The Power to Serve          http://www.freebsd.org/               (__)
FreeBSD Documentation Project        http://www.freebsd.org/docproj/    \\\'',)
                                                                          \/ \ ^
  --- 15B8 3FFC DDB4 34B0 AA5F 94B7 93A8 0764 2C37 E375 ---               .\._/_)
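The tunnel in the schematic above, as an added shell example that is not part of the original mail: it builds the client-side ssh command and checks (from `sockstat -4l` output) that the daemon behind the tunnel is bound to loopback only. The server name, the user name and the sockstat-based check are assumptions, not something the mail describes.

```shell
#!/bin/sh
# Added example, not from the original mail: the laptop-to-server tunnel
# as an ssh command, plus a check that the service behind it listens on
# loopback only. Host and user names are placeholders.

# Build the client-side command. ssh -L binds the local end (7143) to the
# laptop's loopback by default; "127.0.0.1:143" is resolved on the server,
# so the IMAP daemon there never needs an externally reachable socket.
tunnel_cmd() {
    # $1 local port, $2 server, $3 remote service port, $4 remote user
    printf 'ssh -N -L %s:127.0.0.1:%s %s@%s\n' "$1" "$3" "$4" "$2"
}

# Read `sockstat -4l` lines (FreeBSD) on stdin and return 0 only if every
# TCP listener on port $1 is bound to 127.0.0.1; a wildcard or external
# bind (e.g. "*:143") means the firewall is the only thing hiding it.
loopback_only() {
    awk -v port="$1" '
        # columns: USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
        $5 ~ /^tcp/ {
            n = split($6, a, ":")
            if (a[n] == port && a[1] != "127.0.0.1") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

tunnel_cmd 7143 server.example.com 143 nik

# Audit the live listeners when run on a FreeBSD host that has sockstat.
if command -v sockstat >/dev/null 2>&1; then
    if sockstat -4l | loopback_only 143; then
        echo "IMAP daemon is loopback-only"
    else
        echo "WARNING: IMAP daemon is reachable on a non-loopback address" >&2
    fi
fi
```

Run it on the server to confirm the IMAP daemon really is hidden behind sshd rather than merely behind the firewall; the printed command is what you run on the laptop.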