preferred email system
Larry Sica
lomion at mac.com
Fri May 30 20:05:10 PDT 2003
On Friday, May 30, 2003, at 07:14 PM, Nik Clayton wrote:
> On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
>>> Don't use the IMAP. Configure an MTA and where you can have mail
>>> delivered direct. Where it needs to come off a remote mail server,
>>> grab a copy of fetchmail and make it do its voodoo. Having an MTA on
>>> your local machine for just you is not just luxury - it's why you have
>>> Unix. :-)
>>>
>>
>> You run into one possible problem here. What if your ISP filters the
>> port incoming? Then you cannot access it remotely. Plus then you have
>> to make sure you keep on top of any possible holes/bugs/spammers. I
>> don't like running services out of my house unless I need to, mostly
>> because I don't have the time.
>
> The simple solution to this is to firewall off all the ports, and
> configure the app (the IMAP daemon, in this case) to only listen on
> localhost/127.0.0.1. Then set up SSH port forwarding.
>
> I do this, so the schematic looks something like:
>
Yes, you can do this. It comes down to whether you have the time or will,
heh. I have attempted to reduce the systems in my house to as few as
possible for various reasons right now. In my case it's easier to just
have a hosting provider.
What about AUPs? That is the real gotcha, I guess.
> The beauty of this is that it works for any protocol[1], irrespective of
> whether or not the protocol has built in security support, or whether or
> not you want to go through the hassle of configuring it (e.g., most IMAP
> servers speak SSL, but you need to make sure the client and server
> interoperate).
>
Yes, IMAP w/ SSL is nice. I use it where I can. I wish dotmac did it.
> It also works pretty much anywhere, as long as you can reach port 22 on
> the Internet facing side of your server[2] -- no IPSec to configure, or
> other bits to worry about. And it works on any OS that has an SSH port
> forwarding app, which, apart from the *nix's, includes things like
> Windows, if that's important to you.
>
True. This would be trivial from my laptop, a TiBook. SSHAgent is an
app that does it for me w/o hassle.
> With this approach you need precisely one hole in the firewall for
> inbound traffic (port 22), and you need to trust exactly one daemon,
> sshd. Remote holes in the other daemons (IMAP, etc) don't matter[3],
> because the outside world can't get to them to exploit them.
>
True. I'd use getmail over fetchmail, though.
> N
>
> [1] OK, sensibly designed protocols only. Things like FTP in non-PASV
> mode don't count...
>
Heh, OK. I agree.
> [2] For example, you'd be surprised how many of those "Internet access
> in your hotel room" services will block ports 80 and 110 until
> you've paid the $20 a day charge, but leave port 22 open...
>
I've never had that; places I've stayed, if they had ethernet in the
room, didn't block ports unless I paid.
> [3] Or at least, don't matter as much. Obviously, if your IMAP server
> has an exploitable hole that gives the attacker root privs, *and*
> there's an ssh hole such that untrusted users can log in in order
> to then exploit the IMAP hole, all bets are off.
>
Well, a cascading vuln is bad. I'd still patch as needed just in case.
--Larry
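An added example, not from either poster, of the check Nik's layout implies: confirm that sshd on port 22 is the only daemon reachable from outside and everything else (IMAP, fetchmail's listener) is bound to loopback. It assumes a FreeBSD-style `sockstat -4l` listing; the listing and the hostname in the ssh line are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample in the shape of `sockstat -4l` on FreeBSD: one
# sshd on the wildcard address, an IMAP daemon correctly bound to
# loopback, a second IMAP listener wrongly exposed on all interfaces,
# and a local helper port.
SAMPLE_LISTING='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     imapd      600   3  tcp4   127.0.0.1:143         *:*
root     imapd      601   3  tcp4   *:993                 *:*
larry    fetchmail  700   5  tcp4   127.0.0.1:4000        *:*'

# Print "COMMAND LOCAL_ADDRESS" for every listener that is neither bound
# to 127.0.0.1 nor the single allowed hole, sshd on port 22.  Anything
# printed is a daemon the outside world could reach directly, which is
# exactly what the SSH-forwarding layout is meant to prevent.
exposed_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # skip the header line
        {
            split($6, a, ":"); host = a[1]; port = a[2]
            if (host == "127.0.0.1") next         # loopback only: fine
            if ($2 == "sshd" && port == "22") next  # the one permitted hole
            print $2, $6
        }'
}

# Client side of the same layout: tunnel a local port to the
# loopback-bound IMAP daemon through sshd, then point the mail client at
# localhost:1143.  Shown as a comment; mail.example.com is a placeholder.
#   ssh -N -L 1143:127.0.0.1:143 user@mail.example.com

exposed_listeners "$SAMPLE_LISTING"
```

On a live box, replace the sample with `sockstat -4l` output (or `ss -ltn` elsewhere) and expect no lines back.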