Re: Secure IMAP server and OpenBSD
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Secure IMAP server and OpenBSD
- From: Lenny Zeltser <lzeltser_(_at_)_pobox_(_dot_)_com>
- Date: Mon, 22 Nov 1999 12:56:38 -0500
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org

> Hello, does a secure IMAP server exist for OpenBSD that will be
> compatible with mail readers such as Outlook Express and Netscape?
> I like IMAP but it is far too insecure for internet use I think.

I use SSH to tunnel IMAP from my Windows-based workstations to the
IMAP server, which happens to be the same machine as the SSH
server. The port forwarding feature of SSH allows authenticated SSH
users to ask the SSH server to forward arbitrary connections on the
users' behalf. The TTSSH plugin to Tera Term, which I use, supports
this very nicely. From Setup / SSH Forwarding click on the Add button,
then forward local port "imap" to remote machine "localhost" port "imap".
With this done, your SSH client (Tera Term) will be listening on your
machine's IMAP port (143). All connections coming to this port will be
forwarded to the port of the SSH server that you are logged in to. The
SSH server will then forward this traffic to its own IMAP port.

With this setup, you will need to login to your IMAP/SSH server via
SSH. The tunnel will automatically be created when you authenticate,
since it is saved in your Tera Term setup. Then, configure the IMAP
client to use "localhost" as your incoming mail server. To encrypt
outgoing traffic (recommended), I also set up an SMTP tunnel in Tera
Term, and configured the client to use "localhost" as its SMTP server.

In this configuration the IMAP/SSH server can be configured to deny
all IMAP traffic unless it is coming from itself. Unfortunately, your
clients can now be used as entry points to the server. If someone
scans your machine, by accessing your port 143, they will actually be
accessing the IMAP server. Therefore, it is essential that you run a
personal firewall such as AtGuard on your client machines! I have mine
configured to allow access to my IMAP port only if the request is
coming from the e-mail client running on "localhost". Same goes for
SMTP.

I tried this configuration with Eudora as my e-mail client. Outlook
and Netscape should work as well. On the server side I was running
SSH-1 on Linux... I am about to try this on OpenBSD. It should work,
since I am using standard SSH features.

-- Lenny

P.S. Instead of tunneling IMAP traffic over SSH, it should be possible
to tunnel it through SSL with compatible e-mail clients. Netscape and
Outlook are supposed to support "SSL IMAP", which would require the
IMAP server to run a package such as stunnel or sslwrap.
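The same two forwards with the OpenSSH command-line client instead of TTSSH, as an added example that is not part of Lenny's message. It assumes OpenSSH ssh(1) on the client and a POSIX sh; the user "lenny" and host "mail.example.org" are placeholders, and the netstat-style lines fed to the check are constructed, not captured output. The second function does on the client what the AtGuard rule in the message does: it confirms that the tunnel entrances on ports 143 and 25 answer only on a loopback address, so a scan of the workstation cannot reach the IMAP server through the tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): the OpenSSH client equivalent of
# the Tera Term/TTSSH forwards described above, plus a check that the tunnel
# entrances on the workstation are reachable only from localhost.
# Assumed names: user "lenny" and server "mail.example.org" are fictitious.

# Print the ssh(1) command that recreates the post's setup with OpenSSH:
# local port 143 -> the server's own port 143, local port 25 -> its port 25.
# -N opens no shell; the explicit 127.0.0.1 bind address makes the local
# listeners loopback-only (OpenSSH does this by default unless GatewayPorts
# is set, but stating it leaves nothing to the client configuration).
tunnel_cmd() {
  user="$1"; host="$2"
  printf 'ssh -N -L 127.0.0.1:143:localhost:143 -L 127.0.0.1:25:localhost:25 %s@%s\n' \
    "$user" "$host"
}

# check_listeners: read "proto local_address state" lines on stdin (the shape
# of netstat -an output, simplified) and, for ports 143 and 25, report whether
# the listener is bound to a loopback address. Prints "PORT ok" or
# "PORT EXPOSED ADDR" per matching line; returns 1 if any port is exposed.
# This is the condition the post's AtGuard rule enforces: only the mail client
# on the same machine may talk to the tunnel entrance.
check_listeners() {
  rc=0
  while read -r proto laddr state; do
    [ "$state" = "LISTEN" ] || continue
    port=${laddr##*:}        # text after the last colon
    addr=${laddr%:*}         # text before the last colon (handles ::1:143)
    case "$port" in
      143|25) ;;
      *) continue ;;
    esac
    case "$addr" in
      127.0.0.1|::1|localhost) echo "$port ok" ;;
      *) echo "$port EXPOSED $addr"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Stand-alone demonstration on constructed sample lines (not real output).
# The first line is what a correctly bound tunnel looks like; the 0.0.0.0:25
# line is a tunnel entrance that any host on the network can reach.
SAMPLE='tcp 127.0.0.1:143 LISTEN
tcp 0.0.0.0:25 LISTEN
tcp 192.168.1.10:143 ESTABLISHED
tcp 0.0.0.0:22 LISTEN'

tunnel_cmd lenny mail.example.org
printf '%s\n' "$SAMPLE" | check_listeners \
  || echo "WARNING: a forwarded port is reachable from the network"
```

With OpenSSH, -L binds the local end to loopback unless GatewayPorts is set, so the exposure the message warns about is largely avoided by default; the check is still worth running, because a client configured with GatewayPorts yes, or a different forwarder, would put the tunnel entrance on all interfaces. On the server side, AllowTcpForwarding must remain enabled in sshd_config for the forward to work at all.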