I've put up a page about adding TLS support to SMTP, POP3, and IMAP
via a separate proxy process. It includes instructions for courier
IMAP. Advantages over traditional stunnel are support for STARTTLS on
the standard IMAP port; advantages over the STARTTLS built into
courier IMAP are that all SSL support is isolated into a separate
daemon, which runs as an unprivileged UID/GID in a small chroot
environment.
The Courier IMAP setup is kinda weird, because my Courier IMAP setup
is kinda weird. If somebody is interested in this stuff and would
like to put together a more conventional startup file, I'll be happy
to substitute that one for my own.
The project page is at:
http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/stunnel-tlsproxy.html
The IMAP page is at:
http://www.suspectclass.com/~sgifford/stunnel-tlsproxy/imap-tls.README
Feedback is welcome and appreciated; in particular, I'm not all
that familiar with how STARTTLS is supported in standard Courier IMAP,
so please correct me where I'm wrong.
Here are some excerpts from the README:
********************
*** INTRODUCTION ***
********************
STARTTLS is the standard (RFC 2595) way of doing IMAP encrypted with
SSL/TLS. Although it does not provide end-to-end encryption of email
messages, it can be useful to protect IMAP passwords, and to protect
email messages across the "last mile" of mail delivery.
While courier IMAP has native support for STARTTLS, TLS negotiations
are done before authentication, and are therefore done as root. That
means that a small bug such as a buffer overflow in the OpenSSL
library becomes a root exploit---yikes!
This approach uses a proxy which can handle the encryption and the
STARTTLS command itself, and then hands the already-encrypted
connection off to courier IMAP. The proxy runs in an environment
secured by chroot(), setuid(), and setgid().
IMAP proxy support has been added to stunnel, and also support for
doing a plaintext proxy of the IMAP session if STARTTLS isn't used.
stunnel runs chrooted in its own directory, as a special user and
group. This means that even a grievous security error in stunnel or
openssl wouldn't allow significant access to your system, or even
allow interfering with mail.
-----ScottG.
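The README excerpt above describes the proxy's job in prose: answer CAPABILITY and STARTTLS itself on port 143, run the TLS handshake in an unprivileged chrooted process, and relay everything else to courier IMAP (in plaintext if the client never issues STARTTLS). The following is an added example illustrating that division of labour; it is not code from Scott's stunnel patch or from stunnel/Courier. The command regex, the exact reply strings, the LOGINDISABLED policy, and the chroot/uid/gid values are assumptions made for the illustration. The accept loop and the byte relay between the two sockets are left out; the part that is shown is the per-connection decision logic that sits in front of the backend, plus the two privileged setup steps (certificate loading, then chroot/setgid/setuid) in the order they have to happen.

```python
"""Front-end decision logic for an IMAP STARTTLS proxy (RFC 2595, section 3.1).

Added example, not the stunnel-tlsproxy project's own code.  Reply strings,
the tag/command regex and the privilege-drop parameters are illustrative.
"""
import os
import re
import ssl

# "<tag> <COMMAND> <rest>" as sent by an IMAP client (RFC 3501 tag syntax:
# no whitespace, parens, braces, %, *, quotes, backslash or '+').  Assumed regex.
_CMD_RE = re.compile(r'^(?P<tag>[^\s(){}%*"\\+]+)\s+(?P<cmd>[A-Za-z]+)(?P<rest>.*)$')


class StartTlsFrontEnd:
    """Per-connection state machine for the proxy's side of STARTTLS.

    Before TLS is negotiated the proxy answers CAPABILITY and STARTTLS itself,
    so the backend never sees TLS; any other command is relayed in plaintext
    (the plaintext-proxy mode mentioned in the README).  After STARTTLS
    everything is relayed, except that a second STARTTLS is refused and the
    backend's CAPABILITY response is filtered so STARTTLS is not offered twice.
    """

    def __init__(self, backend_caps="IMAP4rev1", allow_plaintext_login=False):
        self.tls_active = False
        self.backend_caps = backend_caps
        self.allow_plaintext_login = allow_plaintext_login

    def greeting(self):
        return "* OK IMAP proxy ready, STARTTLS available\r\n"

    def _capabilities(self):
        caps = [self.backend_caps]
        if not self.tls_active:
            caps.append("STARTTLS")
            if not self.allow_plaintext_login:
                caps.append("LOGINDISABLED")   # RFC 2595 section 3.2
        return " ".join(caps)

    def handle_client_line(self, line):
        """Return ("reply", text), ("starttls", text) or ("forward", line).

        "starttls" means: send text to the client, then run the TLS server
        handshake on the client socket before reading anything else.
        """
        m = _CMD_RE.match(line.rstrip("\r\n"))
        if m is None:
            return ("reply", "* BAD Could not parse command\r\n")
        tag, cmd = m.group("tag"), m.group("cmd").upper()
        if cmd == "CAPABILITY" and not self.tls_active:
            return ("reply", "* CAPABILITY %s\r\n%s OK CAPABILITY completed\r\n"
                    % (self._capabilities(), tag))
        if cmd == "STARTTLS":
            if self.tls_active:
                return ("reply", "%s BAD TLS already active\r\n" % tag)
            if m.group("rest").strip():
                return ("reply", "%s BAD STARTTLS takes no arguments\r\n" % tag)
            self.tls_active = True
            return ("starttls", "%s OK Begin TLS negotiation now\r\n" % tag)
        if (cmd in ("LOGIN", "AUTHENTICATE") and not self.tls_active
                and not self.allow_plaintext_login):
            return ("reply", "%s NO Plaintext authentication disallowed; use STARTTLS\r\n" % tag)
        return ("forward", line)

    def filter_backend_line(self, line):
        """Strip STARTTLS from a backend capability line once TLS is already up."""
        if self.tls_active and line.upper().startswith("* CAPABILITY"):
            tokens = [t for t in line.rstrip("\r\n").split() if t.upper() != "STARTTLS"]
            return " ".join(tokens) + "\r\n"
        return line


def make_tls_context(certfile, keyfile):
    """Load the server certificate and key.  Must run BEFORE drop_privileges():
    neither file is reachable from inside the chroot afterwards."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def drop_privileges(chroot_dir, uid, gid):
    """Confine the proxy as the README describes: chroot, then setgid, then setuid.
    Requires root; call after the listening socket and TLS context exist."""
    os.chroot(chroot_dir)
    os.chdir("/")
    os.setgroups([])
    os.setgid(gid)      # group before user, or setgid would no longer be permitted
    os.setuid(uid)


def wrap_after_starttls(ctx, client_sock):
    """Run the TLS handshake on an accepted socket, right after the STARTTLS OK."""
    return ctx.wrap_socket(client_sock, server_side=True)
```

With the default policy the proxy advertises LOGINDISABLED and answers LOGIN/AUTHENTICATE with NO until the client has done STARTTLS; constructing it with allow_plaintext_login=True gives the plaintext-passthrough behaviour instead. Because the state machine only ever sets tls_active after it has handed back the "starttls" action, the caller must perform the handshake before reading the next client line, otherwise the client's TLS ClientHello would be relayed to the backend as garbage.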
_______________________________________________
courier-users mailing list