Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
On Thu, 2009-03-26 at 16:59 -0700, Florin Andrei wrote: I want to read my email on the iPhone. To do that, I have 2 options: 1. VPN 2. IMAP-over-SSL #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but the iPhone doesn't have an OpenVPN client. Running *two* VPN networks seems excessive for a small personal server - not that the machine cannot handle it, but it just feels too complicated for the task at hand. #2 would be easy to implement, just poke a hole in the firewall for the imaps port. But then there's the issue of security, of course. I am running cyrus-imapd-2.3.7 on CentOS 5.x How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the big wild Internet? Do you see the SELinux confinement as a must-have in this context, or are you okay with running it without any such MAC protections? I went to a talk by Dam Kaminsky of this past summers DNS exploit fame. If you want to be scared sh*tless about the potential security vulnerabilities of DNS, read up on his work. SSL does nothing. But on the more practical side. What exactly are you worried about? Someone rooting your machine through IMAP/Cyrus (never seen/heard of that done with any IMAP server, but please correct me if I'm wrong)? Getting access to your email? What? The biggest security problem I see (daily) is users. I'd love to deploy two-factor auth, but that's not possible right now. Z Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
--On Friday, March 27, 2009 9:46 -0400 Zachariah Mully zmu...@smartbrief.com wrote: How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the big wild Internet? Not much point running it if you can't connect to it, is there? It's totally standard. Actually you need only plain imap with tls required, but imaps helps some clients work right. Joseph Brennan Lead Email Systems Engineer Columbia University Information Technology Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
Whenever you open services to the internet, you're taking a chance. I've been running Cyrus IMAP open to the Internet for years and have never had any issues, but I may have just been lucky. There are plenty of sources available for looking for the history of vulnerabilities for various software packages, including the change log for Cyrus. If you can run selinux to protect it a bit more, why not? If you can jail/chroot the processes, why not? Anything you can do to limit the exposure to future problems puts you one step ahead of the rest. Florin Andrei wrote: Zachariah Mully wrote: I went to a talk by Dam Kaminsky of this past summers DNS exploit fame. If you want to be scared sh*tless about the potential security vulnerabilities of DNS, read up on his work. SSL does nothing. Well, we're all gonna die of something, aren't we? There are many attacks out there. You address what you can, do not address what you cannot, cross your fingers and hope for the best. But on the more practical side. What exactly are you worried about? Someone rooting your machine through IMAP/Cyrus (never seen/heard of that done with any IMAP server, but please correct me if I'm wrong)? Getting access to your email? What? The thing worrying me at this time is some stupid buffer overflow in the IMAP server code. I have no idea what's the security history of this server, even though I've been using it for quite a while, because it was always in tightly controlled environments. Exposing it to the Internet changes the game. The reason why I'm not immediately jumping for the VPN solution is that I already have a VPN in place, just not compatible with the iPhone. Running two VPNs seems just silly. But maybe it is the right solution after all. The biggest security problem I see (daily) is users. In this case, there are only a couple users and I'm one of them, so I'm not worried. (or maybe I should? heh heh) Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
On Fri, 2009-03-27 at 11:06 -0700, Florin Andrei wrote: The thing worrying me at this time is some stupid buffer overflow in the IMAP server code. I have no idea what's the security history of this server, even though I've been using it for quite a while, because it was always in tightly controlled environments. Exposing it to the Internet changes the game. In this case, there are only a couple users and I'm one of them, so I'm not worried. (or maybe I should? heh heh) You've said nothing about the risks of a breach of your system, nor about what exactly it is you are worried about being comprimised. Once you figure out those, you can make an educated decision. Until then, you're just pissing into the wind. Z Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
On 27 Mar 2009, at 14:06, Florin Andrei wrote: The thing worrying me at this time is some stupid buffer overflow in the IMAP server code. I have no idea what's the security history of this server, even though I've been using it for quite a while, because it was always in tightly controlled environments. Exposing it to the Internet changes the game. It's a very popular open source IMAP server, typically run exposed to the Internet at large. That certainly far from a guarantee that it's bug free, but intruders have had ample opportunity probe the code over the years. :wes Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
On Thu, Mar 26, 2009 at 04:59:07PM -0700, Florin Andrei wrote: I want to read my email on the iPhone. To do that, I have 2 options: 1. VPN 2. IMAP-over-SSL #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but the iPhone doesn't have an OpenVPN client. Running *two* VPN networks seems excessive for a small personal server - not that the machine cannot handle it, but it just feels too complicated for the task at hand. #2 would be easy to implement, just poke a hole in the firewall for the imaps port. But then there's the issue of security, of course. I am running cyrus-imapd-2.3.7 on CentOS 5.x How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the big wild Internet? Do you see the SELinux confinement as a must-have in this context, or are you okay with running it without any such MAC protections? We don't actually use SSL directly within Cyrus, instead using nginx with SSL on our frontend servers, proxying to the backends. This is mainly for load balancing, but it does also mean that the nginx server can be run with zero privileges for anything else. It doesn't give any protection from authenticated users (once the login is finished, the traffic is just directly proxied to the backend), but it does mean unauthenticated users don't have direct access to the cyrus imapds. If you're paranoid, that might be worth doing! That said, like everyone else has mentioned - Cyrus has been around for a long time, and has a good security track record. Bron. Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
thoughts on running an IMAP-over-SSL server exposed to the Internet?
I want to read my email on the iPhone. To do that, I have 2 options: 1. VPN 2. IMAP-over-SSL #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but the iPhone doesn't have an OpenVPN client. Running *two* VPN networks seems excessive for a small personal server - not that the machine cannot handle it, but it just feels too complicated for the task at hand. #2 would be easy to implement, just poke a hole in the firewall for the imaps port. But then there's the issue of security, of course. I am running cyrus-imapd-2.3.7 on CentOS 5.x How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the big wild Internet? Do you see the SELinux confinement as a must-have in this context, or are you okay with running it without any such MAC protections? -- Florin Andrei http://florin.myip.org/ Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: thoughts on running an IMAP-over-SSL server exposed to the Internet?
On Thu, 2009-03-26 at 16:59 -0700, Florin Andrei wrote: I want to read my email on the iPhone. To do that, I have 2 options: 1. VPN 2. IMAP-over-SSL #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but the iPhone doesn't have an OpenVPN client. Running *two* VPN networks seems excessive for a small personal server - not that the machine cannot handle it, but it just feels too complicated for the task at hand. #2 would be easy to implement, just poke a hole in the firewall for the imaps port. But then there's the issue of security, of course. I am running cyrus-imapd-2.3.7 on CentOS 5.x How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the big wild Internet? Do you see the SELinux confinement as a must-have in this context, or are you okay with running it without any such MAC protections? I expect it to be safe because I too have opened IMAPS ports for the various clients that I have who want to use their iPhone's and Blackberry's, etc. That also means that I have had to implement SMTP auth so that they can send e-mail too. I have faith that these are daemons (cyrus and postfix) that can withstand attacks but every port you open is another attack vector on your system. Craig Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
