
Re: security tips requested

On Wed, Sep 12, 2001 at 08:18:22AM -0700, Robert Threet wrote:
> --- Steven Pritchard <steve@silug.org> wrote:
> > Robert Threet said:
> > > Also, How insecure are POP and IMAP?
> > 
> > Very.  The various POP3 and IMAP daemons have had lots of security
> > holes, and they are unencrypted besides.  You can run them
> > SSL-enabled though, which helps.
> I am setting up SSL for my web server.  When I do I'll have
> a "key".  Is there any further configuration to use SSL
> with POP and IMAP?  Can it be "enforced"?  That is, you can
> only allow SSL-enabled clients to authenticate?

Whether you go with sslwrap'd connections or a daemon that supports
ssl directly, you should be able to point the daemon at your cert
and have it use the same one.  You may have issues if your cert is
for "www.do.main" and your mail server is on "mail.do.main" though,
but that's get-around-able by just using the one hostname...

Regarding the enforcement, the ssl-enabled versions of pop and
imap use a different port (spop-995,imaps-993), so all you have to
do is not allow access to the "normal" ports and you can consider
yourself enforced.
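
An added example, not part of the original message: a small Python audit of the two points in the reply above, that only the SSL ports (995, 993) are reachable and that the certificate covers the hostname mail clients connect to. The port set and certificate are constructed sample data; the certificate dict follows the shape returned by Python's ssl.SSLSocket.getpeercert(), and the function names are this example's own.

```python
PLAINTEXT = {110: "pop3", 143: "imap"}    # cleartext ports that must be closed
SSL_ONLY = {995: "pop3s", 993: "imaps"}   # SSL-wrapped equivalents

def name_matches(pattern, host):
    """Compare a certificate name with a hostname.
    '*' is accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """DNS subjectAltNames if present, otherwise the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def audit(open_ports, cert, mail_host):
    """Return a list of findings; an empty list means SSL is enforced
    and clients will not see a certificate name mismatch."""
    findings = []
    for port, svc in PLAINTEXT.items():
        if port in open_ports:
            findings.append(f"{svc} reachable in cleartext on port {port}")
    for port, svc in SSL_ONLY.items():
        if port not in open_ports:
            findings.append(f"{svc} not offered on port {port}")
    if not any(name_matches(n, mail_host) for n in cert_names(cert)):
        findings.append(f"certificate does not cover {mail_host}")
    return findings

# Constructed sample: the web server's certificate reused for mail.
WEB_CERT = {"subject": ((("commonName", "www.do.main"),),)}

if __name__ == "__main__":
    # Before: port 110 still open, clients configured for mail.do.main.
    for finding in audit({110, 993, 995}, WEB_CERT, "mail.do.main"):
        print("FAIL:", finding)
    # After: plain ports blocked, clients use the one hostname on the cert.
    print("remaining findings:", audit({993, 995}, WEB_CERT, "www.do.main"))
```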
