[CentOS] IMAP security

mouss mouss at netoyen.net
Fri Mar 28 21:14:25 UTC 2008 

Anne Wilson wrote:
> On Friday 28 March 2008 11:06:06 Ned Slider wrote:
>   
>> Anne Wilson wrote:
>>     
>>> I have port 143 open so that I can get my mail when away from home.
>>> Occasionally, though, my router reports things like
>>>
>>> Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821
>>> Destination:88.97.17.41,143 - [IMAP rule match]
>>> Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461
>>> Destination:88.97.17.41,143 - [IMAP rule match]
>>> Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352
>>> Destination:88.97.17.41,143 - [IMAP rule match]
>>>       
>> If you open ports, you will see folks scanning them - it's inevitable. A
>> public mail server will attract interest from those wishing to exploit it.
>>
>>     
>>> Looking at those addresses in whois, I don't see any good reason for
>>> these, and I'm concerned in case they are relays.  Advice?
>>>       
>> Those looking for relays would be more interested in the smtp port 25.
>> The IMAP port is the port you connect to to receive your mail. As long
>> as your imap server (dovecot, courier-imap) is fully patched and
>> presumably secure then you should be OK.
>>
>>     
> It is.
>
>   
>> Advice - one potential weakness is that by default your username and
>> password is likely being sent in plain text (not a good idea!). Someone
>> could potentially intercept your username and password and access/use
>> your email account. If that username/password is also your system
>> account then potentially that could be compromised too.
>>
>>     
> My various mail passwords are not system passwords, so at least that is 
> avoided.
>
>   
>> There are a number of things you can do to harden your security. You
>> could set up an additional user account with nologin for email so if the
>> username/password does get compromised it's limited to purely email. You
>> could run imap services on a non-standard port (security through
>> obscurity), or firewall the connection to only allow trusted IP
>> addresses (works if you always conect from known trusted IP addresses).
>> None of these solutions are perfect, so probably the best method is to
>> encrypt the connection using SSl. See howto here (for postfix/dovecot):
>>
>> http://wiki.centos.org/HowTos/postfix_sasl
>>
>>     
> Thanks for the advice.  It helps a lot.
>   

Consider using imaps instead of imap. it's not hard to setup and it will 
prevent password sniffing as well as silly kiddie who only probe non ssl 
ports (my logs show a lot of 80, 21, 22, 110, 143 and currently not a 
single imaps).

More information about the CentOS mailing list