[CentOS] IMAP security

Fri Mar 28 17:28:56 UTC 2008
Anne Wilson <cannewilson at googlemail.com>

On Friday 28 March 2008 11:06:06 Ned Slider wrote:
> Anne Wilson wrote:
> > I have port 143 open so that I can get my mail when away from home.
> > Occasionally, though, my router reports things like
> >
> > Thu, 2008-03-27 02:00:11 - TCP Packet - Source:200.122.134.9,3821
> > Destination:88.97.17.41,143 - [IMAP rule match]
> > Thu, 2008-03-27 05:39:49 - TCP Packet - Source:140.127.181.141,3461
> > Destination:88.97.17.41,143 - [IMAP rule match]
> > Thu, 2008-03-27 16:10:03 - TCP Packet - Source:80.88.161.125,2352
> > Destination:88.97.17.41,143 - [IMAP rule match]
>
> If you open ports, you will see folks scanning them - it's inevitable. A
> public mail server will attract interest from those wishing to exploit it.
>
> > Looking at those addresses in whois, I don't see any good reason for
> > these, and I'm concerned in case they are relays.  Advice?
>
> Those looking for relays would be more interested in the smtp port 25.
> The IMAP port is the port you connect to to receive your mail. As long
> as your imap server (dovecot, courier-imap) is fully patched and
> presumably secure then you should be OK.
>
It is.

> Advice - one potential weakness is that by default your username and
> password is likely being sent in plain text (not a good idea!). Someone
> could potentially intercept your username and password and access/use
> your email account. If that username/password is also your system
> account then potentially that could be compromised too.
>
My various mail passwords are not system passwords, so at least that is 
avoided.

> There are a number of things you can do to harden your security. You
> could set up an additional user account with nologin for email so if the
> username/password does get compromised it's limited to purely email. You
> could run imap services on a non-standard port (security through
> obscurity), or firewall the connection to only allow trusted IP
> addresses (works if you always conect from known trusted IP addresses).
> None of these solutions are perfect, so probably the best method is to
> encrypt the connection using SSl. See howto here (for postfix/dovecot):
>
> http://wiki.centos.org/HowTos/postfix_sasl
>
Thanks for the advice.  It helps a lot.

Anne
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos/attachments/20080328/fa494314/attachment-0005.sig>