Les Mikesell wrote:
>
> If you have a decent password (on all accounts) I wouldn't worry
> about it too much. Move it to an odd port or even require a client
> certificate if your client software supports it.

The non-standard port is a good trick, but even assuming the iPhone does support it (which is far from certain, the interface is very simple and terse), I'm still a bit uncomfortable. All it takes is a stupid buffer overflow, and a script kiddie with patience and a portscanner - even if you send packets to DROP, it's still scannable, it just takes much longer. Port knocking is probably not doable (or not easily) from the iPhone.

Maybe I don't trust the IMAP server enough to expose it. Maybe I should.

> The usual problem with IPSec is trying to make it work through a NAT
> router. Does your server have a public address of its own? SSL and
> OpenVPN can work through port-forwarding routers.

I'm aware of the NAT issues. I've a decent amount of experience with IPSec in the enterprise actually, just not with Linux as a concentrator. The usual trick is to enable some sort of UDP tunneling, and then a good part of those issues is alleviated. The question is whether the Linux IPSec server supports UDP encapsulation (and whether the iPhone client does too).

The machine has a public interface exposed directly to the Internet, so that simplifies things a bit.

--
Florin Andrei
http://florin.myip.org/