Re: IMAP- how to protect a server?

["Ge' Weijers" <ge () progressive-systems com>]

On Tue, Jun 01, 1999 at 06:28:56PM -0700, Aaron D. Turner wrote:
> The thing is that we consider are trying our best to secure the email
> from would-be unfriendlies, and I'd rather not have the mail folders
> sitting in the DMZ.  And of course, I don't want to punch a hole
> through the firewall and put the IMAP server on the internal network.
> NFS between a IMAP server in the DMZ and the mail folder server 
> in the Internal net isn't a good idea either.
>
> So what is the 'proper' way of doing this?  

If you don't put your e-mail server on a DMZ you will have to punch
some kind of hole through your firewall, which forces you to put all
your eggs in the SSL basket. I would advise against that, I prefer not
to completely trust a protocol that complicated.

My approach would be to have a separate DMZ for this purpose, which
protects your internal network from compromise if your IMAP server is
breached, and your IMAP server from attacks and password sniffing if
your web server gets broken in to. The resources that are accessible
through SSL are now limited to e-mail. You can allow internal access
through unencrypted IMAP or POP3.

As a second line of defense you might want to educate people about
encrypting their sensitive e-mail, even intra-office e-mail.

Ge'

-- 
-
Ge' Weijers                                Voice: (614)326 4600
Progressive Systems, Inc.                    FAX: (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220