Firewall Wizards mailing list archives

Re: IMAP- how to protect a server?


From: chuck <fwwiz () yerkes com>
Date: Thu, 3 Jun 1999 17:57:55 -0700

I should know this, but does Kerberized IMAP encrypt the whole
connection?  I imagine it does, but can someone say for sure?

Given that SSL might be an option (I dunno about the laws regarding
taking encryption out of the country - even if you brought it in), I'd
be looking hard at that.  Yeah, you might want your IMAP server on an
protected, isolated DMZ segment given that it will be touched by
outside and inside traffic.

Somehow, you want the authentication, and ideally the data, encoded.

You might also want a CERT server to give the users certs.  The NICE
thing might be a smart card, but OS's generally don't come with support
for authentication/certs living on a separate device.


So, in short, if not Kerberos, IMAP over SSL is a known beast.
Netscape's IMAP server runs it just fine out of the box.  Dunno about
others.  You get CERTs to your remote users, you end up with STelnet
and, perhaps, SMTP/SSL.  Me?  I'd still use strong authentication for
telnet and the like, but I like that the channel is secured and that I
can revoke privs from a central place.

chuck

PS:
If you bump into ITAR rules, feel free to write a physical letter to
your congressman noting that you will have to buy software overseas and
leave machines and software in your Euro office and wouldn't it be nice
if you could actually buy from your own country and support the dying
US encryption industry before it goes the way of TV manufacturing.
(those of us in the US should likely do this regularly anyhow).

Quoting Aaron D. Turner (aturner () vicinity com):

Hmmm... I guess this brings up a good question.  How good are the SSL
implementations?  My understanding was that SSL was pretty solid.
Sure I could give all my users SecurID tokens and SecuRemote to access
email, but I'm going to get a lot of phone calls at 3am from pissed
off Sales people traveling in Europe who lost it or forgot how to use
the dumb thing.

Also, putting the IMAP server in a DMZ may protect my other servers
and it from them, but it doesn't solve the issue of securing the data
on the mail server itself.  If the IMAP server has a buffer exploit
then I'm kinda hosed, no?  One person suggested a proxy to protect the
server, but then I got to thinking- how does the proxy inspect the
content of the packets if they're encrypted?  Or does the fact that
the connection is encrypted make the buffer exploit moot?

The more I think about it the more confused I get.  I know someone on
the list has actually done this- secure an IMAP server (its content
and the connection between it and the clients).  It's not like IMAP is
some wacky unused protocol that only runs on Atari 2600's.
