RE: IMAP- how to protect a server?

[sean.kelly () lanston com]

> From: Carric Dooley [mailto:carric () com2usa com]
> Sent: Saturday, June 05, 1999 1:11 AM
> Subject: Re: IMAP- how to protect a server?
>
>
> I have been watching this thread... and I can't see how SSL 
> protects the
> server.  That would protect (to a degree) the content of the 
> e-mail and
> users passwords to the server, but not the server itself.  If you are
> talking about the buffer overflows like the ones that seem to 
> keep cropping
> up in IMAP servers on Linux, the only real way to keep that 
> server safe is
> to keep your daemon at the latest rev, and hope to god you are not the
> target when a new exploit for that version is discovered.  
> There is only so
> much one can do...

Exactly.  The point of SSL is to make the data that pass between the client
and server unreadable by a third-party.  This means someone can't just grab
a username and password from a telnet login, etc.  Anyone can still sty to
connect to the server on the SSL port, and (if they succeed) do whatever
they want.  The SSL server code is pretty solid however -- the possibility
of a buffer overrun or something along those lines is quite small.

Sean