If you are going to use an IMAP proxy for security reasons, consider using
software DIFFERENT from what runs your real mailboxes. If you use dovecot in your
backend, you could use perdition in the frontend.
Regards
Maria
----- Original Message -----
From: Ed W
Sent: 11/03/11 11:31 AM
To: Dovecot Mailing List
Subject: Re: [Dovecot] Imap/pop gateway
On 31/10/2011 22:20, nuno marques wrote:
> Hello,
> How can I make an imap/pop gateway? That is, putting the mailboxes on a server on the
> internal network and putting the gateway in the dmz.

The question isn't entirely clear, but I *think* you just want to use the normal "proxy"
feature of dovecot. This accepts connections on one machine, examines them until
the end of the auth stage and passes them on to some other machine based on the
results of the auth process.

Also there are other imap/pop proxies such as nginx.

That said, I'm not sure how much security this really buys you versus port
forwarding POP/IMAP ports to your real server? If the proxy machine were to get
hacked (over imap?) then the same hack can jump from the proxy to the real
server. Also your only exposure in each case is via POP/IMAP, which means you
would be mainly chasing buffer overflow vulnerabilities and the like. These can
also be mitigated by chrooting the server machine (please consider
virtualisation options, it's usually simpler/faster/saner, e.g. see my
favourite: linux-vservers), MAC controls on the dovecot process (grsec/selinux,
etc.), and compiler extensions (gcc hardened).

Good luck

Ed W
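
The Dovecot "proxy" feature described in the thread, as an added configuration sketch that is not part of the original messages: a DMZ gateway that holds no mailboxes and hands every login to the internal server. It assumes Dovecot 2.0-2.3 syntax; the address 192.0.2.10 and the certificate paths are placeholders.

```conf
# dovecot.conf on the DMZ gateway (constructed example, Dovecot 2.0-2.3 syntax)
protocols = imap pop3

# The proxy replays the client's password to the backend, so it has to
# receive it in clear text: offer only PLAIN/LOGIN, and only inside TLS.
auth_mechanisms = plain login
disable_plaintext_auth = yes
ssl = required
ssl_cert = </etc/ssl/certs/gateway.pem      # placeholder path
ssl_key  = </etc/ssl/private/gateway.key    # placeholder path

# No local password check and no local mail storage: the static passdb
# marks every login as "proxy this", and the internal server makes the
# real authentication decision.
passdb {
  driver = static
  # starttls=yes encrypts the proxy-to-backend hop and verifies the
  # backend certificate; 192.0.2.10 stands in for the internal server.
  args = proxy=y host=192.0.2.10 starttls=yes nopassword=y
}

# --- on the internal backend, not on the gateway ---
# Trust the gateway's address so the backend logs and rate-limits the
# original client IP instead of the proxy's (198.51.100.5 is a placeholder).
# login_trusted_networks = 198.51.100.5
```

With `nopassword=y` the gateway never validates credentials itself, so the firewall between the DMZ and the internal network should allow only the gateway's address to reach the backend's IMAP/POP3 ports.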