Since the number of responses to my query was large, Roger has asked
me to summarise the information.
The summary is listed below.
Thanks to all the people who bothered to help me out:
Alan Mead <adm@ipat.com>
Beattie, Jay <JBeattie@accdir.com>
Bruce Elrick <bruce.elrick@saltus.ab.ca>
Christian Hammers <ch@lathspell.westend.com>
David J. M. Karlsen <david@kvarteret.uib.no>
Dean Thompson <Dean.Thompson@csse.monash.edu.au>
Ed Padin <epadin@wagweb.com>
Eugene Kanter <eugene@blackcatlinux.com>
Florian Helbing <flo@rommel.stw.uni-erlangen.de>
Graham Mainwaring <graham@mhn.org>
Horms <horms@vergenet.net>
Iain Wade <iwade@optusnet.com.au>
JP Vossen <vossenjp@netaxs.com>
Jakub Skopal <jakub.skopal@sorcerer.cz>
Jamie Beverly <jamie@www.how-toresource.com>
Kurt Seifried <listuser@seifried.org>
Matthew B. Henniges <matt@axl.net>
Michael H. Warfield <mhw@wittsend.com>
Peter H. Lemieux <phl@cyways.com>
Petr Sulla <xsulla@informatics.muni.cz>
Ren Sauceda, Computer Systems Engineer (kvsauceda@lbl.gov)
Shawn Robinson <srobins1@tps.tci.telus.com>
Shawn Tagseth <stagseth@bbm.ca>
Stephen Peters <portnoy@portnoy.org>
Tomas Revesz <tomi@neogenesis.com>
Tony Annese <tony@whidbey.net>
alex@cathy.uuworld.com
Blair.
> -----Original Message-----
> From: Blair Lowe [mailto:Blair.Lowe@compeng.net]
> Sent: Wednesday, December 08, 1999 11:36 AM
> To: linux-security@redhat.com
> Subject: [linux-security] IMAP security across the net.
>
>
> Hi,
>
> We are wondering if anyone knows the security features of IMAP.
>
> I know (at least I think I know;) that plain POPMAIL uses no
> encryption on the password, and that APOP provides some encryption.
>
> Ideally we would like a secure system that is accessible from any
> laptop anywhere on the net.
>
> Thanks,
> Blair.
> --
>
-----Summary of all other messages-----
###########################
ANSWERS TO SECURITY QUERY
###########################
*************
Thread 1: imap and POP send cleartext passwords.
--
"David J. M. Karlsen" <david@kvarteret.uib.no> wrote:
> IMAP defaults to cleartext passwords as well, try using it with ssh, and
> you should be fine... Possibly there's some support for mixing IMAP/SSL as
> well..
-
Ren Sauceda, Computer Systems Engineer (kvsauceda@lbl.gov) wrote:
> IMAP sends everything clear text just like POP. You'd need to run it
> over SSL to get encryption between the client and the IMAP mail store
> server. However, client support is limited: Netscape Messenger 4.6+,
> Outlook 98/2000, Outlook Express 5, and according to my sources.
>
> Personally, as a user that is, I like sshing into my mail server and
> checking my mail with pine when I'm on the road.
--
Christian Hammers <ch@lathspell.westend.com> wrote:
> uw-imap and afaik cyrus imap, too, have support for CRAM-MD5 (sp?)
> this is like APOP.
Any more links to info on these products?
--
Horms <horms@vergenet.net> wrote:
> I don't know a lot about IMAP but my understanding is that
> you can enable capabilities, if the server and client allow,
> that will provide an encrypted session.
Sounds like SSL (see below).
--
"Graham Mainwaring" <graham@mhn.org> wrote:
> IMAP also sends the plaintext password across the network. However, it is
> possible to do IMAP-over-SSL (as well as POP-over-SSL) and get it to work
> with at least some mail clients. You do this using a tool called sslwrap on
> the server side. Alternatively, you might be able to do something with ssh
> port forwarding.
--
Alan Mead <adm@ipat.com> wrote:
> APOP encrypts passwords but not data.
> I'm not sure if IMAP encrypts the data; it is designed to offer more secure
> email connections than POP. However I think SSL is a better choice; make
> everything web-based and accessed through a secure web server. They'll
> need a root cert from your cert authority. That probably means your
> clients will be forced to have recent versions of IE or Navigator.
IMAP does not seem to be any more secure than regular POP (as I feared).
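Added example (mine, not code from any of the replies above) that shows in
Python what a listener on the path actually gets from the cleartext IMAP
LOGIN and POP3 USER/PASS exchanges discussed in this thread, what APOP and
CRAM-MD5 put on the wire instead, and the caveat behind "APOP encrypts
passwords but not data": a captured challenge/response pair can still be
guessed offline. The session transcripts are constructed; the APOP and
CRAM-MD5 vectors are the worked examples published in RFC 1939 section 7
and RFC 2195 section 2. Standard library only.

```python
"""What a passive listener sees with cleartext IMAP/POP logins, and what
APOP / CRAM-MD5 change about that.

Added example, not code from any of the posts in this thread. The session
transcripts are constructed; the APOP and CRAM-MD5 vectors are the worked
examples printed in RFC 1939 section 7 and RFC 2195 section 2.
"""
import base64
import hashlib
import hmac
import re

# Constructed transcripts, "C:" client->server, "S:" server->client.
IMAP_CLEARTEXT = [
    "S: * OK IMAP4rev1 server ready",
    "C: a001 LOGIN blair s3cret-laptop",
    "S: a001 OK LOGIN completed",
]
POP_CLEARTEXT = [
    "S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    "C: USER blair",
    "S: +OK",
    "C: PASS s3cret-laptop",
    "S: +OK Mailbox locked and ready",
]

_IMAP_LOGIN = re.compile(r'^C: \S+ LOGIN (?:"([^"]*)"|(\S+)) (?:"([^"]*)"|(\S+))\s*$')
_POP_USER = re.compile(r"^C: USER (\S+)\s*$")
_POP_PASS = re.compile(r"^C: PASS (.+?)\s*$")


def sniff_credentials(lines):
    """Return the (user, password) pairs a sniffer can read straight off the
    wire from IMAP LOGIN or POP3 USER/PASS: the problem the thread is about."""
    found, user = [], None
    for line in lines:
        m = _IMAP_LOGIN.match(line)
        if m:
            found.append((m.group(1) or m.group(2), m.group(3) or m.group(4)))
            continue
        m = _POP_USER.match(line)
        if m:
            user = m.group(1)
            continue
        m = _POP_PASS.match(line)
        if m and user is not None:
            found.append((user, m.group(1)))
            user = None
    return found


def apop_digest(banner_timestamp, password):
    """APOP (RFC 1939): the client sends md5(timestamp + password), where the
    timestamp is the <...> string from the server greeting, instead of PASS."""
    return hashlib.md5((banner_timestamp + password).encode()).hexdigest()


def cram_md5_digest(password, challenge):
    """CRAM-MD5 (RFC 2195): HMAC-MD5 keyed with the password over the
    server's challenge bytes."""
    return hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()


def cram_md5_response(username, password, challenge_b64):
    """Build the client's response ("user hexdigest") to a base64 challenge;
    the wire carries the base64 encoding of this string."""
    challenge = base64.b64decode(challenge_b64)
    return f"{username} {cram_md5_digest(password, challenge)}"


def guess_password(matches, wordlist):
    """Offline guessing against a captured exchange. APOP and CRAM-MD5 keep
    the password itself off the wire, but the challenge and the digest are
    visible, so a listener can test candidates at leisure: "encrypts the
    password" means "as strong as the password is against guessing", and the
    mail itself still travels in cleartext."""
    for candidate in wordlist:
        if matches(candidate):
            return candidate
    return None


if __name__ == "__main__":
    print("cleartext:", sniff_credentials(IMAP_CLEARTEXT), sniff_credentials(POP_CLEARTEXT))
    ts = "<1896.697170952@dbc.mtview.ca.us>"
    observed = apop_digest(ts, "tanstaaf")
    print("APOP on the wire:", observed)
    print("recovered by guessing:",
          guess_password(lambda c: apop_digest(ts, c) == observed,
                         ["password", "letmein", "tanstaaf"]))
    chal = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()
    print("CRAM-MD5 response:", cram_md5_response("tim", "tanstaaftanstaaf", chal))
```

Running it prints the credentials lifted from both transcripts, the APOP
digest for the RFC 1939 example, the same password recovered from a
three-word list, and the RFC 2195 CRAM-MD5 response. The point for the
question asked above: challenge/response fixes the sniffed-password problem
only for strong passwords, and does nothing for the mail itself, which is
why the replies that follow all end up at SSL.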
--
###########################
SOLUTIONS TO EMAIL SECURITY
###########################
*************
Thread 1: Eudora may not support SSL wrapper type of IMAP communications.
--
Jakub Skopal <jakub.skopal@sorcerer.cz> wrote:
>
> Blair Lowe wrote:
> >
> > Where exactly is the setting for Eudora, or does it just work?
> >
> > Blair.
> >
> > Jakub Skopal <jakub.skopal@sorcerer.cz> wrote:
> > >
> > > consider using SSL wrapper for your IMAP, it'll provide on-the-fly
> > > encryption.
> > > Most of the current mail-readers support it (on windows Microsoft
> > > Outlook * as well as Netscape, Eudora supports it as well, afaik; on
> > > linux, there's an easy way how to setup a wrapper so every application
> > > can access it in ordinary way :_)
> > >
> > > Jakub
> > >
> > > --
>
> Don't know, but now I doublechecked at eudora's website and they say
> they have no support for SSL... I believe that there can be some sort
> of wrapper made as well, don't know any :-|
> I just knew somebody who had been using it, but don't know how he had
> managed to get it to work...
>
******************
Thread 2: sslwrap
--
Jamie Beverly <jamie@www.how-toresource.com> wrote:
> sslwrap has some nice packages that encrypt POP, SMTP, and IMAP, there was
> a post to this group a few months ago that had full instructions to set it
> up and get it running, if you need a hand, drop me a line.
--
Ed Padin <epadin@wagweb.com> wrote:
> You can use SSL for IMAP as well as POP mail access. There are two nice SSL
> wrappers I know of for linux machines. sslwrap and stunnel. They act as a
> front end to any imap, pop or html server so that you can use the SSL
> protocol for the service. The popular IMAP clients usually support IMAP over
> SSL. This gives you a fully encrypted link where passwords and content
> cannot be sniffed.
--
Stephen Peters <portnoy@portnoy.org> wrote:
> I think IMAP gives you the same problems.
[i.e. cleartext passwords]
>
> One thing you might consider is installing SSLeay and sslwrap. This
> allows you to wrap POP, IMAP (or other protocols) under SSL, so that
> the communication is encrypted. Many common mail clients (even
> Netscape, MSIE, and Outlook) support the SSL connections natively.
> I've gotten this working once -- using Netscape or Outlook to access
> my home IMAP server over SSL.
>
> More information can be found in www.openssl.org, if I remember right.
A note to the readers: I believe that SSLeay IS OpenSSL.
--
Florian Helbing <flo@rommel.stw.uni-erlangen.de> wrote:
> You can use SSL-Encrypted IMAP. Netscape can connect to SSL IMAP.
> Unfortunately I don't know of any other MUA which can.
> On the server you just need to use the ssl-wrapper which encrypts the data
> the imap-server sends or receives. We use it here at the network I am working
> at and it performs quite nicely.
--
"Michael H. Warfield" <mhw@wittsend.com> wrote:
> My suggestion would be to go with SSL encrypted imap (imaps).
> It's a well known service allocated to port 993 by IANA and can be set
> up with an ssl wrapper like edssl, ssl-proxy, stunnel, or sslwrapper on
> your server. Fetchmail now has SSL patches included in the source, you
> just have to obtain OpenSSL <www.openssl.org> for the SSL libraries
> themselves. Even Exchange, Outlook, and Netscape support SSL encryption
> on either or both POP and IMAP.
--
Tomas Revesz <tomi@neogenesis.com> wrote:
>
> i'm not sure that standard imap has anything built in security-wise but
> i'm quite happily running ssl wrapped imap on two of my redhat boxes and
> it wasn't a tremendous pain to set it up. it gives you encrypted login
> and viewing of your mail. i've tried netscape, outlook express, and
> outlook 97/2000 as clients and they all seem to work great. you
> basically need 3 pieces.
>
> an imap server (i use the uwash server that came with redhat)
> openssl 0.9.4 http://www.openssl.org or you can find an rpm for it at
> www.rpmfind.net pretty easily
> and sslwrap which i got from http://www.rickk.com/sslwrap/
>
> i used this page as a reference and even though there are some
> differences in the software, it gives you the basic idea of how to set
> this up. http://www.dtcc.edu/cs/admin/notes/ssl/
>
> if you want more detailed info, let me know and maybe i'll finally
> motivate myself to write up a how-to on my full setup.
I am sure that the readers of this email list and anyone else would
be tickled with a HOWTO.
--
"Kurt Seifried" <listuser@seifried.org> wrote:
>
> Blair Lowe wrote:
> > Yes this works for all the normal OS's such as Linux and Windows,
> > but don't you need winstun or something for a windows
> > implementation
> > (which does not exist for apple clients).
>
> Most email clients have built in support for SSL (outlook, netscape
> do). Simply go to security settings, secure imap.
--
"Bruce Elrick" <bruce.elrick@saltus.ab.ca> wrote:
> You could try using IMAP over SSL. Both Netscape and MS Outlook support
> this. I've installed sslwrap, which negotiates the SSL layer and forwards
> the connection to the loopback.
>
> e.g.
> have port 993 (imaps) open with sslwrap opened through inetd:
> /etc/inetd.conf (one line):
> imaps stream tcp nowait ssl /usr/sbin/tcpd /usr/sbin/sslwrap -cert /var/lib/ssl/certs/server.pem -port 143
>
> which accomplishes
> client using imaps (imap over ssl) --> internet -->
> --> your server public IP port 993 -->
> --> sslwrap (started by inetd) -->
> --> your server loopback IP port 143 --> imapd (started by inetd)
>
> You can have your firewall block 143 (except on loopback if your imaps
> server is your firewall) and let through 993 to your public IP address.
Excellent!
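Added example (mine, not Bruce's code or sslwrap's): once the 993 wrapper,
the loopback-only imapd and the firewall rule for 143 are in place, this
Python check, run from outside the firewall, verifies the layout from the
client's side. It confirms 143 does not answer, that 993 presents a
certificate that verifies against the CA file you hand out to clients
(the "they'll need a root cert" point Alan made), and grades the CAPABILITY
line. Standard library only. LOGINDISABLED, STARTTLS and AUTH=<mech> are
standard IMAP capability tokens; whether a particular imapd of this era
advertises them is an assumption, so their absence means "unknown", not
"safe". Host names and ports are whatever you pass on the command line.

```python
"""Verify an IMAP host is exposed the way the sslwrap/inetd layout above
intends: TLS on 993 with a certificate the client can verify, and nothing
answering in cleartext on 143 from outside.

Added example, not code from any post in this thread. Standard library
only. LOGINDISABLED, STARTTLS and AUTH=<mech> are standard IMAP CAPABILITY
tokens; whether a particular imapd advertises them is an assumption, so
read their absence as "unknown", not as "safe".
"""
import imaplib
import socket
import ssl


def assess_capabilities(capability_line, over_tls):
    """Grade one CAPABILITY line. over_tls says whether it was read on the
    TLS-wrapped port (993) or on the plain port (143). Returns a list of
    (severity, message) with severity in {"high", "info", "ok"}."""
    caps = set(capability_line.upper().split())
    mechs = {c[len("AUTH="):] for c in caps if c.startswith("AUTH=")}
    findings = []
    if not over_tls:
        if "LOGINDISABLED" in caps:
            findings.append(("ok", "plain port refuses LOGIN until TLS is negotiated"))
        else:
            findings.append(("high", "plain port accepts cleartext LOGIN; the password is sniffable"))
        if "STARTTLS" not in caps:
            findings.append(("info", "no STARTTLS on the plain port; the 993 wrapper plus a "
                                     "firewall rule for 143 is the only protection"))
        if "PLAIN" in mechs:
            findings.append(("high", "AUTH=PLAIN offered without TLS"))
    if "CRAM-MD5" in mechs:
        findings.append(("info", "AUTH=CRAM-MD5 offered: hides the password from a passive "
                                 "listener, but not the mail, and a captured exchange can "
                                 "still be guessed offline"))
    return findings


def plain_port_reachable(host, port=143, timeout=3.0):
    """True if a TCP connection to host:port succeeds from here. Run it from
    outside the firewall: the layout above wants this to be False for 143."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def imaps_capabilities(host, port=993, cafile=None):
    """Connect to the wrapped port with full certificate and hostname
    verification and return (certificate subject, CAPABILITY line).

    cafile is the CA (or the self-signed server cert itself) you distribute
    to clients; if the wrapper's cert does not verify against it, ssl raises
    here, which is the same failure your users' mail clients will hit."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
    try:
        subject = dict(rdn[0] for rdn in conn.sock.getpeercert()["subject"])
        typ, data = conn.capability()
        line = data[0].decode() if typ == "OK" else ""
    finally:
        conn.logout()
    return subject, line


def audit(host, cafile=None):
    """Run the external checks and return the combined findings."""
    report = []
    if plain_port_reachable(host, 143):
        report.append(("high", f"{host}:143 answers from here; the firewall is not blocking it"))
    else:
        report.append(("ok", f"{host}:143 is not reachable from here"))
    subject, caps = imaps_capabilities(host, cafile=cafile)
    report.append(("ok", f"{host}:993 presents a verifiable certificate, "
                         f"CN={subject.get('commonName')}"))
    report.extend(assess_capabilities(caps, over_tls=True))
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for severity, message in audit(target, ca):
        print(f"[{severity}] {message}")
```

Usage: python imaps_check.py mail.example.net /path/to/ca.pem, from a
machine on the far side of the firewall. If you run it from the mail host
itself, 143 will of course answer (that is the loopback path sslwrap uses),
so the 143 finding only means something from outside.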
--
Shawn Robinson <srobins1@tps.tci.telus.com> wrote:
> You can use SSL (authenticated & encrypted) with SMTP, POP, and IMAP
> protocols. As for IMAP and POP, you may want to tunnel them to your
> existing servers with 'stunnel'.
> http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/
--
"Eugene Kanter" <eugene@blackcatlinux.com> wrote:
> Use ssl proxy. Netscape communicator works just fine. I guess
> openssl.org?
*****************
Thread 3: stunnel
--
"Iain Wade" <iwade@optusnet.com.au> wrote:
> All major clients (Outlook, Outlook Express, Netscape Messenger)
> support IMAP over an SSL tunnel.
>
> You can achieve this using the SSLeay and stunnel packages very
> easily.
>
> I cannot recall where I found a nice little FAQ which described the
> process, but I'm sure a few altavista searches will get you there.
>
> This is what I use and it seems ok so far.
--
"Kurt Seifried" <listuser@seifried.org> also wrote:
> ... SSL wrapping imap is easy, I cover
> it at http://www.securityportal.com/lasg/ in the mail server section,
> oops, I lied, I forgot to fold those changes in. Ok well go get
> OpenSSL, compile/install it, install a server cert, then get stunnel
> (ftp.zedz.net, in the replay directory, redhat, i386), install that
> and ssl wrap imap (one line in /etc/inetd.conf):
>
> simap stream tcp nowait root /usr/sbin/stunnel imapd -l imapd
Right on. Now I know more about stunnel.
--
Shawn Tagseth <stagseth@bbm.ca> wrote:
>
> If your clients that connect to the IMAP server are using netscape or
> Outlook (Express), both of them support IMAPS. You can set up an
> ssl-imap wrapper so that everything over the Internet travels IMAP-SSL,
> hits your linux box, gets decrypted and then redirected to IMAP on
> localhost. I've only tested it and not rolled it out. The best part
> about it is that you don't have to replace your IMAP daemon.
>
> You'll need openSSL http://www.openssl.org
> and a wrapper (I've used sslwrap, but I've heard good things about
> stunnel as well)
> http://www.openssl.org/related/apps.html
>
> If you need to send messages you can set up the wrapper to handle SMTPS
> as well. Although if ALL your mail is going back out to the internet
> the overhead is wasted.
--
Petr Sulla <xsulla@informatics.muni.cz> wrote:
> You could use sslwrap or stunnel over a SSL connection, it works very nicely
> for me with both POP and IMAP.
> Just search for sslwrap and stunnel at www.freshmeat.net.
...
> I just came across a much better source:
>
> http://security.fi.infn.it/tools/stunnel/index-en.html
I found stunnel hard to get, but eventually got it.
*****************
Thread 4: Outlook Express
--
alex@cathy.uuworld.com wrote:
> JP Vossen <vossenjp@netaxs.com> wrote:
> > On Wed, 8 Dec 1999, Blair Lowe wrote:
> >
> > > Ideally we would like a secure (e-mail) system that is accessible from any
> > > laptop anywhere on the net.
> >
> > How about OWA using SSL (Outlook Web Access for Exchange 5.x (OWA is free from
> > MS)) using SSL on IIS? If you use Exchange, this is great, because you can
> > get your mail from any place that has an SSL browser, WITHOUT having to have
> > any other software (e.g. VPN software, IMAP client, etc.) installed on the
> > client machine. However, it is a bit tricky to install.
>
> Off topic.
True that Outlook Web Access is probably not available for LINUX, but
someone may have a LINUX laptop that connects to an NT server.
*****************
Thread 5: Zmailer
--
Shawn Robinson <srobins1@tps.tci.telus.com> also wrote:
> For SMTP, I'd suggest a native implementation, but you could tunnel it
> also. Zmailer (http://www.zmailer.org) is an SMTP server that recently
> introduced SSL SMTP that supports clients such as Netscape Communicator,
> and Outlook Express.
******************
Thread 6: IMP: a web based email server
--
"Peter H. Lemieux" <phl@cyways.com> wrote:
> How about IMP, a Web IMAP client written in PHP3, running on an Apache-SSL
> server?
>
> IMP: http://www.horde.org/imp/
> PHP: http://www.php.net
>
> You can read and send mail, attach files, manage folders, keep an
> addressbook, and use LDAP servers, all over the web. Not only would the
> authentication session be encrypted by SSL, so would the contents of the
> messages viewed.
> If you're uncomfortable leaving the message store on a publicly accessible
> machine, you can put it behind your firewall and point IMP at it through
> some kind of tunnel.
>
> If you want to be able to use an IMAP client that runs on the laptop, there
> is a standard port assignment (993) for secure IMAP using SSL/TLS. I know
> Netscape Communicator supports this, and I think MS Outlook does, too. You
> might want to look at one man's experience trying to construct a
> UW-IMAP+SSL server at
> http://www.terry.dtcc.edu/stanton/cs/admin/notes/ssl/.
>
******************
Thread 7: IPSec
Dean Thompson <Dean.Thompson@csse.monash.edu.au> wrote:
> You may want to investigate the SSL protocol to ensure you have an encrypted
> session when reading mail. Other than SSL, you may be able to use a system
> like IPSec to encrypt data on the network (although this requires a specific
> gateway encrypting all the traffic).
*****************
Thread 8: Kerberos AND gss
"Michael H. Warfield" <mhw@wittsend.com> wrote:
> Blair Lowe wrote:
> > We are wondering if anyone knows the security features of IMAP.
>
> Yeah, virtually none unless you add features like kerberos or gss.
Anyone know any links on these ones?
--
"Matthew B. Henniges" <matt@axl.net> wrote:
> You could use pop over ssl.
>
> There are several ssl proxies that can add ssl support to a non ssl server,
>
> stunnel, bjorb, and sslproxy come to mind.
>
> Some people report problems with outlook express's ssl support though...
Anyone know any links to bjorb?
Computer Engineering Inc.
http://www.compeng.net
Phone: 780 499 5687 (9 - 5 MST)
Fax: 780 435 0693 (24 Hours)