From owner-freebsd-chat@FreeBSD.ORG Fri May 30 20:05:09 2003
Date: Fri, 30 May 2003 23:04:11 -0400
From: Larry Sica
To: Nik Clayton
Cc: "Gray, David W", "'freebsd-chat@freebsd.org'"
Subject: Re: preferred email system
In-Reply-To: <20030530231441.GD55077@clan.nothing-going-on.org>
Message-Id: <8DA36D2D-9314-11D7-8F37-000393A335A2@mac.com>
List-Id: Non technical items related to the community

On Friday, May 30, 2003, at 07:14 PM, Nik Clayton wrote:

> On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
>>> Don't use the IMAP. Configure an MTA and where you can have mail
>>> delivered direct. Where it needs to come off a remote mail server,
>>> grab a copy of fetchmail and make it do its voodoo. Having an MTA on
>>> your local machine for just you is not just luxury - it's why you
>>> have Unix. :-)
>>>
>>
>> You run into one possible problem here. What if your ISP filters the
>> port incoming? Then you cannot access it remotely. Plus then you have
>> to make sure you keep on top of any possible holes/bugs/spammers. I
>> don't like running services out of my house unless I need to, mostly
>> because I don't have the time.
>
> The simple solution to this is to firewall off all the ports, and
> configure the app (the IMAP daemon, in this case) to only listen on
> localhost/127.0.0.1. Then set up SSH port forwarding.
>
> I do this, so the schematic looks something like:
>

Yes, you can do this. It comes down to if you have the time or will, heh.
I have attempted to reduce the systems in my house to as few as possible
for various reasons right now. In my case it's easier to just have a
hosting provider. What about AUPs? That is the real gotcha I guess.

> `---------------------------------'
>
> The beauty of this is that it works for any protocol[1], irrespective
> of whether or not the protocol has built in security support, or
> whether or not you want to go through the hassle of configuring it
> (e.g., most IMAP servers speak SSL, but you need to make sure the
> client and server interoperate).
>

Yes, IMAP w/ SSL is nice. I use it where I can. I wish dotmac did it.

> It also works pretty much anywhere, as long as you can reach port 22 on
> the Internet facing side of your server[2] -- no IPSec to configure, or
> other bits to worry about. And it works on any OS that has an SSH port
> forwarding app, which, apart from the *nix's, includes things like
> Windows, if that's important to you.
>

True. This would be trivial from my laptop, a TiBook. SSHAgent is an app
that does it for me w/o hassle.

> With this approach you need precisely one hole in the firewall for
> inbound traffic (port 22), and you need to trust exactly one daemon,
> sshd. Remote holes in the other daemons (IMAP, etc) don't matter[3],
> because the outside world can't get to them to exploit them.
>

True. I'd use getmail over fetchmail tho.

> N
>
> [1] OK, sensibly designed protocols only. Things like FTP in non-PASV
> mode don't count...
>

Heh, ok. I agree.

> [2] For example, you'd be surprised how many of those "Internet access
> in your hotel room" services will block ports 80 and 110 until
> you've paid the $20 a day charge, but leave port 22 open...
>

I've never had that; places I've stayed, if they had ethernet in the
room, didn't block ports unless I paid.

> [3] Or at least, don't matter as much. Obviously, if your IMAP server
> has an exploitable hole that gives the attacker root privs, *and*
> there's an ssh hole such that untrusted users can log in in order
> to then exploit the IMAP hole, all bets are off.
>

Well, cascading vuln is bad. I'd still patch as needed just in case.

--Larry
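The layout Nik describes (every daemon except sshd bound to loopback, IMAP reached through an SSH port forward), as an added example that is not part of this thread: a POSIX sh check that audits a constructed sockstat(1) listing for anything reachable from outside besides sshd on port 22, plus the matching client-side forward. The sample daemons, the user name and the host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a FreeBSD-style `sockstat -l`
# listing for the layout Nik describes. Every listener except sshd on
# port 22 must be bound to loopback, so only sshd is reachable from outside.

# Constructed sample in sockstat(1) column order:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS   FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22            *:*
cyrus    imapd      640   5  tcp4   127.0.0.1:143   *:*
cyrus    imapd      640   6  tcp4   *:993           *:*
root     sendmail   480   3  tcp4   127.0.0.1:25    *:*'

# Print one line per listener on a non-loopback address that is not sshd on
# port 22. Exit status 0 means clean, 1 means at least one finding.
audit_listeners() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                          # column header
        {
            addr = $6; sub(/:[^:]*$/, "", addr)   # strip the ":port" suffix
            port = $6; sub(/.*:/, "", port)       # keep only the port
            if (addr == "127.0.0.1" || addr == "::1") next
            if ($2 == "sshd" && port == "22") next  # the one intended hole
            print $2 " listens on " $6 " (not loopback)"
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Client side of the same setup: forward local port 1143 to the server's
# loopback-bound IMAP port through the single sshd hole. The user and host
# arguments are placeholders supplied by the caller.
imap_tunnel_cmd() {
    printf 'ssh -N -L 1143:127.0.0.1:143 %s@%s\n' "$1" "$2"
}

# Stand-alone run: the sample flags imapd on *:993 as a finding.
audit_listeners "$SAMPLE_SOCKSTAT" || :
imap_tunnel_cmd larry mail.example.invalid
```

Point the mail client at localhost:1143 while the forward is up; the IMAP daemon itself never needs a non-loopback socket.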