Date:      Mon, 2 Jun 2003 10:15:54 -0400 
From:      "Gray, David W" <David.W.Gray@NielsenMedia.com>
To:        "'Larry Sica'" <lomion@mac.com>, Nik Clayton <nik@freebsd.org>
Cc:        "'freebsd-chat@freebsd.org'" <freebsd-chat@freebsd.org>
Subject:   RE: preferred email system
Message-ID:  <F43D9B4FC6DE934A84DE391C6A84C2E9031F35E2@nmrusdunsx10.nmrlan.net>

Nik's system is what I use, essentially. I have 5 or 6
internal boxes (the wife has been understanding so far...)
that all can get to my main mailbox. From the outside,
it's either SSH tunneling (and Putty works just fine on
my work [win2K] machine), or SHTTP. In both cases, the
firewall is selective as to who can connect (bit me on
the butt once on vacation, fortunately I also had a 
modem connection in those days.)

SSH tunneling has done everything I need to do, and really
doesn't need much setup. On the server machine, it just
needs to allow tunneling, all else is done from the client.
Didn't even take much time :)



-----Original Message-----
From: Larry Sica [mailto:lomion@mac.com]
Sent: Friday, May 30, 2003 11:04 PM
To: Nik Clayton
Cc: Paul Robinson; Gray, David W; 'freebsd-chat@freebsd.org'
Subject: Re: preferred email system



On Friday, May 30, 2003, at 07:14  PM, Nik Clayton wrote:

> On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
>>> Don't use the IMAP. Configure an MTA and where you can have mail
>>> delivered direct. Where it needs to come off a remote mail server,
>>> grab a copy of fetchmail and make it do its voodoo. Having an MTA on
>>> your local machine for just you is not just luxury - it's why you
>>> have Unix. :-)
>>>
>>
>> You run into one possible problem here.  What if your ISP filters the
>> port incoming?  Then you cannot access it remotely.  Plus then you
>> have to make sure you keep on top of any possible holes/bugs/spammers.
>> I don't like running services out of my house unless I need to, mostly
>> because I don't have the time.
>
> The simple solution to this is to firewall off all the ports, and
> configure the app (the IMAP daemon, in this case) to only listen on
> localhost/127.0.0.1.  Then set up SSH port forwarding.
>
> I do this, so the schematic looks something like:
>

Yes you can do this.  It comes down to if you have the time or will 
heh.  I have attempted to reduce the systems in my house to as few as 
possible for various reasons right now.  In my case it's easier to just 
have a hosting provider.

What about AUPs?  That is the real gotcha, I guess.
>    `---------------------------------'
>
> The beauty of this is that it works for any protocol[1], irrespective
> of whether or not the protocol has built in security support, or
> whether or not you want to go through the hassle of configuring it
> (e.g., most IMAP servers speak SSL, but you need to make sure the
> client and server interoperate).
>

Yes, IMAP w/ SSL is nice.  I use it where I can.  I wish dotmac did it.

> It also works pretty much anywhere, as long as you can reach port 22 on
> the Internet facing side of your server[2] -- no IPSec to configure, or
> other bits to worry about.  And it works on any OS that has an SSH port
> forwarding app, which, apart from the *nix's, includes things like
> Windows, if that's important to you.
>

True.  This would be trivial from my laptop, a TiBook.  SSHAgent is an
app that does it for me w/o hassle.

> With this approach you need precisely one hole in the firewall for
> inbound traffic (port 22), and you need to trust exactly one daemon,
> sshd.  Remote holes in the other daemons (IMAP, etc) don't matter[3],
> because the outside world can't get to them to exploit them.
>

True.  I'd use getmail over fetchmail, though.


> N
>
> [1] OK, sensibly designed protocols only.  Things like FTP in non-PASV
>     mode don't count...
>

Heh, ok.  I agree.

> [2] For example, you'd be surprised how many of those "Internet access
>     in your hotel room" services will block ports 80 and 110 until
>     you've paid the $20 a day charge, but leave port 22 open...
>

I've never had that; places I've stayed, if they had Ethernet in the
room, didn't block ports unless I paid.

> [3] Or at least, don't matter as much.  Obviously, if your IMAP server
>     has an exploitable hole that gives the attacker root privs, *and*
>     there's an ssh hole such that untrusted users can log in in order
>     to then exploit the IMAP hole, all bets are off.
>

Well, a cascading vuln is bad.  I'd still patch as needed just in case.

--Larry
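The layout Nik describes in the thread (the IMAP daemon bound to 127.0.0.1, port 22 the only inbound hole, SSH port forwarding from the client) as an added example that is not part of any poster's message: the first function builds the client-side forwarding command, and the second is the check a practitioner would want on the server, a scan of listener lines for anything other than sshd reachable from outside the loopback. The host name, user, ports and the sockstat-style sample lines are all constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: mail.example.net is a
# placeholder SSH host; ports and sample listener lines are constructed.

# Client side: forward a local port to the server's loopback-only IMAP port.
# The resulting command is what you would type on the laptop or the win2K
# box (PuTTY exposes the same -L style forwarding in its tunnels dialog).
#   $1 = ssh host, $2 = local port to listen on, $3 = remote IMAP port
imap_tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$2" "$3" "$1"
}

# Server-side audit: read listener lines in the column order of FreeBSD's
# `sockstat -4l` (USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS)
# and print every tcp4 listener that is neither on 127.0.0.1 nor on port 22.
# Anything printed is a daemon the firewall rule alone is protecting, which
# is exactly what the "one hole, one trusted daemon" design wants to avoid.
# IPv6 (tcp6) lines are not handled here; ::1 would need different parsing.
exposed_listeners() {
    awk '$5 == "tcp4" {
        n = split($6, a, ":");
        addr = a[1]; port = a[n];
        if (addr != "127.0.0.1" && port != "22") print $2 " on " $6
    }'
}

# Constructed sample: sshd on all addresses, IMAP and IMAPS on loopback only,
# and a sendmail listener that was left on the wildcard address by mistake.
SAMPLE_LISTENERS='root sshd 512 4 tcp4 *:22 *:*
root imapd 600 5 tcp4 127.0.0.1:143 *:*
root imapd 601 5 tcp4 127.0.0.1:993 *:*
root sendmail 700 3 tcp4 *:25 *:*'

# Usage: show the tunnel command, then run the audit over the sample.
imap_tunnel_cmd mail.example.net 1143 143
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners
```

On a real box you would pipe `sockstat -4l` straight into `exposed_listeners` instead of the sample; an empty result means only sshd is reachable from the outside, and the IMAP client then talks to `localhost:1143` through the tunnel.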


