Date:      Sat, 31 May 2003 00:14:41 +0100
From:      Nik Clayton <nik@freebsd.org>
To:        Larry Sica <lomion@mac.com>
Cc:        "'freebsd-chat@freebsd.org'" <freebsd-chat@freebsd.org>
Subject:   Re: preferred email system
Message-ID:  <20030530231441.GD55077@clan.nothing-going-on.org>
In-Reply-To: <94D0A88E-92B8-11D7-87FC-000393A335A2@mac.com>
References:  <20030530152423.GE84666@iconoplex.co.uk> <94D0A88E-92B8-11D7-87FC-000393A335A2@mac.com>


On Fri, May 30, 2003 at 12:05:49PM -0400, Larry Sica wrote:
> >Don't use the IMAP. Configure an MTA and where you can have mail delivered
> >direct. Where it needs to come off a remote mail server, grab a copy of
> >fetchmail and make it do its voodoo. Having an MTA on your local machine
> >for just you is not just luxury - it's why you have Unix. :-)
> >
> 
> You run into one possible problem here.  What if your ISP filters the
> port incoming?  Then you cannot access it remotely.  Plus then you have
> to make sure you keep on top of any possible holes/bugs/spammers.   I
> don't like running services out of my house unless I need to, mostly
> because I don't have the time.

The simple solution to this is to firewall off all the ports, and
configure the app (the IMAP daemon, in this case) to only listen on
localhost/127.0.0.1.  Then set up SSH port forwarding.

I do this, so the schematic looks something like:

   .---------------------------------.
   | Laptop                          |
   |                                 |
   | .----------------------------.  |
   | | IMAP client                |  |
   | | connects to localhost:7143 |  |
   | `------+---------------------'  |
   |        |                        |
   | .------v---------------------.  |
   | | ssh daemon                 |  |
   | | listens on localhost:7143  |  |
   | | forwards to remote:22      |  |
   | `-----------------+----------'  |
   `------------------]|[------------'
                       |              <-- Untrusted Internet connection
                       |
   .------------------]|[------------.
   | Server            |             |
   |                   |             |
   | .-----------------v----------.  |
   | | ssh daemon                 |  |
   | | listens on port 22         |  |
   | | forwards to localhost:143  |  |
   | `------+---------------------'  |
   |        |                        |
   | .------v---------------------.  |
   | | IMAP daemon                |  |
   | | Listens on localhost:143   |  |
   | `----------------------------'  |
   `---------------------------------'

The beauty of this is that it works for any protocol[1], irrespective of
whether or not the protocol has built in security support, or whether or
not you want to go through the hassle of configuring it (e.g., most IMAP
servers speak SSL, but you need to make sure the client and server
interoperate).

It also works pretty much anywhere, as long as you can reach port 22 on
the Internet facing side of your server[2] -- no IPSec to configure, or
other bits to worry about.  And it works on any OS that has an SSH port
forwarding app, which, apart from the *nixes, includes things like
Windows, if that's important to you.

With this approach you need precisely one hole in the firewall for
inbound traffic (port 22), and you need to trust exactly one daemon,
sshd.  Remote holes in the other daemons (IMAP, etc) don't matter[3],
because the outside world can't get to them to exploit them.

N

[1] OK, sensibly designed protocols only.  Things like FTP in non-PASV
    mode don't count...

[2] For example, you'd be surprised how many of those "Internet access
    in your hotel room" services will block ports 80 and 110 until
    you've paid the $20 a day charge, but leave port 22 open...

[3] Or at least, don't matter as much.  Obviously, if your IMAP server
    has an exploitable hole that gives the attacker root privs, *and*
    there's an ssh hole such that untrusted users can log in in order
    to then exploit the IMAP hole, all bets are off.
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)

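The setup Nik sketches above, as an added example (not code from the original message or from the FreeBSD project): the laptop side of the tunnel is the ssh client's `-L` listener on 127.0.0.1:7143, and the server side is a check that the IMAP daemon really is bound to loopback only, since the whole scheme depends on that. The hostname `user@server.example.org` is a placeholder, and the listener tables fed to the check are constructed sample data standing in for what `sockstat -4 -l` (FreeBSD) or `ss -ltn` (Linux) would show.

```shell
#!/bin/sh
# Added example, not from the original message.  Builds the laptop-side
# SSH port forward from the diagram and checks that the server's IMAP
# daemon listens on loopback only.

REMOTE="user@server.example.org"   # assumption: your server's SSH endpoint
LOCAL_PORT=7143                    # local end, as in the diagram
IMAP_PORT=143                      # IMAP daemon on the server, loopback only

# The ssh invocation that binds 127.0.0.1:$1 on the laptop and forwards it
# through the tunnel to 127.0.0.1:$2 on the server.  Binding the local end
# to 127.0.0.1 explicitly keeps it off the laptop's LAN interfaces; -N means
# "no remote command, just the forward".
build_forward_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s\n' "$1" "$2" "$3"
}

# Given listener lines of the form "address:port" (one per line), report any
# listener on the IMAP port that is not bound to 127.0.0.1.  Returns 0 when
# the IMAP daemon is loopback-only, 1 when something is exposed.
imap_loopback_only() {
    port="$1"
    printf '%s\n' "$2" | awk -v port="$port" '
        BEGIN { pat = ":" port "$" }
        $1 ~ pat {
            split($1, a, ":")
            if (a[1] != "127.0.0.1") { bad = 1; print "exposed: " $1 }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample listener tables: a correct server (IMAP on loopback,
# only sshd on all interfaces) and a misconfigured one (IMAP on 0.0.0.0).
GOOD="127.0.0.1:143
0.0.0.0:22"
BAD="0.0.0.0:143
0.0.0.0:22"

build_forward_cmd "$LOCAL_PORT" "$IMAP_PORT" "$REMOTE"
imap_loopback_only "$IMAP_PORT" "$GOOD" && echo "IMAP is loopback-only: ok"
imap_loopback_only "$IMAP_PORT" "$BAD" || echo "IMAP is reachable from outside: fix the bind address"
```

With the forward running, the IMAP client is pointed at `localhost:7143` exactly as in the diagram; the server-side check is worth re-running after any IMAP daemon upgrade, because a package update that resets the bind address silently reopens the port the firewall rule and the tunnel were meant to hide.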