[Dovecot] secure email server

Robert Schetterer rs at sys4.de
Wed Oct 23 16:05:02 EEST 2013


On 23.10.2013 13:16, BONNET, Frank wrote:
> my first question is: are postfix and dovecot able to use an
> encrypted filesystem such as Encfs?

i am not an expert with crypto filesystems, but from my view, depending on
"mail" this would be a feature "on top" (additional to e.g. vpn, ssl,
tls, gpg), the main problem may ever be, you have to mount the
mailbox partition read/writable to dovecot, so you might not get what
you're hoping to get from the security side

> 
> For the access question, yes I will use a Juniper firewall (is it
> safe to use Juniper?) to filter IMAP and SMTP access from the
> outside and the LAN

that looks also "on top" to me, if this is a "closed net" you might
choose ports with ssl/tls as you like, or simply "start" only secure
standard ports, an additional overlay with a local firewall, using a
border firewall too, should not hurt anyway

the mail setup you're aiming for is deeply related to the "paranoid" level you
have/want to match, let me give an example: however you manage super
secure servers incl. vpn, ssl, tls, gpg, but your users have insecure
client computers and/or OS types, there will ever be a hole to break
in, also from paranoia level high.. it shouldn't be allowed to connect
to that system with e.g. imap clients which are not open software,
closed software may enable spying before any crypto mechanism has taken place.
At the end there will ever be code bugs.

So there is no "secure" mail server, there will ever exist a mail
setup which matches the security level you want or have to match.

> 
> And yes STARTTLS will be used for both SMTP & IMAP access
> 
> 
> *Frank BONNET*
> 
> UNIX and Network Systems
> 
> ESIEE PARIS
> 
> 01.45.92.66.17 - 06.70.37.37.69
> 
> 
> 2013/10/23 Steffen Kaiser <skdovecot at smail.inf.fh-brs.de>
> 
>> On Wed, 23 Oct 2013, BONNET, Frank wrote:
>> 
>>> I have to setup a "secured" email server
>>> 
>>> - encrypted filesystem
>> 
>> hmm. First define what "encrypted" means in this case, the whole
>> partition with one master key, encrypted for each user, ... . For
>> the first, several block device level approaches exist, for the
>> latter check out AFS or Encfs.
>> 
>>> - SSL or TLS only for SMTP and IMAPS
>> 
>> Well, if you use an inspecting firewall, that checks the traffic,
>> you will be on the safe side of life.
>> 
>> Does IMAPS mean: no STARTTLS over IMAP? Then drop the imap
>> listener in Dovecot.
>> 
>>> - Talking only to some known other same-secured servers
>> 
>> use an IP firewall.
>> 
>> -- Steffen Kaiser
> 

Best Regards
Kind regards, Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
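Added example, not part of this thread or of Dovecot's own documentation: a Dovecot 2.x configuration fragment that implements the suggestion above (drop the cleartext imap listener, keep only IMAPS) and refuses logins that are not TLS-protected. The file location, certificate paths and hostname are assumed placeholders.

```conf
# Assumed location (placeholder): /etc/dovecot/conf.d/10-ssl.conf

# Refuse authentication unless the session is already TLS-protected.
# "ssl = yes" would only offer STARTTLS; "required" rejects plaintext logins
# even if a client (or a downgrade attempt on the wire) skips STARTTLS.
ssl = required
# Certificate and key paths are placeholders; the leading "<" tells Dovecot
# to read the file contents instead of using the string literally.
ssl_cert = </etc/dovecot/private/mail.example.org.pem
ssl_key = </etc/dovecot/private/mail.example.org.key

# Weak variant, shown for comparison only (this is the stock layout):
# the imap listener on 143 accepts a cleartext connection and relies on the
# client choosing STARTTLS before it authenticates.
#service imap-login {
#  inet_listener imap {
#    port = 143
#  }
#}

# Hardened variant: port = 0 disables the cleartext listener completely, so
# only implicit-TLS IMAPS on 993 remains and no STARTTLS step is involved.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
```

After reloading Dovecot, `doveconf -n` shows the effective (non-default) settings, so the disabled listener and `ssl = required` can be confirmed there rather than trusted from the edited file.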