Hello,
Replies inline...
Patrick Nagel wrote:
Hi Richard,
On 2009-09-03 16:38, Richard Hobbs wrote:
Currently, on our new test server, I am offering IMAP on 143 and POP3 on 110.
We would like to enable security on both of these protocols to attempt to eliminate the risk from an internal password-grabbing/content-grabbing attack.
I presume this would mean enabling SSL, and a more secure authentication, right? Or are plain text passwords just sent over the SSL, and therefore perfectly secure?
Yes, plain text passwords are fine with SSL/TLS, since the connection gets secured before the password is sent.
OK, I'll do that then, unless it's not commonly what's done for some reason...
Also, what are the steps to enable security for these protocols on an already-configured server?
Is it possible to offer encrypted and non-encrypted services simultaneously, so people have a choice of whether they want security or not? I know that's a bit weird, but for testing it would be useful.
No problem. Basically you just need to specify the certificate (ssl_cert_file) and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to 'protocols'.
Thanks for the advice - how do I generate ssl cert files and ssl key files? Also, various people access our mail server over IP, or various different hostnames - can all of those be built into the key/cert files so they aren't continually warned about hostname mismatches?
Finally, is there a way to monitor which users are connecting over the secure ports and which users are connecting over the non-secure ports?
You can see it in the log.
Excellent.
Thanks again, Richard.
--
Richard Hobbs (IT Specialist)
Toshiba Research Europe Ltd. - Cambridge Research Laboratory
Email: richard.hobbs@crl.toshiba.co.uk
Web: http://www.toshiba-europe.com/research/
Tel: +44 1223 436999
Mobile: +44 7811 803377
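As an added example (not code from the thread, and not Dovecot's own), this POSIX shell script answers the cert-generation question above: it builds an OpenSSL config whose subjectAltName lists every hostname and IP address clients use, so none of them gets a hostname-mismatch warning, then issues a self-signed key and certificate for the ssl_cert_file / ssl_key_file settings Patrick mentioned. All names and paths in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Dovecot: self-signed key and
# certificate with a subjectAltName covering several hostnames and IPs.
# All names and paths below are placeholders.
set -eu

# Print an OpenSSL request config with a SAN extension.
# Arguments: common name, then any number of hostnames or IPv4 addresses.
make_san_config() {
    cn=$1; shift
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_san\nprompt = no\n\n'
    printf '[dn]\nCN = %s\n\n[v3_san]\nsubjectAltName = @alt_names\n\n[alt_names]\n' "$cn"
    d=1; i=1
    for name in "$@"; do
        case $name in
            *[!0-9.]*) printf 'DNS.%d = %s\n' "$d" "$name"; d=$((d+1)) ;;  # hostname
            *)         printf 'IP.%d = %s\n'  "$i" "$name"; i=$((i+1)) ;;  # dotted IPv4
        esac
    done
}

# Create the private key and a 10-year self-signed cert in OUTDIR.
# Usage: make_selfsigned OUTDIR CN NAME...
make_selfsigned() {
    out=$1; cn=$2; shift 2
    make_san_config "$cn" "$@" > "$out/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$out/dovecot.key" -out "$out/dovecot.pem" \
        -config "$out/san.cnf" 2>/dev/null
    chmod 600 "$out/dovecot.key"   # private key: readable by root only
}

# Dovecot then needs (placeholder paths; imap/pop3 stay for the plain ports):
#   protocols     = imap imaps pop3 pop3s
#   ssl_cert_file = /etc/ssl/certs/dovecot.pem
#   ssl_key_file  = /etc/ssl/private/dovecot.key

# Stand-alone use: sh thisfile.sh OUTDIR CN NAME...  (prints the resulting SAN)
if [ $# -ge 3 ]; then
    make_selfsigned "$@"
    openssl x509 -in "$1/dovecot.pem" -noout -text | grep -A1 'Subject Alternative Name'
fi
```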