On 23.10.2013 13:16, BONNET, Frank wrote:
My first question is: are Postfix and Dovecot able to use an encrypted filesystem such as EncFS?
I am not an expert with crypto filesystems, but from my view, depending on "mail", this would be a feature "on top" (additional to i.e. VPN, SSL, TLS, GPG); the main problem may always be that you have to mount the mailbox partition read/writable for Dovecot, so you might not get what you're hoping to get from the security side.
For the access question, yes, I will use a Juniper firewall (is it safe to use Juniper?) to filter IMAP and SMTP access from the outside and the LAN.
That looks also "on top" to me. If this is a "closed net", you might choose ports with SSL/TLS as you like, or simply "start" only the secure standard ports; an additional overlay with a local firewall, using a border firewall too, should not hurt anyway.
The mail setup you're aiming for is deeply related to the "paranoid" level you have/want to match. Let me give an example: however well you manage super secure servers incl. VPN, SSL, TLS, GPG, if your users have insecure client computers and/or OS types there will always be a hole to break in, also at paranoia level high... It shouldn't be allowed to connect to that system with i.e. IMAP clients which are not open software; closed software may enable spying before any crypto mechanism has taken place. In the end there will always be code bugs.
So there is no "secure" mail server; there will only ever exist a mail setup which matches the security level you want or have to match.
And yes, STARTTLS will be used for both SMTP & IMAP access.
*Frank BONNET*
UNIX Systems and Networks
2013/10/23 Steffen Kaiser <skdovecot@smail.inf.fh-brs.de>
On Wed, 23 Oct 2013, BONNET, Frank wrote:
I have to set up a "secured" email server
- encrypted filesystem
Hmm. First define what "encrypted" means in this case: the whole partition with one master key, encrypted for each user, ... For the first, several block-device-level approaches exist; for the latter, check out AFS or EncFS.
- SSL or TLS only for SMTP and IMAPS
Well, if you use an inspecting firewall that checks the traffic, you will be on the safe side of life.
Does IMAPS mean: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
- Talking only to some known other same-secured servers
Use an IP firewall.
-- Steffen Kaiser
Best Regards, Robert Schetterer
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263. Board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer. Chairman of the supervisory board: Florian Kirstein
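As an added example (not from this thread), this is how the points raised above, mandatory STARTTLS with no plaintext login, optionally no cleartext IMAP listener at all, and mandatory TLS only towards known peer servers, look in a Dovecot 2.x and Postfix configuration. The certificate paths, the hostnames and the policy-map file are assumptions for the example.

```conf
# ---- Dovecot 2.x: /etc/dovecot/conf.d/10-ssl.conf ----
# Weak setting: "ssl = yes" only offers STARTTLS, a client may still log in
# in cleartext. "ssl = required" rejects every IMAP command except STARTTLS
# until TLS is up.
ssl = required
# Placeholder paths for this example
ssl_cert = </etc/dovecot/certs/imap.example.org.pem
ssl_key = </etc/dovecot/private/imap.example.org.key
# Never accept a password over an unencrypted connection
disable_plaintext_auth = yes

# ---- Dovecot 2.x: /etc/dovecot/conf.d/10-master.conf ----
# If "IMAPS only" is meant literally (no STARTTLS on 143), disable the
# imap listener with port = 0 and keep only implicit TLS on 993.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}

# ---- Postfix: /etc/postfix/main.cf ----
# Inbound: "may" would only advertise STARTTLS; "encrypt" refuses mail and
# authentication before TLS is negotiated. Suitable for the closed setup
# discussed above, not for a public MX that must accept cleartext.
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.org.pem
smtpd_tls_key_file = /etc/postfix/private/mail.example.org.key
# Outbound: opportunistic TLS by default, but a per-destination policy map
# pins the known peer servers to mandatory, certificate-verified TLS.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# /etc/postfix/tls_policy (build with "postmap"), one entry per peer domain:
#   partner.example.net   secure
```

With these settings a cleartext login attempt on 143 fails before any password is sent, and mail to the listed peers is refused rather than delivered if their certificate does not verify.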