If you are going to use an imap proxy for security reasons, consider using a software DIFFERENT than in your real mailboxes. If you use dovecot in your backend, you could use perdition in the frontend.
Regards
Maria
----- Original Message ----- From: Ed W Sent: 11/03/11 11:31 AM To: Dovecot Mailing List Subject: Re: [Dovecot] Imap/pop gateway
On 31/10/2011 22:20, nuno marques wrote: > > > > Hello, > How can i make a imap/pop gateway? that is, putting the mailboxes on a server on the internal network and put the gateway in the dmz. > The question isn't entirely clear, but I *think* you just want to use the normal "proxy" feature of dovecot. This accepts connections on one machine, examines them until the end of the auth stage and passes them onto some other machine based on the results of the auth process Also there are other imap/pop proxies such as nginx That said I'm not sure how much security this really buys you versus port forwarding POP/IMAP ports to your real server? If the proxy machine were to get hacked (over imap?) then the same hack can jump from the proxy to the real server. Also your only exposure in each case is via POP/IMAP, which means you would be mainly chasing buffer overflow vulnerabilities and the like. These can also be mitigated by chrooting the server machine (please consider virtualisation options, it's usually simpler/faster/saner, eg see my favourite: linux-vservers), MAC controls on the dovecot process (grsec/selinux, etc), and compiler extensions (gcc hardened) Good luck Ed W
participants (1)
-
Maria Arrea