Date: Tue, 29 Oct 2013 08:54:04 +0100 From: Robert Schetterer rs@sys4.de To: dovecot@dovecot.org Subject: Re: [Dovecot] Encryption solution for messages at rest Message-ID: 526F699C.9080402@sys4.de Content-Type: text/plain; charset=ISO-8859-1

you shouldnt host mail/imap services on the same servers with massive http hosting,

You shouldn't host anything else on a webserver FULLSTOP.

Webservers are best treated as "disposable" and should be heavily sandboxed. Any resources they can use should be vetted and ideally set as "read only"

Inbound external access should be firewalled down to the webserver ports and OUTBOUND traffic should be firewalled too (If it has no business initiating external connections then block all SYNs), in order to stop it becoming a DDoS zombie.

It's foolish (at best) to have mail servers running on a webserver, because if it's compromised it can immediately be used as a spam engine without much further effort.

At least if it has to hand mail off to another mailserver you have a chance to run outbound filtering on the emitted mail without worrying about that being compromised too.