[Dovecot] secure email server
Hello
I have to setup a "secured" email server
- encrypted filesystem
- SSL or TLS only for SMTP and IMAPS
- Talking only to some known other same-secured servers
Any info/links welcome !
Please do not start some flame war around this !
I've been ordered to set up such server and I KNOW there are probably security holes but nothing's perfect so a starting point is necessary
*Thank you for any infos*
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 23 Oct 2013, BONNET, Frank wrote:
I have to setup a "secured" email server
- encrypted filesystem
hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.
- SSL or TLS only for SMTP and IMAPS
Well, if you use an inspecting firewall, that checks the traffic, you will be on the save side of life.
Does IMAPS means: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
- Talking only to some known other same-secured servers
use an IP firewall.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUmd8+l3r2wJMiz2NAQIgVAf+Jx3D8hOty+6vDZ8O5jfU0CoLRr8w/8AR xqKpZ3+oTd5AR7PsK7YjI+PbW1h3NAgYHn9ms8ANDbG2bdEYUoVg6TNjXFtom1Rp dIDrTWeZg/8ese+EtxtG2UZeUS11rP41xpQzpKCHjvO/4Ght0aM5sXonkiLNX/39 NffNOhUB1hCF7eFeVmnm3aexr+bKY8b6MqmRKRXQZsgghoNcAxu0sSXd3+02t/ty brLLhzg3oTPaePSQ72x3FNklhpntyHGOELF8Lun8xCn9hsHCPhBQYRE0eW3G3Qyp TDCix5UZh7hx8BqNmy3DqIKQza9/M9h+MHpd4j+UL+GOHC324JwAJg== =WULk -----END PGP SIGNATURE-----
my first question is : does postfix and dovecot are able to use an encrypted filesystem such as Encfs ?
For the access question , yes I will use a Juniper firewall ( is it safe to use Juniper ? )to filter IMAP and SMTP access from the outside and the LAN
And yes STARTTLS will be used for both SMTP & IMAP access
*Frank BONNET*
Systemes UNIX et Reseaux
ESIEE PARIS
01.45.92.66.17 - 06.70.37.37.69
2013/10/23 Steffen Kaiser skdovecot@smail.inf.fh-brs.de
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 23 Oct 2013, BONNET, Frank wrote:
I have to setup a "secured" email server
- encrypted filesystem
hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.
- SSL or TLS only for SMTP and IMAPS
Well, if you use an inspecting firewall, that checks the traffic, you will be on the save side of life.
Does IMAPS means: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
- Talking only to some known other same-secured servers
use an IP firewall.
- -- Steffen Kaiser
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUmd8+**l3r2wJMiz2NAQIgVAf+Jx3D8hOty+**6vDZ8O5jfU0CoLRr8w/8AR xqKpZ3+oTd5AR7PsK7YjI+**PbW1h3NAgYHn9ms8ANDbG2bdEYUoVg**6TNjXFtom1Rp dIDrTWeZg/8ese+**EtxtG2UZeUS11rP41xpQzpKCHjvO/**4Ght0aM5sXonkiLNX/39 NffNOhUB1hCF7eFeVmnm3aexr+**bKY8b6MqmRKRXQZsgghoNcAxu0sSXd**3+02t/ty brLLhzg3oTPaePSQ72x3FNklhpntyH**GOELF8Lun8xCn9hsHCPhBQYRE0eW3G**3Qyp TDCix5UZh7hx8BqNmy3DqIKQza9/**M9h+MHpd4j+UL+GOHC324JwAJg== =WULk -----END PGP SIGNATURE-----
On 2013-10-23 13:21, Reindl Harald wrote:
Am 23.10.2013 13:16, schrieb BONNET, Frank:
my first question is : does postfix and dovecot are able to use an encrypted filesystem such as Encfs?
dovecot and postfix are userland-applications it's not their job to bother about a filesystem this is a kernel-task
Not all userland applications work equally well with all filesystems (consider programs which work poorly with NFS because they are built around the assumption that certain syscalls are fast).
- Frerich
On Mit, 2013-10-23 at 15:21 +0200, Frerich Raabe wrote:
On 2013-10-23 13:21, Reindl Harald wrote:
Am 23.10.2013 13:16, schrieb BONNET, Frank:
my first question is : does postfix and dovecot are able to use an encrypted filesystem such as Encfs?
dovecot and postfix are userland-applications it's not their job to bother about a filesystem this is a kernel-task
Not all userland applications work equally well with all filesystems (consider programs which work poorly with NFS because they are built around the assumption that certain syscalls are fast).
That assumption is somewhat optimistic and - thus - these applications are obviously buggy.
Since Dovecot works on NFS, it should work with almost all filesystems and (relatively) slow ones too. And MTAs (like postfix) are also build for (and used in) large systems so they should better work on NFS and slow I/O too.
Bernd-- Bernd Petrovitsch Email : bernd@petrovitsch.priv.at LUGA : http://www.luga.at
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Am 23.10.2013 13:16, schrieb BONNET, Frank:
my first question is : does postfix and dovecot are able to use an encrypted filesystem such as Encfs ?
i am not an expert with crypto filesystems, but from my few, depend to "mail" this would be a feature "on top" ( additional to i.e vpn, ssl, tls, gpg ) , the main problem may be ever, you have to mount the mailbox partition read/writable to dovecot, so you might not get what youre hoping to get from the security sight
For the access question , yes I will use a Juniper firewall ( is it safe to use Juniper ? )to filter IMAP and SMTP access from the outside and the LAN
that looks also "on top" to me, if this is a "closed net" you might choose ports with ssl/tls what you like, or simply "start" only secure standard ports, additional overlay with local firewall, using a boarder firewall too, should not hurt anyway
the mail setup youre goal is deeply relate to the "paranoid" level you have/want to match, let me give an example, however you manage super secure servers inkl vpn, ssl, tls , gpg, but your users have insecure client computers and/or Os Types there will be ever a hole ,to brake in, also from paranoia level high.. ,it shouldnt be allowed to connect to that system with i.e imap clients which are not open software, closed software may enable spy before any crypt mech has taken place. At the end there will be ever code bugs.
So there is no "secure" mail server , there ever will exist a mail setup which match the security level you want or have to match.
And yes STARTTLS will be used for both SMTP & IMAP access
*Frank BONNET*
Systemes UNIX et Reseaux
ESIEE PARIS
01.45.92.66.17 - 06.70.37.37.69
2013/10/23 Steffen Kaiser skdovecot@smail.inf.fh-brs.de
On Wed, 23 Oct 2013, BONNET, Frank wrote:
I have to setup a "secured" email server
- encrypted filesystem
hmm. First define what "encrypted" means in this case, the whole partition with one master key, encrypted for each user, ... . For the first, several block device level approaches exist, for the latter check out AFS or Encfs.
- SSL or TLS only for SMTP and IMAPS
Well, if you use an inspecting firewall, that checks the traffic, you will be on the save side of life.
Does IMAPS means: no STARTTLS over IMAP? Then drop the imap listener in Dovecot.
- Talking only to some known other same-secured servers
use an IP firewall.
-- Steffen Kaiser
Best Regards MfG Robert Schetterer
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iQEcBAEBAgAGBQJSZ8l4AAoJEP8jBObu0LlEmQEH/ioFzWv3RWX3amK0pdEMPUF8 0w5S8uLO2Ho2TsajzaJrKPSj3ln3uLcAjtvMn/iYh/0SyR2ksRzX9jZMk2MSXKgu pww8Xfv/d75/tJ+mcdzRUy/lvB0z0XcqkbWQdRuAUq/wNwzOddX1p1WJX5LTFoyv qR8OIsn66JwGsUAdrmgKkCWe/FBjr9YQ0JJ1AOiXc1FcU+shceAhMelJKpi9PTzX FbOjRVRywpmxT+z4aiPS2XeSWe3N2TCXGwINFZUMJcgWkX77CeTH6Z7NIq2cCnWk gbTpqU6eTThuWfKvf9V5tVgSNo+sLk2J5pfJFOFLe+ZdNMK1CN7kKRCGxJEW2wI= =qKE5 -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On Wed, 23 Oct 2013, Robert Schetterer wrote:
Am 23.10.2013 13:16, schrieb BONNET, Frank:
my first question is : does postfix and dovecot are able to use an encrypted filesystem such as Encfs ?
i am not an expert with crypto filesystems, but from my few, depend to "mail" this would be a feature "on top" ( additional to i.e vpn, ssl, tls, gpg ) , the main problem may be ever, you have to mount the mailbox partition read/writable to dovecot, so you might not get what
With PAM you can mount AFS and EncFS user volumes with the user password transparently. (Well, I did not used EncFS in production, but in theory). So, each Dovecot process would run with special user privilegues to access the user's mails.
That however imposes the problem, how mails are delivered into the mail storage without some sort of master user, because the MDA does not gain the user privilegues without the user's password. Maybe, for that a "pending INBOX" had to be created, from where the user slurps the new mails on login with the snarf plugin.
youre hoping to get from the security sight
Yes, I agree.
And yes STARTTLS will be used for both SMTP & IMAP access
With Dovecot you can use the "secure" variable, dunno if this works with PMA though.
Steffen Kaiser -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux)
iQEVAwUBUmftwl3r2wJMiz2NAQIPpQgAt3O3fZ68L2XyAOvTE9vmaiAQfuRIqoIK 6L5kBogZ+l8cESdlX5L/sotsOaMTWd4UisapvtsAurLavOQgB7rOBK7+/RVWX9Mj n5pPHNBK7T0V8n6p1NI74jpsEkNuWRk4D7UGP0wa1Jypul50rF/icZHjJfeP011p tQsgfziSZRZSi9cwSFFYUMPAqagljyQyr8nQ5D7DtrUd9rcbvfAkXACIPx8jjAUz g1sr0vprv44poLSjh7djBgDFSN4hbViynj86i8YMf10RYq8s9eNnEhHrzeVpVdj+ BlwvafT+TMl7NdFPnqYZHj1difp70YH00LM/INZfZWfRxCENjGo/TQ== =AHnD -----END PGP SIGNATURE-----
participants (6)
-
Bernd Petrovitsch
-
BONNET, Frank
-
Frerich Raabe
-
Reindl Harald
-
Robert Schetterer
-
Steffen Kaiser