[Dovecot] dovecot security with IPv6
Hi Timo, hi all others!
In fact, I've only read one person claiming that IPv6 support opens up "too many backdoors" [1], but anyway, as I intend to run just particular services, please give me your opinion if it's insecure to have a dovecot server, which is accessed through a public IPv6 address... (or note just shortly what else could give a firm ground to such claims...)
On 06/23/2011 02:23 AM, Kārlis Repsons wrote:
Hi Timo, hi all others!
In fact, I've only read one person claiming that IPv6 support opens up "too many backdoors" [1], but anyway, as I intend to run just particular services, please give me your opinion if it's insecure to have a dovecot server, which is accessed through a public IPv6 address... (or note just shortly what else could give a firm ground to such claims...)
I can't think of any backdoors introduced in IPv6. The trouble I foresee with IPv6 and email won't concern Dovecot, but some spam filtering.
Since the IPv6 address space is large, people can't expect to be successful by blocking spammers IP addresses one-by-one. Instead they will end up blocking entire subnets if that's a route they choose to go.
I know that Dovecot slows down/delays login attempts with multiple authentication failures. I guess the question to ask is whether this is source IP-based, or user name-based, or both. Anyone know the answer to this?
If it's source IP-based, then if I was an attacker with an IPv6 subnet assigned to me, I would just come at it with a different IP address each time to avoid the slowdown.
In short, that's the only real potential issue I could see.
Willie
That clown is a tad over paranoid...
The only real issue with devices using ipv6 is that most people become relaxed with security, preferring with ipv4 to do it all on the NAT box, with ipv6 there is no NAT, so if you have 5 machines, you need to configure full security on all. If you're an ISP/OSP/ESP, then you should already have appropriate security via your router and server, just remember though, if using linux you need to use ip6tables -as well as- iptables in your firewall rules script.
There is absolutely NO security risk in exposing any server port to the net, be it dovecot, apache, or bind ... or, whatever.
On Thu, 2011-06-23 at 08:23 +0000, Kārlis Repsons wrote:
Hi Timo, hi all others!
In fact, I've only read one person claiming that IPv6 support opens up "too many backdoors" [1], but anyway, as I intend to run just particular services, please give me your opinion if it's insecure to have a dovecot server, which is accessed through a public IPv6 address... (or note just shortly what else could give a firm ground to such claims...)
At 01:23 23-06-2011, KÄrlis Repsons wrote:
particular services, please give me your opinion if it's insecure to have a dovecot server, which is accessed through a public IPv6 address...
If you do not consider it as secure to run a Dovecot server on a public IPv4 address, the same applies for IPv6.
Regards, -sm
participants (4)
-
Kārlis Repsons
-
Noel Butler
-
SM
-
Willie Gillespie