On Tue, Jan 07, 2003 at 01:25:34PM -0500, Doug Koobs wrote:
> I'm running a RH 8 server for SMTP, IMAP, and webmail services. It's
> running imap-2001a-15, php-imap-4.2.2-8.0.5, and squirrelmail-1.2.8-1,
> along with pop-before-smtp. When I access my mailbox over the Internet
> from either an IMAP client such as Outlook Express, or access Webmail via
> a browser, the authentication is not encrypted, and as far as I can see, I
> am sending my username and password clear-text over the Internet. Any
> pointer on how I can make this more secure? Thanks!!
Use SSL.
There's an SSL enabled version of uw-imap (imap2001a) that you
may use. In a pinch, you can use stunnel (stunnel.org) to wrap any
IMAP/POP3 server.
Outlook Express supports SSL encrypted sessions. SSL POP3 uses the well
known port 993, and SSL IMAP uses port 995.
If you're ultra paranoid, you may use the old IANA previously reserved port
of 465 for SSL SMTP from older Mozilla and Microsoft mailers. IANA
killed this however, 465 is no longer officially a reserved port for
this purpose. Be forewarned: the correct method for supporting SSL SMTP now
is with the ESMTP "STARTTLS" command - you will need a newer version of
sendmail to support this.
You should apache mod_ssl your squirrelmail as well, if you haven't
already. I prefer IMP/HORDE - which supports SSLed IMAP/POP3 natively
should your web server be on a different box than your mail server.
Having just went through the pain of converting my blenke.com mail to
DRAC enabled uw-imap-ssl-2001a and sendmail with STARTTLS, I can
honestly say that things should be easier than this ;)
- Ian C. Blenke <ian@blenke.com> <icblenke@nks.net> http://ian.blenke.com
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 13:00:57 EDT