[Swlug] imap server and smartphone

Dave Cridland dave at cridland.net
Fri Sep 23 08:54:59 UTC 2016


On 23 September 2016 at 08:30, Justin Mitchell via Swlug
<swlug at mailman.lug.org.uk> wrote:
> On Fri, 2016-09-23 at 02:53 +0100, Ben Tullis via Swlug wrote:
>> 3: You could open your IMAP port to the world, but protect it
>> cryptographically, then use an IMAP client on the phone
>>  - Use client-authenticating TLS so that you need to provide a valid
>> digital certificate before you can connect to the port
>>  - Add your self-signed CA and client certificates to your phone
>>  - You can generate your own self-signed CA certificate and client
>> certificate - Something like XCA can help here:
>> (http://xca.sourceforge.net/)
>>  - You can use stunnel (https://www.stunnel.org) to be the
>> authenticating proxy, so that you don't have to modify the Cyrus
>> configuration much, if at all.
>>  - If you have an Android phone, sometimes they complain when you add a
>> self-signed CA certificate. If it's rooted, you can get around this
>> with: CADroid
>> (https://play.google.com/store/apps/details?id=at.bitfire.cadroid&hl=en_GB)
>>
>
> If you don't fancy messing with self-signed CAs, and you have your own
> domain name you're using, you can get a widely trusted certificate for
> free these days quite easily.
>
> Sign up to either https://startssl.com or https://letsencrypt.org
> and create a free SSL/TLS certificate for your domain name.
>

NOT StartSSL - they seem to have been bought by a somewhat duplicitous
Chinese company.

Let's Encrypt are free, and the only mild downside is that their
certificates expire fairly quickly (but you just re-run the script and
get a new one). You also don't need your "own" domain name; they'll
cheerfully handle any stable domain name you have.

> Then enable TLS (STARTTLS) mode on your IMAP server, and on your SMTP
> server (for sending)

If you're running your own SMTP server, you want to run it with both
authentication and encryption, and on port 587 for submission. Port 25
is often blocked by ISPs.

This all said, with Cyrus and Postfix you're pretty solid, as long as
you've not done anything daft like enable plain-text logins without
TLS.
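
One way to check for the "plain-text logins without TLS" mistake mentioned above, as an added example that is not part of the original message: it audits the capability list an IMAP server advertises on the cleartext port before STARTTLS. The greeting lines, the host name mail.example.org and the function names are constructed for illustration.

```python
import imaplib
import re

# SASL mechanisms that send the password unprotected when no TLS is active.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Return the capability tokens from a greeting '[CAPABILITY ...]' code
    or from an untagged '* CAPABILITY ...' response."""
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)", line.strip(), re.I))
    return {tok.upper() for tok in m.group(1).split()} if m else set()

def audit_cleartext(line):
    """List the problems in what a server advertises BEFORE STARTTLS."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no capability list found"]
    findings = []
    if "STARTTLS" not in caps:
        findings.append("STARTTLS not offered on the cleartext port")
    if "LOGINDISABLED" not in caps:
        findings.append("LOGIN command allowed before TLS (LOGINDISABLED missing)")
    weak = sorted(c[5:] for c in caps
                  if c.startswith("AUTH=") and c[5:] in PLAINTEXT_MECHS)
    if weak:
        findings.append("plaintext SASL offered before TLS: " + ", ".join(weak))
    return findings

def live_capabilities(host, port=143):
    """Fetch the pre-TLS capability list from your own server (not run here)."""
    conn = imaplib.IMAP4(host, port)
    try:
        return "* CAPABILITY " + " ".join(conn.capabilities)
    finally:
        conn.logout()

# Constructed sample greetings, not captured from a real server.
GOOD = "* OK [CAPABILITY IMAP4rev1 LITERAL+ ID STARTTLS LOGINDISABLED] mail.example.org ready"
BAD = "* OK [CAPABILITY IMAP4rev1 ID AUTH=PLAIN AUTH=LOGIN] mail.example.org ready"

if __name__ == "__main__":
    for name, greeting in (("good", GOOD), ("bad", BAD)):
        print(name, audit_cleartext(greeting) or "OK")
```

To audit a server you run, pass `live_capabilities("your.host")` to `audit_cleartext`; an empty list means logins are refused until TLS is up.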
