[Swlug] imap server and smartphone

Matt Willsher matt at monki.org.uk
Fri Sep 23 08:03:17 UTC 2016



> On 23 Sep 2016, at 02:53, Ben Tullis via Swlug <swlug at mailman.lug.org.uk> wrote:
> 
> Good reply Ben. I have some additional thoughts and questions.
> 
> 2: You could open your IMAP port to the world, but protect it a bit,
> then use an IMAP client on the phone
> - Run the public IMAP service on a non-standard port number, using your
> firewall to forward the incoming traffic to the normal port

While this stops drive-by port scans, I've found remembering the ports if I need access from elsewhere to be awkward. If the server is kept patched then leaving it on the public port would be okay. Fail2ban is a must though, ideally with a longer block time than the default 10 minutes. Be sure to add your home network and perhaps work IP as exclusions to the block list to avoid accidental lockouts.

> 3: You could open your IMAP port to the world, but protect it
> cryptographically, then use an IMAP client on the phone
> - Use client-authenticating TLS so that you need to provide a valid
> digital certificate before you can connect to the port

This is the gold standard really. From my experience, managing the certs can be a bit awkward, as can be setting them up in the first place with reasonable ciphers and hashes. For mobile use, I understand ECDSA has less computation overhead if the client supports it and can save on battery life on the phone if it's checking in the background.

You should also use an SSL cert for IMAP even if you don't use a client certificate. A simple self-signed one is fine if you can trust the public cert on your phone. Otherwise there is StartSSL, which is free and will be in the trust store already, CAcert, which needs the CA loading but then gives free certs, or Let's Encrypt, which automatically creates and manages certs for free. Let's Encrypt is perhaps the best choice here but it has a bit of a learning curve and the plethora of tools that support it doesn't help - some are good, some are not so good.

Make sure you have strong passwords (I use at least 20 chars of random numbers, mixed case and symbols these days, but a 4 or 5 word password is easier to manually enter and remember).

Also be sure that only users that have mailboxes are able to authenticate.

Over an encrypted connection PLAIN or LOGIN authentication to Cyrus is fine.

A proxy in front of the server isn't a bad idea either. Either stunnel as Ben says or Nginx, which can terminate the SSL connection for you so you don't have to touch Cyrus.

My question is what is a good way to manage the CA and certs for client authentication? Is OpenSSL still the best option or are there tools that make it easier to use current good practice?

Have fun!

Matt
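Worked example, added here and not part of the thread or any list member's post: one way to run the small private CA for client-authenticating TLS that the message discusses and asks about, using only the openssl command line. It assumes openssl is installed; the scratch directory, the "Home IMAP client CA" name, the "matt-phone" CN and the PKCS#12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA plus one ECDSA client
# certificate for IMAP client authentication, using only the openssl CLI.
# All names, paths and the export password are constructed placeholders.
set -e

# Build the CA and one client cert under $1 (a scratch directory) and print
# the result of verifying the client cert against the CA for TLS client use.
make_client_ca() {
    dir="$1"
    mkdir -p "$dir"
    # 1. CA key and self-signed CA certificate. P-256 ECDSA, since the post
    #    notes ECDSA is cheaper for the phone than RSA.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key"
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -subj "/CN=Home IMAP client CA" -out "$dir/ca.pem"
    # 2. One key and CSR per device; the CN names the device so a lost phone
    #    can be revoked on its own without reissuing everything.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/phone.key"
    openssl req -new -key "$dir/phone.key" -sha256 \
        -subj "/CN=matt-phone" -out "$dir/phone.csr"
    # 3. Sign with the CA. The extensions restrict the cert to TLS client use,
    #    so it can never be presented as a server certificate.
    printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
        > "$dir/client.ext"
    openssl x509 -req -in "$dir/phone.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/client.ext" -out "$dir/phone.pem"
    # 4. Bundle key + cert + CA into a password-protected PKCS#12 file, which is
    #    the form most phone mail clients import.
    openssl pkcs12 -export -inkey "$dir/phone.key" -in "$dir/phone.pem" \
        -certfile "$dir/ca.pem" -passout pass:changeme -out "$dir/phone.p12"
    # The check the IMAP server (or nginx/stunnel in front of it) performs:
    # the presented cert must chain to ca.pem and be valid for client auth.
    openssl verify -CAfile "$dir/ca.pem" -purpose sslclient "$dir/phone.pem"
}
```

Only ca.pem is configured on the server as the trusted client CA; ca.key stays offline and is used solely to sign new device CSRs.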
