Hi everybody,
A question: how secure is qmail-ldap? How to secure qmail-ldap?
When a qmail-ldap machine receives an email, it will:
- connect to the ldapserver
- bind/authenticate using the DN/username in file ldaplogin and the password in file ldappassword
- retrieve the user information

The communication between the qmail-ldap server and the ldapserver is not encrypted. What if somebody used a sniffer to steal the ldaplogin username and the ldappassword password, and to steal the retrieved user information? Then the bad guy has access to your ldap server; he could read, modify and delete entries in your ldapserver. Very bad!!!

The retrieved user information contains the pop user password (userpassword attribute). The bad guy can then read other people's mail.
My ideas:

- Restrictive ACL
Configure the ldapserver with an ACL, so that the "ldaplogin" user has only read permission to every qmail-user attribute except the userpassword attribute. Only the qmail user may read their own userpassword attribute. Doing this, if the ldaplogin password gets sniffed or stolen, then the bad guy cannot read the userpassword attribute.
Use file "~/control/ldaprebind". If enabled (1), qmail-ldap does not try to retrieve the userpassword attribute from ldap; instead, it tries to bind to the ldap server using the looked-up DN and the supplied password (affects auth_pop and auth_imap). This allows your ACL to be more restrictive: nobody except the user himself needs the right to retrieve his password from the ldap directory.

- tcpwrappers
With tcpwrappers you can grant/deny access based on the ldapclient IP address, so with tcpwrappers grant access to your ldapserver only to the qmail-ldap machines.

- One master slapd and on every qmail-ldap machine a slave slapd; qmail-ldap does the lookup on the local machine (~control/ldapserver = 127.0.0.1). The master slapd (slurpd) replicates if ldap modifications are made.
I don't like this idea, because you need more ldap servers than necessary.

More ideas???
Pop access
- popclient sends username + passwd to the qmail popserver
- qmail popserver will retrieve the user information and user password from the ldapserver to verify the user.

Same problem: the communication between the qmail popserver and the ldapserver is not encrypted; somebody could use a sniffer to steal the username and password.

My ideas:
- SSL encryption between the qmail-pop server and the Popclient. Courier imap currently supports SSL encryption over IMAP. Well-known

More ideas??
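Added example (not from the original post or from the qmail-ldap project): an OpenLDAP slapd.conf ACL fragment that implements the "restrictive ACL" idea above for use together with ldaprebind set to 1, followed by the tcpwrappers rules for the second idea. The suffix dc=example,dc=org, the user subtree ou=users, the service bind DN cn=qmail,ou=services (the DN kept in ~control/ldaplogin) and the two client addresses 192.0.2.10/11 are all assumed values; the dn.subtree= style is OpenLDAP 2.1 and later syntax.

```conf
# /etc/openldap/slapd.conf (assumed path) - access control section only.
# slapd uses the FIRST "access to" clause whose target matches the request,
# and inside it the FIRST "by" clause that matches the requester, so the
# userPassword rule must come before the general rule.

# 1. userPassword is never readable by the qmail-ldap service account.
#    "self write"     : a user may read and change his own password
#    "anonymous auth" : an unauthenticated connection may only use the
#                       attribute for a bind/compare, which is exactly what
#                       qmail-ldap does when ~control/ldaprebind is 1
#    "* none"         : everybody else, including cn=qmail, gets nothing
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The rest of each user entry (mailbox location, uid/gid, quota,
#    aliases ...) is readable by the service account and by the user.
#    Assumed DNs: suffix dc=example,dc=org, users under ou=users.
access to dn.subtree="ou=users,dc=example,dc=org"
    by dn="cn=qmail,ou=services,dc=example,dc=org" read
    by self read
    by * none

# 3. Default deny for anything not matched above (rootdn bypasses ACLs).
access to *
    by * none

# --- tcpwrappers for slapd (slapd must be built with --enable-wrappers) ---
# /etc/hosts.allow : only the qmail-ldap machines (assumed addresses)
slapd: 192.0.2.10 192.0.2.11
# /etc/hosts.deny  : everything else
slapd: ALL
```

With this in place a sniffed ldaplogin/ldappassword pair yields read access to the non-secret user attributes from an allowed host only, and never the userpassword attribute; the user's own POP/IMAP login is checked by the bind that ldaprebind performs, which needs no more than the "anonymous auth" right. Neither fragment encrypts the qmail-ldap to slapd connection, so the sniffing problem the post describes still has to be addressed separately.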