Re: [Dovecot] Imap/pop gateway

2011-11-03 Thread Maria Arrea
If you are going to use an imap proxy for security reasons, consider using a 
software DIFFERENT than in your real mailboxes. If you use dovecot in your 
backend, you could use perdition in the frontend.

 Regards

 Maria

- Original Message -
From: Ed W
Sent: 11/03/11 11:31 AM
To: Dovecot Mailing List
Subject: Re: [Dovecot] Imap/pop gateway

On 31/10/2011 22:20, nuno marques wrote:
> Hello,
> How can I make an imap/pop gateway? that is, putting the mailboxes on a server
> on the internal network and put the gateway in the dmz.

The question isn't entirely clear, but I *think* you just want to use the
normal "proxy" feature of dovecot. This accepts connections on one machine,
examines them until the end of the auth stage and passes them onto some other
machine based on the results of the auth process

Also there are other imap/pop proxies such as nginx

That said I'm not sure how much security this really buys you versus port
forwarding POP/IMAP ports to your real server? If the proxy machine were to get
hacked (over imap?) then the same hack can jump from the proxy to the real
server. Also your only exposure in each case is via POP/IMAP, which means you
would be mainly chasing buffer overflow vulnerabilities and the like. These can
also be mitigated by chrooting the server machine (please consider
virtualisation options, it's usually simpler/faster/saner, eg see my favourite:
linux-vservers), MAC controls on the dovecot process (grsec/selinux, etc), and
compiler extensions (gcc hardened)

Good luck

Ed W


Re: [Dovecot] Imap/pop gateway

2011-11-03 Thread Ed W
On 31/10/2011 22:20, nuno marques wrote:
> Hello,
> How can I make an imap/pop gateway? that is, putting the mailboxes on a server 
> on the internal network and put the gateway in the dmz.
>

The question isn't entirely clear, but I *think* you just want to use
the normal "proxy" feature of dovecot. This accepts connections on one
machine, examines them until the end of the auth stage and passes them
onto some other machine based on the results of the auth process

Also there are other imap/pop proxies such as nginx

That said I'm not sure how much security this really buys you versus
port forwarding POP/IMAP ports to your real server?  If the proxy
machine were to get hacked (over imap?) then the same hack can jump from
the proxy to the real server.  Also your only exposure in each case is
via POP/IMAP, which means you would be mainly chasing buffer overflow
vulnerabilities and the like.  These can also be mitigated by chrooting
the server machine (please consider virtualisation options, it's usually
simpler/faster/saner, eg see my favourite: linux-vservers), MAC controls
on the dovecot process (grsec/selinux, etc), and compiler extensions
(gcc hardened)

Good luck

Ed W
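
A minimal sketch of the Dovecot "proxy" setup described in the reply above, as an added example that is not part of the original post or of any poster's configuration. The addresses 10.0.0.10 (internal backend) and 10.0.1.5 (DMZ proxy) are placeholders, and Dovecot 2.x configuration syntax is assumed.

```conf
# --- Proxy host in the DMZ: dovecot.conf (Dovecot 2.x syntax assumed) ---
protocols = imap pop3

# Every login is handed to the backend once the auth stage completes.
# proxy=y       : proxy the connection instead of serving mail locally
# host=...      : backend to connect to (placeholder address)
# nopassword=y  : the proxy does not verify the password itself; it forwards
#                 the credentials and the backend makes the real decision
passdb {
  driver = static
  args = proxy=y host=10.0.0.10 nopassword=y
}

# --- Backend on the internal network: dovecot.conf ---
# Trust the proxy (placeholder address) to pass on the real client IP, so
# logs and auth checks on the backend see the client rather than the proxy.
login_trusted_networks = 10.0.1.5
```

Forwarding the password this way only works with plaintext authentication mechanisms, so the proxy-to-backend hop carries the user's credentials. The firewall between the DMZ and the internal network should allow only the proxy to reach the backend's IMAP/POP ports.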


[Dovecot] Imap/pop gateway

2011-10-31 Thread nuno marques
Hello,
How can I make an imap/pop gateway? that is, putting the mailboxes on a server 
on the internal network and put the gateway in the dmz.

regards