Re: Security risk of POP3 & IMAP protocols
Adam Tauno Williams wrote: >> A friend of mine is asking me about security risks of using IMAP & >> POP3 protocols. Why? Because a sales person told my friend that IMAP >> protocol is less secure than POP3 protocol. This reminds me of a concern that was raised about U Wash IMAP and storage of mail in unix home directories. In that setup IMAP access is based on unix file system permissions, and IMAP will open files that are not mail files if the user has unix file permissions to open them-- including various system files. This always struck me as a bogus concern since the user could also telnet in and see the same files! The protocol itself is no less secure than POP. I don't understand why POP is still around. Joseph Brennan Columbia University Information Technology Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Security risk of POP3 & IMAP protocols
> A friend of mine is asking me about security risks of using IMAP & > POP3 protocols. Why? Because a sales person told my friend that IMAP > protocol is less secure than POP3 protocol. This assumption is not > related to Cyrus IMAP, instead is related only to the protocols. > I'm searching at Google something about POP3 & IMAP security but I'm > not pretty sure about comments I can found in forums or other sites. I'd write this claim off as bogus; use GSSAPI authentication and TLS and either is extremely secure. Your more pressing security vulnerabilities will certainly be elsewhere (the client OS and configuration, most likely). Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Security risk of POP3 & IMAP protocols
On Feb 12, 2009, at 2:49 PM, Jason Voorhees wrote: Hi people: A friend of mine is asking me about security risks of using IMAP & POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP, instead is related only to the protocols. I'm searching at Google something about POP3 & IMAP security but I'm not pretty sure about comments I can found in forums or other sites. Does anybody here know anything about security risk of these protocols? Is it true that one of them is less secure than the other one? I suppose that depends on one's definition of "security". There are secure authentication mechanisms available for both protocols, and you can use TLS. The more complex an application is the more opportunity there is for programmers to make mistakes or not properly validate inputs. Since IMAP is vastly more complicated that POP in it's operation, one could argue that an IMAP implementation is more likely to have exploitable bugs. Peter Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Security risk of POP3 & IMAP protocols
Hi people: A friend of mine is asking me about security risks of using IMAP & POP3 protocols. Why? Because a sales person told my friend that IMAP protocol is less secure than POP3 protocol. This assumption is not related to Cyrus IMAP, instead is related only to the protocols. I'm searching at Google something about POP3 & IMAP security but I'm not pretty sure about comments I can found in forums or other sites. Does anybody here know anything about security risk of these protocols? Is it true that one of them is less secure than the other one? Thanks, bye Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Cyrus DB Errors "DBERROR: error fetching user.username" even after reconstructs
On Thu, Feb 12, 2009 at 09:45:58AM -0600, Josh Whitver wrote: > It's actually possible we are using BDB - earlier in the mail server's > life we moved it from a PowerPC G5 Xserve to the Intel Xserve, and we > needed to work around the endian issues inherent in some part of the > mail server, so I recall converting a database in some direction, either > from BDB to skiplist or vice-versa. My memory escapes me now as to > which way we went, though. How would I check? grep mboxlist_db /etc/imapd.conf The default is skiplist, so it will be skiplist unless you have something else there. (but then, I know it's skiplist because I have a copy of it now!) Bron. Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
Re: Cyrus DB Errors "DBERROR: error fetching user.username" even after reconstructs
It's actually possible we are using BDB - earlier in the mail server's
life we moved it from a PowerPC G5 Xserve to the Intel Xserve, and we
needed to work around the endian issues inherent in some part of the
mail server, so I recall converting a database in some direction,
either from BDB to skiplist or vice-versa. My memory escapes me now
as to which way we went, though. How would I check?
--
Josh Whitver
whitv...@urbandale.k12.ia.us / j...@whitver.net
(If you can't hear me, it's because I'm in parentheses)
On Feb 11, 2009, at 8:40 PM, Bron Gondwana wrote:
>
> On Tue, 10 Feb 2009 15:59:09 -0600, "Josh Whitver"
> > said:
>> Whenever an IMAP connection is attempted, I see this in the log:
>> Feb 10 09:14:17 urbandale imap[34508]: DBERROR: error fetching user.
>> [username]: cyrusdb error
>
> OK - there are two spots in the code that can produce exactly that
> error message. One is in BDB, which I assume you're not using. The
> other is in mboxlist (latest CVS changes this one to "error fetching
> mboxlist user.[username]: [error]" to be clearer!)
>
> So, it's in mboxlist_mylookup. The specific error is being returned
> by:
>
>if (wrlock) {
>r = DB->fetchlock(mbdb, name, namelen, &data, &datalen, tid);
>} else {
>r = DB->fetch(mbdb, name, namelen, &data, &datalen, tid);
>}
>
>...
>
>default:
>syslog(LOG_ERR, "DBERROR: error fetching mboxlist %s: %s",
> name, cyrusdb_strerror(r));
>return IMAP_IOERROR;
>break;
>
> Sorry I didn't get back to you before. I really don't think I can
> debug this any further without a copy of your mailboxes.db file.
>
> I assume you've ruled out filesystem corruption by checking syslog/
> dmesg/
> whatever for signs of bad blocks?
>
> Bron.
> --
> Bron Gondwana
> br...@fastmail.fm
>
>
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
