Hi, Doesn't the IMAP connection only exist between the web host (for the webmail front end) and the mail server? If this is so then if that connection is "secured" on a DMZ or such like, then the only part that needs to be secured is the client to web server communication?
Regards,
Paul Leroy

-----Original Message-----
From: Richard Garand [mailto:[EMAIL PROTECTED]]
Sent: 27 November 2001 02:35
To: Branko Ivanovic; [EMAIL PROTECTED]
Subject: Re: Squirrel Mail - just how secure it is?

On November 25, 2001 06:20 am, Branko Ivanović wrote:
> I would like to ask if anyone has some experience working with or security
> auditing WebMail program, written in PHP, called SquirrelMail. As I can see
> in version 1.06 and 1.2.0rc2 it is using IMAP, which I consider as highly
> insecure protocol. Correct me please if I'm wrong. If it's a bad choice for
> WebMail access, then what are alternatives?

I don't know about any insecurities in the IMAP protocol itself other than cleartext transmission (I would look for servers and clients that support some form of encryption, like I have with POP). I'm planning to use this too, but since it's only for a private online access system and it will be running on the mailserver, I plan to put it in a restricted section of my SSL server.

--
Richard Garand - r i c h a r d @ g a r a n d n e t . n e t
(L)ICQ: 12190132 - http://www.garandnet.net
"...systems wrongly configured with Microsoft SQL Server software..." -- ZDNet
