Wondering what measures are wise to take to secure IMAP when running live over the internet. IMAP is an old-fashioned protocol and is insecure by design. I'd like to try running JAMES IMAP live @ ApacheCon EU from a server in the UK, but I want to think about security first. I have a few questions, but would appreciate it if people jump in with general advice even if it's not covered by the questions.
IMAP is not a secure protocol. Running securely means deviating from the specification. AIUI JAMES ships with standard configurations which are specification compliant.

It seems a little foolish to allow an untrusted client to try arbitrary input against the complexity of the fully featured parser before logging in. Perhaps a secure encoder could be used before the client has logged on.

Seems foolish to allow an untrusted client to create a socket and then have the server retain the connection without logging in for at least 30 minutes before timing it out.

Seems foolish to allow an untrusted client unlimited chances to log in over the same TLS session. May want to be able to increase the difficulty of dictionary attacks by blocking connections from IPs which fail to log in too many times. Similarly, may want to block too many simultaneous connections from untrusted clients from the same IP which haven't been logged in.

Opinions?

- robert
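As an added illustration of the limits proposed above (my own sketch, not JAMES code or any project's API): a pre-authentication policy object that a connection handler could consult at connect time, on each LOGIN, and from a periodic reaper. The thresholds, the session-id/IP interface and the monotonic clock injection are assumptions; a real server would also drop the session entry when the client disconnects.

```python
import time
class PreAuthPolicy:
    MAX_UNAUTH_PER_IP = 3         # simultaneous not-yet-logged-in sockets per client IP (assumed)
    MAX_ATTEMPTS_PER_SESSION = 3  # LOGIN tries allowed on one (TLS) session (assumed)
    MAX_FAILURES_PER_IP = 5       # failed LOGINs per IP within BLOCK_SECONDS (assumed)
    BLOCK_SECONDS = 600           # how long a noisy IP is refused at connect time (assumed)
    IDLE_SECONDS = 60             # pre-auth idle timeout, far below the spec's 30 minutes

    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so tests can advance time
        self.failures = {}        # ip -> timestamps of failed LOGINs
        self.blocked_until = {}   # ip -> monotonic time the block expires
        self.sessions = {}        # session id -> {"ip", "attempts", "authed", "seen"}

    def _open_unauth(self, ip):
        return sum(1 for s in self.sessions.values() if s["ip"] == ip and not s["authed"])

    def accept(self, sid, ip):
        """Connect-time decision: refuse blocked IPs and IPs at the pre-auth socket cap."""
        now = self.clock()
        if self.blocked_until.get(ip, 0) > now or self._open_unauth(ip) >= self.MAX_UNAUTH_PER_IP:
            return False
        self.sessions[sid] = {"ip": ip, "attempts": 0, "authed": False, "seen": now}
        return True

    def login(self, sid, credentials_ok):
        """Returns 'OK', 'FAIL' (may retry on this session) or 'DROP' (close the socket)."""
        s, now = self.sessions[sid], self.clock()
        s.update(attempts=s["attempts"] + 1, seen=now)
        if credentials_ok:
            s["authed"] = True
            return "OK"
        ip = s["ip"]
        recent = [t for t in self.failures.get(ip, []) if now - t < self.BLOCK_SECONDS]
        self.failures[ip] = recent + [now]
        if len(self.failures[ip]) >= self.MAX_FAILURES_PER_IP:
            self.blocked_until[ip] = now + self.BLOCK_SECONDS
        if s["attempts"] >= self.MAX_ATTEMPTS_PER_SESSION or self.blocked_until.get(ip, 0) > now:
            del self.sessions[sid]
            return "DROP"
        return "FAIL"

    def reap_idle(self):
        """Close pre-auth sessions idle longer than IDLE_SECONDS; returns the ids closed."""
        now = self.clock()
        idle = [k for k, s in self.sessions.items() if not s["authed"] and now - s["seen"] > self.IDLE_SECONDS]
        for sid in idle:
            del self.sessions[sid]
        return idle
```

Authenticated sessions stop counting against the per-IP cap and are never reaped here, so a legitimate user who has logged in is unaffected by a noisy neighbour behind the same NAT only until that neighbour trips the per-IP block.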