Robert Burrell Donkin wrote:
> IMAP is not a secure protocol. Running securely means deviating from the specification. AIUI JAMES ships with standard configurations which are specification compliant.
Using STARTTLS, LOGINDISABLED and AUTHENTICATE with a non-clear-text SASL implementation is not deviating from the spec.
> Seems foolish to allow an untrusted client to create a socket and then have the server retain the connection without logging in for at least 30 minutes before timing it out.
The 30 minute timer is 'autologout', so if the client has not authenticated, either with LOGIN or AUTHENTICATE, then technically the client is not logged in; therefore the 30 minute timer does not apply.
> Seems foolish to allow an untrusted client unlimited chances to login over the same TLS session.
That statement is actually against the spec! Section 11.2 states: "A server SHOULD have mechanisms in place to limit or delay failed AUTHENTICATE/LOGIN attempts."
> May want to be able to increase the difficulty of dictionary attacks by blocking connections from IPs which fail to login too many times. Similarly, may want to block too many simultaneous connections from untrusted clients from the same IP which haven't been logged in.
Our IMAP server allows IP address blacklists and sends an immediate BYE response to a connecting client from any one of those addresses. This is also spec conformant - see 7.1.4 (4).
In general, IMAP, although an old protocol with a number of problems, is still widely used and actively developed. Just take a look at the imapext and Lemonade working groups. Lemonade in particular specifically targets IMAP for use with mobile devices. Our IMAP server provides secure IMAP service for mobile devices.
Antony
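The server-side behaviour discussed in this exchange (LOGINDISABLED until STARTTLS, delaying and limiting failed LOGIN/AUTHENTICATE attempts per RFC 3501 section 11.2, and an immediate untagged BYE for blacklisted addresses per 7.1.4) can be sketched as a small per-IP policy object. This is an added illustration written for this thread, not code from JAMES or from Antony's server; the class name, thresholds and sample addresses are constructed, and the injectable clock exists only so the window can be tested.

```python
import time
from collections import defaultdict, deque


class PreAuthPolicy:
    """Per-IP policy for IMAP's not-authenticated state (constructed example)."""

    def __init__(self, blacklist=(), max_failures=3, window=600.0,
                 base_delay=1.0, clock=time.monotonic):
        self.blacklist = set(blacklist)      # addresses refused outright
        self.max_failures = max_failures      # failed attempts allowed per window
        self.window = window                  # seconds a failure stays counted
        self.base_delay = base_delay          # first delay; doubles per failure
        self.clock = clock                    # injectable for testing
        self.failures = defaultdict(deque)    # ip -> timestamps of failed attempts

    def _recent_failures(self, ip):
        # Drop failures older than the window, return the count that remain.
        cutoff = self.clock() - self.window
        q = self.failures[ip]
        while q and q[0] < cutoff:
            q.popleft()
        return len(q)

    def on_connect(self, ip, tls):
        """Return (greeting, keep_connection) for a new socket from ip.

        Blacklisted or recently locked-out addresses get an untagged BYE before
        any command is read (RFC 3501 7.1.4). Plaintext sessions advertise
        LOGINDISABLED and no SASL mechanism until STARTTLS has completed.
        """
        if ip in self.blacklist or self._recent_failures(ip) >= self.max_failures:
            return "* BYE Connection refused\r\n", False
        caps = "IMAP4rev1 STARTTLS AUTH=PLAIN" if tls else "IMAP4rev1 STARTTLS LOGINDISABLED"
        return f"* OK [CAPABILITY {caps}] ready\r\n", True

    def on_login_result(self, ip, tag, ok):
        """Return (response, delay_seconds, keep_connection) after a LOGIN/AUTHENTICATE.

        Failures are delayed with exponential backoff (section 11.2); once the
        per-window limit is reached the connection is closed with BYE, and the
        same IP is refused at connect time until the window expires.
        """
        if ok:
            self.failures.pop(ip, None)
            return f"{tag} OK LOGIN completed\r\n", 0.0, True
        self.failures[ip].append(self.clock())
        n = self._recent_failures(ip)
        if n >= self.max_failures:
            return f"{tag} NO too many failures\r\n* BYE Too many failed logins\r\n", 0.0, False
        return f"{tag} NO LOGIN failed\r\n", self.base_delay * 2 ** (n - 1), True
```

A real server would sleep for the returned delay before writing the NO response and would also apply a much shorter idle timeout than the 30 minute autologout while the session is still unauthenticated.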