On Thu, Mar 27, 2008 at 8:40 AM, Antony Bowesman <[EMAIL PROTECTED]> wrote:
> Robert Burrell Donkin wrote:
>
>  > IMAP is not a secure protocol. Running securely means deviating from
>  > the specification. AIUI JAMES ships with standard configurations which
>  > are specification compliant.
>
>  Using STARTTLS, LOGINDISABLED and AUTHENTICATE with a non-clear-text SASL
>  implementation is not deviating from the spec.

RFC2595 is an additional standard. When privacy mode is on, it is
incompatible with clients written to IMAP4rev1.

But you're right that it would not be unreasonable to ship with
RFC2595 privacy mode on.

>  > Seems foolish to allow an untrusted client to create a socket and then
>  > have the server retain the connection without logging in for at least
>  > 30 minutes before timing it out.
>
>  The 30 minute timer is 'autologout', so if the client has not authenticated,
>  either with LOGIN or AUTHENTICATE, then technically, the client is not logged in,
>  therefore the 30 minute timer does not apply.

Yes, I agree it's very reasonable to read the specification in this way.

This will mean a change to the JAMES bio framework to introduce two
timeout parameters.

>  > Seems foolish to allow an untrusted client unlimited chances to login
>  > over the same TLS session.
>
>  That statement is actually against the spec!  Section 11.2 states
>
>     A server SHOULD have mechanisms in place to limit or delay failed
>     AUTHENTICATE/LOGIN attempts.

Good spot 8-)

Thanks - this is in RFC3501 but not in RFC2060. 3501 is much better in
many ways (but some of the recommendations may break older clients).

I can't find explicit mention in 3501 about the use of BYE in this
situation, but it seems reasonable to me (hopefully someone will set me
straight if I'm mistaken).

>  > May want to be able to increase the difficulty of dictionary attacks
>  > by blocking connections from IPs which fail to login too many times.
>  > Similarly, may want to block too many simultaneous connections from
>  > untrusted clients from the same IP which haven't been logged in.
>
>  Our IMAP server allows IP address blacklists and sends an immediate BYE response
>  to a connecting client from any one of those addresses.  This is also spec
>  conformant - see 7.1.4 (4).

7.1.5, but yes, you're right that an immediate BYE is allowed at connection startup.

>  In general, IMAP, although an old protocol with a number of problems, is still
>  widely used and actively developed.  Just take a look at the imapext and
>  Lemonade working groups.  Lemonade in particular specifically targets IMAP for
>  use with mobile devices.  Our IMAP server provides secure IMAP service for
>  mobile devices.

True.

- robert
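The pre-authentication handling discussed in this thread (an immediate BYE for blacklisted addresses, a shorter idle limit for connections that have not logged in, a cap on simultaneous unauthenticated connections per IP, and a cap on failed LOGIN/AUTHENTICATE attempts), as an added example that is not part of the original thread or of JAMES. The limits, the BYE texts and the class names are assumptions; the section numbers refer to RFC 3501.

```python
# Constructed example: pre-authentication connection policy for an IMAP server.
# Not JAMES code. Limits and BYE texts are assumptions; section numbers are RFC 3501.
PREAUTH_IDLE_SECS = 60        # assumed idle limit before authentication
AUTOLOGOUT_SECS = 30 * 60     # section 5.4 autologout, applies only once logged in
MAX_FAILED_LOGINS = 3         # assumed per-connection cap on failed LOGIN/AUTHENTICATE
MAX_UNAUTH_PER_IP = 5         # assumed cap on simultaneous unauthenticated connections per IP


class Connection:
    def __init__(self, ip, now):
        self.ip, self.authenticated, self.failed, self.last = ip, False, 0, now


class ImapPolicy:
    def __init__(self, blacklist):
        self.blacklist = set(blacklist)
        self.unauth = {}  # ip -> open connections that have not yet authenticated

    def connect(self, ip, now):
        """Return (connection or None, greeting). BYE at startup is allowed by 7.1.5."""
        if ip in self.blacklist:
            return None, "* BYE connection refused"
        if self.unauth.get(ip, 0) >= MAX_UNAUTH_PER_IP:
            return None, "* BYE too many unauthenticated connections from this address"
        self.unauth[ip] = self.unauth.get(ip, 0) + 1
        return Connection(ip, now), "* OK IMAP4rev1 service ready"

    def close(self, conn):
        if not conn.authenticated:
            self.unauth[conn.ip] -= 1

    def login_failed(self, conn, tag, now):
        """Tagged NO each time; after too many failures also BYE and close (11.2)."""
        conn.failed, conn.last = conn.failed + 1, now
        lines = [f"{tag} NO login failed"]
        if conn.failed >= MAX_FAILED_LOGINS:
            lines.append("* BYE too many failed login attempts")
            self.close(conn)
        return lines

    def login_ok(self, conn, tag, now):
        self.unauth[conn.ip] -= 1   # no longer counts against the per-IP cap
        conn.authenticated, conn.failed, conn.last = True, 0, now
        return [f"{tag} OK logged in"]

    def idle_check(self, conn, now):
        """Short limit before login; the 30-minute autologout only once logged in."""
        limit = AUTOLOGOUT_SECS if conn.authenticated else PREAUTH_IDLE_SECS
        if now - conn.last >= limit:
            self.close(conn)
            return "* BYE autologout; idle for too long"
        return None
```

Timestamps are passed in explicitly so the policy can be driven from a real server loop or from a test without sleeping.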

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
