
SUMMARY: [linux-security] IMAP security across the net



Since the number of responses to my query was large, Roger has asked me to summarise the information.

The summary is listed below

Thanks to all the people who bothered to help me out:
Alan Mead <adm ipat com>
Beattie, Jay <JBeattie accdir com>
Bruce Elrick <bruce elrick saltus ab ca>
Christian Hammers <ch lathspell westend com>
David J. M. Karlsen <david kvarteret uib no>
Dean Thompson <Dean Thompson csse monash edu au>
Ed Padin <epadin wagweb com>
Eugene Kanter <eugene blackcatlinux com>
Florian Helbing <flo rommel stw uni-erlangen de>
Graham Mainwaring <graham mhn org>
Horms <horms vergenet net>
Iain Wade <iwade optusnet com au>
JP Vossen <vossenjp netaxs com>
Jakub Skopal <jakub skopal sorcerer cz>
Jamie Beverly <jamie www how-toresource com>
Kurt Seifried <listuser seifried org>
Matthew B. Henniges <matt axl net>
Michael H. Warfield <mhw wittsend com>
Peter H. Lemieux <phl cyways com>
Petr Sulla <xsulla informatics muni cz>
Ren Sauceda, Computer Systems Engineer (kvsauceda lbl gov)
Shawn Robinson <srobins1 tps tci telus com>
Shawn Tagseth <stagseth bbm ca>
Stephen Peters <portnoy portnoy org>
Tomas Revesz <tomi neogenesis com>
Tony Annese <tony whidbey net>
alex cathy uuworld com



Blair.


 -----Original Message-----
 From: Blair Lowe [mailto:Blair Lowe compeng net]
 Sent: Wednesday, December 08, 1999 11:36 AM
 To: linux-security redhat com
 Subject: [linux-security] IMAP security across the net.


Hi,


We are wondering if anyone knows the security features of IMAP.

 I know (at least I think I know;) that plain POPMAIL uses no
 encryption on the password, and that APOP provides some encryption.

 Ideally we would like a secure system that is accessible from any
 laptop anywhere on the net.

 Thanks,
 Blair.
 --



-----Summary of all other messages-----

###########################
ANSWERS TO SECURITY QUERY
###########################

*************
Thread 1: imap and POP send cleartext passwords.

--
"David J. M. Karlsen" <david kvarteret uib no> wrote:
 IMAP defaults to cleartext passwords as well, try useing it with ssh, and
 you should be fine... Possible there's some support for mixing IMAP/SSL as
 well..

-- Ren Sauceda, Computer Systems Engineer (kvsauceda lbl gov) wrote:
 IMAP sends everything clear text just like POP. You'd need to run it
 over SSL to get encryption between the client and the IMAP mail store
 server. However, client support is limited: Netscape Messenger 4.6+,
 Outlook 98/2000, Outlook Express 5, and according to my sources.

 Personally, as a user that is, I like sshing into my mail server and
 checking my mail with pine when I'm on the road.

-- Christian Hammers <ch lathspell westend com> wrote:
 uw-imap and, afaik, cyrus imap too have support for CRAM-MD5 (sp?);
 this is like APOP.

Any more links to info on these products?


--
Horms <horms vergenet net> wrote:
 I don't know a lot about IMAP but my understanding is that
 you can enable capabilities which, if the server and client allow,
 will provide an encrypted session.

Sounds like SSL (see below).


--
"Graham Mainwaring" <graham mhn org>
 IMAP also sends the plaintext password across the network. However, it is
 possible to do IMAP-over-SSL (as well as POP-over-SSL) and get it to work
 with at least some mail clients. You do this using a tool called sslwrap on
 the server side. Alternatively, you might be able to do something with ssh
 port forwarding.

-- Alan Mead <adm ipat com> wrote:
 APOP encrypts passwords but not data.
 I'm not sure if IMAP encrypts the data; it is designed to offer more secure
 email connections than POP.  However I think SSL is a better choice; make
 everything web-based and accessed through a secure web server.  They'll
 need a root cert from your cert authority.  That probably means your
 clients will be forced to have recent versions of IE or Navigator.

imap does not seem to be any more secure than regular pop (as I feared).
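Worked example in Python, added to this summary and not taken from any of the replies: the first function pulls the logins straight out of a constructed POP3/IMAP capture, which is all a sniffer sitting between the laptop and the server has to do; apop_digest() and cram_md5_response() are the client-side APOP (RFC 1939) and CRAM-MD5 (RFC 2195) computations, which keep the password itself off the wire (the vectors are the ones printed in those two RFCs); the two crack_* functions show what that leaves open, the point Alan Mead makes above: the banner or challenge and the response both cross the network, so the password can be guessed offline, and the message content goes in the clear regardless. The capture, the mail.example.org host name and the wordlist are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample traffic, not a real capture: a POP3 login, an IMAP login and
# a message fetch, exactly as they cross the wire on ports 110 and 143.
CLEARTEXT_CAPTURE = (
    b"+OK POP3 server ready <1896.697170952@mail.example.org>\r\n"
    b"USER blair\r\n"
    b"+OK\r\n"
    b"PASS s3cret-pop\r\n"
    b"+OK Logged in.\r\n"
    b"* OK IMAP4rev1 server ready\r\n"
    b'a001 LOGIN blair "s3cret-imap"\r\n'
    b"a001 OK LOGIN completed\r\n"
    b"a002 FETCH 1 BODY[TEXT]\r\n"
    b"* 1 FETCH (BODY[TEXT] {31}\r\nQ4 numbers attached, keep quiet\r\n)\r\n"
)

# Constructed wordlist for the offline guess.
WORDLIST = ["password", "letmein", "tanstaaf", "tanstaaftanstaaf", "s3cret-imap"]

# Test vectors printed in RFC 1939 (APOP, secret "tanstaaf") and
# RFC 2195 (CRAM-MD5, user "tim", secret "tanstaaftanstaaf").
RFC1939_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC1939_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"

_IMAP_LOGIN = re.compile(r'^\S+ LOGIN (?P<user>"[^"]*"|\S+) (?P<pw>"[^"]*"|\S+)\s*$', re.I)


def extract_cleartext_credentials(capture):
    """(protocol, user, password) for every plaintext login in the capture: all a
    passive sniffer needs against POP3 USER/PASS and IMAP LOGIN."""
    found, pop_user = [], None
    for line in capture.decode("ascii", "replace").splitlines():
        head = line[:5].upper()
        if head == "USER ":
            pop_user = line[5:].strip()
        elif head == "PASS " and pop_user is not None:
            found.append(("POP3", pop_user, line[5:].strip()))
            pop_user = None
        else:
            m = _IMAP_LOGIN.match(line)
            if m:
                found.append(("IMAP", m["user"].strip('"'), m["pw"].strip('"')))
    return found


def apop_digest(timestamp, password):
    """RFC 1939 APOP: the client sends MD5(timestamp banner + password), never the password."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 CRAM-MD5: base64(user SP hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def crack_apop(timestamp, digest, wordlist):
    """The banner and the digest both went over the wire, so guess offline."""
    for guess in wordlist:
        if hmac.compare_digest(apop_digest(timestamp, guess), digest):
            return guess
    return None


def crack_cram_md5(challenge_b64, response_b64, wordlist):
    """Same attack on CRAM-MD5: only the password's strength limits it."""
    challenge = base64.b64decode(challenge_b64)
    _user, _, digest = base64.b64decode(response_b64).decode().partition(" ")
    for guess in wordlist:
        if hmac.compare_digest(hmac.new(guess.encode(), challenge, hashlib.md5).hexdigest(), digest):
            return guess
    return None


if __name__ == "__main__":
    print("sniffed logins:", extract_cleartext_credentials(CLEARTEXT_CAPTURE))
    print("APOP digest   :", apop_digest(RFC1939_TIMESTAMP, "tanstaaf"))
    print("APOP cracked  :", crack_apop(RFC1939_TIMESTAMP, RFC1939_DIGEST, WORDLIST))
    print("CRAM cracked  :", crack_cram_md5(RFC2195_CHALLENGE, RFC2195_RESPONSE, WORDLIST))
```

Run it as a script to see the three steps on the sample capture. APOP and CRAM-MD5 are hashes, not encryption: they stop the password from being read off the wire, but not from being guessed afterwards, and they do nothing for the message bodies. The SSL wrapping in the solutions section below is what protects both the login and the mail.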


--




########################### SOLUTIONS TO EMAIL SECURITY ###########################


************* Thread 1: Eudora may not support SSL wrapper type of IMAP communications.

--
Jakub Skopal <jakub skopal sorcerer cz> wrote:

Blair Lowe wrote:
>
> Where exactly is the setting for Eudora, or does it just work?
>
> Blair.
>
> Jakub Skopal <jakub skopal sorcerer cz> wrote:
> >
> > consider using SSL wrapper for your IMAP, it'll provide on-the-fly
> > encryption.
> > Most of the current mail-readers support it (on windows Microsoft
> > Outlook * as well as Netscape, Eudora supports it as well, afaik, on linux,
> > there's an easy way how to setup a wrapper so every application can access
> > it in ordinary way :_)
> >
> > Jakub
> >
> > --

 Don't know, but now I doublechecked at eudora's website and they say
 they have no support for SSL... I believe that there can be some sort
 of wrapper made as well, don't know any :-|
 I just knew somebody who had been using it, but don't know how he had
 managed to get it to work...


****************** Thread 2: sslwrap

--
Jamie Beverly <jamie www how-toresource com> wrote:
 sslwrap has some nice packages that encrypt POP, SMTP, and IMAP, there was
 a post to this group a few months ago that had full instructions to set it
 up and get it running, if you need a hand, drop me a line.

-- Ed Padin <epadin wagweb com> wrote:
 You can use SSL for IMAP as well as POP mail access. There's two nice SSL
 wrappers I know of for linux machines. sslwrap and stunnel. They act as a
 front end to any imap, pop or html server so that you can use the SSL
 protocol for the service. The popular IMAP clients usually support IMAP over
 SSL. This gives you a fully encrypted link where passwords and content
 cannot be sniffed.

-- Stephen Peters <portnoy portnoy org>
I think IMAP gives you the same problems.
[ie. cleartext passwords]

One thing you might consider is installing SSLeay and sslwrap. This allows you to wrap POP, IMAP (or other protocols) under SSL, so that the communication is encrypted. Many common mail clients (even Netscape, MSIE, and Outlook) support the SSL connections natively. I've gotten this working once -- using Netscape or Outlook to access my home IMAP server over SSL.

More information can be found at www.openssl.org, if I remember right.

A note to the readers, I believe that SSLeay IS open_ssl.


--
Florian Helbing <flo rommel stw uni-erlangen de>
 You can use SSL-Encrypted IMAP. Netscape can connect to SSL IMAP.
 Unfortunately I don't know of any other MUA that can.
 On the server you just need to use the ssl-wrapper which encrypts the data
 the imap-server send or receives. We use it here at the network I am working
 at and it performs quite nicely.

--
 "Michael H. Warfield" <mhw wittsend com> wrote:
        My suggestion would be to go with SSL encrypted imap (imaps).
 It's a well known service allocated to port 993 by IANA and can be set
 up with an ssl wrapper like edssl, ssl-proxy, stunnel, or sslwrapper on
 your server.  Fetchmail now has SSL patches included in the source, you
 just have to obtain OpenSSL <www.openssl.org> for the SSL libraries
 themselves.  Even Exchange, Outlook, and Netscape support SSL encryption
 on either or both POP and IMAP.

-- Tomas Revesz <tomi neogenesis com> wrote:

I'm not sure that standard IMAP has anything built in security-wise, but I'm quite happily running SSL-wrapped IMAP on two of my Red Hat boxes and it wasn't a tremendous pain to set it up. It gives you encrypted login and viewing of your mail. I've tried Netscape, Outlook Express, and Outlook 97/2000 as clients and they all seem to work great. You basically need 3 pieces:

 an imap server (i use the uwash server that came with redhat)
 openssl 0.9.4 http://www.openssl.org or you can find an rpm for it at
 www.rpmfind.net pretty easily
 and sslwrap which i got from http://www.rickk.com/sslwrap/

 i used this page as a reference and even though there are some
 differences in the software, it gives you the basic idea of how to set
 this up.  http://www.dtcc.edu/cs/admin/notes/ssl/

 if you want more detailed info, let me know and maybe i'll finally
 motivate myself to write up a how-to on my full setup.

I am sure that the readers of this email list and anyone else would be tickled with a HOWTO.


--
"Kurt Seifried" <listuser seifried org> wrote:

Blair Lowe wrote:
> Yes this works for all the normal OS's such as Linux and Windows,
> but don't you need winstun or something for a windows implementation
> (which does not exist for apple clients).

 Most email clients have built in support for SSL (outlook, netscape
 do). Simply goto security settings, secure imap.

-- "Bruce Elrick" <bruce elrick saltus ab ca> wrote:
 You could try using IMAP over SSL.  Both Netscape and MS Outlook support
 this.  I've installed sslwrap, which negotiates the SSL layer and forwards
 the connection to the loopback.

 e.g.
 have port 993 (imaps) open with sslwrap opened through inetd:
 /etc/inetd.conf:
 imaps    stream  tcp     nowait  ssl    /usr/sbin/tcpd /usr/sbin/sslwrap -cert /var/lib/ssl/certs/server.pem -port 143

 which accomplishes
 client using imaps (imap over ssl) --> internet -->
 --> your server public IP port 993 -->
 --> sslwrap (started by inetd) -->
 --> your server loopback IP port 143 --> imapd (started by inetd)

 You can have your firewall block 143 (except on loopback if your imaps
 server is your firewall) and let through 993 to your public IP address.

Excellent!
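Added check, in Python; not from the thread, and the host name and capability strings in it are examples, not anything from the posts. Once sslwrap or stunnel answers on 993 and 143 is blocked at the firewall as Bruce describes, this confirms from outside what a client would actually get. parse_capabilities() and assess() work on an IMAP CAPABILITY line (either the "* CAPABILITY ..." response or the "[CAPABILITY ...]" code some servers put in the greeting) and say whether a plaintext LOGIN would go over the wire; probe() opens the connection, with certificate verification against the system CA store on 993 or plain on 143, and runs them on the live answer. A 143 probe that is refused or times out from outside is the result you want.

```python
import socket
import ssl


def parse_capabilities(line):
    """Upper-cased capability tokens from either form an IMAP server uses:
    '* CAPABILITY IMAP4rev1 STARTTLS ...' or a greeting '* OK [CAPABILITY ...] ready'."""
    text = line.strip()
    upper = text.upper()
    if "[CAPABILITY" in upper:
        start = upper.index("[CAPABILITY") + len("[CAPABILITY")
        end = upper.find("]", start)
        text = text[start:end] if end != -1 else text[start:]
    elif upper.startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    else:
        return set()
    return {tok.upper() for tok in text.split()}


def assess(caps, over_tls):
    """Classify how a client would have to authenticate to an endpoint advertising caps."""
    challenge = sorted(c for c in caps
                       if c.startswith("AUTH=") and c not in ("AUTH=PLAIN", "AUTH=LOGIN"))
    plain_login_allowed = "LOGINDISABLED" not in caps
    if over_tls:
        verdict = "tls"                # login and mail content both protected
    elif plain_login_allowed:
        verdict = "cleartext"          # clients may (and most will) send LOGIN in the clear
    elif "STARTTLS" in caps:
        verdict = "starttls-enforced"  # LOGIN refused until the session is upgraded
    elif challenge:
        verdict = "challenge-only"     # password hidden; offline-guessable, mail still in clear
    else:
        verdict = "no-usable-auth"
    return {
        "over_tls": over_tls,
        "cleartext_login_on_wire": plain_login_allowed and not over_tls,
        "starttls": "STARTTLS" in caps,
        "challenge_mechanisms": challenge,
        "verdict": verdict,
    }


def probe(host, port=993, use_tls=True, timeout=5.0):
    """Connect, read the greeting, ask CAPABILITY, log out, and assess the answer.
    Needs network access, so it is not exercised by the offline checks."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # create_default_context() verifies the chain and the host name: a wrapper
        # presenting a self-signed server.pem fails here, which is what you want to know.
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock, sock.makefile("rwb") as f:
        greeting = f.readline().decode("ascii", "replace")
        f.write(b"a001 CAPABILITY\r\n")
        f.flush()
        cap_line = ""
        while True:
            line = f.readline().decode("ascii", "replace")
            if not line or line.startswith("a001 "):
                break
            if line.upper().startswith("* CAPABILITY"):
                cap_line = line
        f.write(b"a002 LOGOUT\r\n")
        f.flush()
    return assess(parse_capabilities(cap_line) or parse_capabilities(greeting), use_tls)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # example host
    print("993/imaps:", probe(target, 993, use_tls=True))
    try:
        print("143/imap: ", probe(target, 143, use_tls=False))
    except OSError as exc:
        print("143/imap:  unreachable from here (%s), which is what the firewall rule should give" % exc)
```

The TLS path uses the default verifying context, so a wrapper serving a self-signed server.pem is rejected; that is the right outcome to see, and it is the same failure the mail clients in these replies will show until the certificate chains to something the client trusts.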


--
Shawn Robinson <srobins1 tps tci telus com> wrote:
 You can use  SSL (authenticated & encrypted) with SMTP, POP, and IMAP
 protocols.  As for IMAP and POP, you may want to tunnel them to your
 existing servers with 'stunnel'.
 http://www.stanton.dtcc.edu/stanton/cs/admin/notes/ssl/

-- "Eugene Kanter" <eugene blackcatlinux com> wrote:
 Use ssl proxy. Netscape communicator works just fine. I guess
 openssl.org?


*****************
Thread 3: stunnel

"Iain Wade" <iwade optusnet com au> wrote:
 All major clients (Outlook, Outlook Express, Netscape Messenger)
 support IMAP over an SSL tunnel.

 You can achieve this using the SSLeay and stunnel packages very
 easily.

 I cannot recall where I found a nice little FAQ which described the
 process, but I'm sure a few altavista searches will get you there.

This is what I use and it seems ok so far.

-- "Kurt Seifried" <listuser seifried org> also wrote:
 ... SSL wrapping imap is easy, I cover
 it at http://www.securityportal.com/lasg/ in the mail server section,
 oops, I lied, I forgot to fold those changes in. Ok well go get
 OpenSSL, compile/install it, install a server cert, then get stunnel
 (ftp.zedz.net, in the replay directory, redhat, i386), install that
 and ssl wrap imap:

 simap   stream  tcp     nowait  root    /usr/sbin/stunnel imapd -l imapd

Right on. Now I know more about stunnel.


--
Shawn Tagseth <stagseth bbm ca> wrote:

If your clients that connect to the IMAP server are using Netscape or Outlook (Express), both of them support IMAPS. You can set up an ssl-imap wrapper so that everything over the Internet travels IMAP-SSL, hits your linux box, gets decrypted and then redirected to IMAP on localhost. I've only tested it and not rolled it out. The best part about it is that you don't have to replace your IMAP daemon.

 You'll need openSSL http://www.openssl.org
 and a wrapper (I've used sslwrap, but I've heard good things about
 stunnel as well)
 http://www.openssl.org/related/apps.html

 If you need to send messages you can set up the wrapper to handle SMTPS
 as well.  Although if ALL your mail is going back out to the internet
 the overhead is wasted.

-- Petr Sulla <xsulla informatics muni cz> wrote:
 You could use sslwrap or stunnel over a SSL connection, it works very nice
 for me with both POP and IMAP.
 Just search for sslwrap and stunnel at www.freshmeat.net.
...
I just came across a much better source:

http://security.fi.infn.it/tools/stunnel/index-en.html

I found stunnel hard to get, but eventually got it.


*****************
Thread 4: Outlook Express

--
alex cathy uuworld com wrote:
JP Vossen <vossenjp netaxs com> wrote:
> On Wed, 8 Dec 1999, Blair Lowe wrote:
>
> > Ideally we would like a secure (e-mail) system that is accessible from any
> > laptop anywhere on the net.
>
> How about OWA using SSL (Outlook Web Access for Exchange 5.x (OWA is free from
> MS)) using SSL on IIS? If you use Exchange, this is great, because you can
> get your mail from any place that has an SSL browser, WITHOUT having to have
> any other software (e.g. VPN software, IMAP client, etc.) installed on the
> client machine. However, it is a bit tricky to install.


Off topic.

True, Outlook Web Access is probably not available for Linux, but someone may have a
Linux laptop that connects to an NT server.


*****************
Thread 5: Zmailer

--
Shawn Robinson <srobins1 tps tci telus com> also wrote:
 For SMTP, I'd suggest a native implementation, but you could tunnel it
 also.  Zmailer (http://www.zmailer.org) is an SMTP server that recently
 introduced SSL SMTP that supports clients such as Netscape Communicator,
 and Outlook Express.

****************** Thread 6: IMP: a web based email server

--
"Peter H. Lemieux" <phl cyways com> wrote:
 How about IMP, a Web IMAP client written in PHP3, running on an Apache-SSL
 server?

 IMP:    http://www.horde.org/imp/
 PHP:    http://www.php.net

 You can read and send mail, attach files, manage folders, keep an
 addressbook, and use LDAP servers, all over the web.  Not only would the
 authentication session be encrypted by SSL, so would the contents of the
 messages viewed.
 If you're uncomfortable leaving the message store on a publicly accessible
 machine, you can put it behind your firewall and point IMP at it through
 some kind of tunnel.

 If you want to be able to use an IMAP client that runs on the laptop, there
 is a standard port assignment (993) for secure IMAP using SSL/TLS.  I know
 Netscape Communicator supports this, and I think MS Outlook does, too.  You
 might want to look at one man's experience trying to construct an
 UW-IMAP+SSL server at http://www.terry.dtcc.edu/stanton/cs/admin/notes/ssl/.


****************** Thread 7: IPSec

Dean Thompson <Dean Thompson csse monash edu au> wrote:
You may want to investigate the SSL protocol to ensure you have an encrypted
session when reading mail. Other than SSL, you may be able to to use a system
like IPSec to encrypt data on the network (although this requires a specific
gateway encrypting all the traffic).

***************** Thread 8: Kerberos AND gss

 "Michael H. Warfield" <mhw wittsend com> wrote:
 Blair Lowe wrote:
 > We are wondering if anyone knows the security features of IMAP.

Yeah, virtually none unless you add features like kerberos or gss.

Anyone know any links on these ones?



-- "Matthew B. Henniges" <matt axl net> wrote:
You could use pop over ssl.

There are several ssl proxies that can add ssl support to a non ssl server,

stunnel, bjorb, and sslproxy come to mind.

Some people report problems with outlook express's ssl support though...

Anyone know any links to bjorb?

Computer Engineering Inc.  http://www.compeng.net
Phone: 780 499 5687 (9 - 5 MST)
Fax: 780 435 0693 (24 Hours)


