[NTLUG:Discuss] secure pop/imap/smtp access
Jack Snodgrass
jack+ntlug at mylinuxguy.net
Mon Mar 31 09:37:28 CST 2003
On Sun, 30 Mar 2003 21:02:03 -0600, Jay Urish wrote:
> Hey Gang,
> I have just encountered a problem that I need some direction with.
>
> I give some people access to my box to host their domains. Up until a few
> days ago everyone had a static ip address so I could protect my daemons
> with iptables. Now all of a sudden everybody has gone dynamic.
>
> I have done some preliminary research and I have some ideas BUT I am
> looking for some real world experiences.
>
> Here are some of the things I saw:
> 1. Maybe wrap pop3 with stunnel
> 2. vpn to the box?
>
>
> I guess my questions are:
> 1. What is the easiest solution?
>
> At this moment I am thinking that I should implement a VPN firewall
> appliance and go through that to a second ethernet card. It would definitely
> be the easiest solution.

What are you trying to do exactly?
Provide mail service only ( pop, imap, smtp, etc )
or do you want 'your people' to have secure access to everything
running on your box ( web, telnet, ssh, ftp, etc )
... seems like a VPN to allow mail access is overkill.

Also.. are you worried about passwords being sent in the clear
and email being viewed in the clear, or are you just trying
to limit who can access these services?

You could use a web mail interface ( like squirrelmail (sp?)) and
use https to handle all of your passwords and encryption. Squirrelmail
works fairly well.

If you need to limit who can send mail via your SMTP server and don't want
to run an open gateway, you can set up SMTPAUTH and require a userid/
password to send mail.

Once you set up SMTPAUTH, then you're halfway to setting up SSL wrappers
for pop and imap.

I've got SMTPAUTH, SSL wrappers, etc all set up with Postfix ( smtp )
and Cyrus ( imap and pop ) and squirrelmail and https set up on my
testbox. It can be done... just takes a bit of work.

The easiest/quickest way to go is https and a web based mail interface.

jack
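
Added example, not part of the original message: a check for the two concerns raised above (passwords sent in the clear, and who may relay through the SMTP server). It compares a server's EHLO reply before and after STARTTLS and flags AUTH mechanisms that would expose a password on an unencrypted connection. The hostnames and EHLO replies are constructed sample data, and the function names are this example's own.

```python
import re

# Mechanisms that transmit the password itself (base64 is encoding, not encryption)
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def parse_ehlo(reply):
    """Map each EHLO keyword to its set of parameters ('250-KEY args' lines)."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        m = re.match(r"^250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:  # also accepts the legacy 'AUTH=LOGIN PLAIN' form
            caps.setdefault(m.group(1).upper(), set()).update(
                (m.group(2) or "").upper().split())
    return caps

def audit(before_tls, after_tls):
    """Return findings for one server, given its EHLO replies pre/post STARTTLS."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    exposed = sorted(pre.get("AUTH", set()) & PLAINTEXT_MECHS)
    if exposed:
        findings.append("AUTH " + "/".join(exposed) +
                        " offered before STARTTLS: password can cross the wire in the clear")
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: no way to encrypt the session")
    elif "AUTH" not in post:
        findings.append("no AUTH after STARTTLS: roaming users cannot authenticate to relay")
    return findings

# Constructed sample replies (not captured from any real server)
WEAK_BEFORE = """250-mail.example.org
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""
WEAK_AFTER = ""  # server never offered STARTTLS

HARDENED_BEFORE = """250-mail.example.org
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
HARDENED_AFTER = """250-mail.example.org
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, pair in (("weak", (WEAK_BEFORE, WEAK_AFTER)),
                       ("hardened", (HARDENED_BEFORE, HARDENED_AFTER))):
        print(name, audit(*pair) or "ok")
```

On Postfix, the hardened shape (AUTH advertised only inside TLS) is what `smtpd_tls_auth_only = yes` produces.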