IMAP servers

Matthew Seaman m.seaman at plasm.demon.co.uk
Sat Oct 14 15:48:48 BST 2000


On Fri, Oct 13, 2000 at 10:26:20AM +0100, Neil Ford wrote:
> Well I gave Cyrus a go but couldn't get a connection (from a pc running Outlook
> Express) so I tried imap-wu and it worked first time.

I've used UW imap, but never Cyrus.  UW imap generally works well, but
I have found from bitter experience that it doesn't mix with NFS
mounting home directories onto a mail server from a Solaris machine.

> My main aim is to not have passwords transmitted in plaintext. The box is only
> going to be used by Natalie and myself so the load's not going to be too great.
> As we will have shell access I want to try and keep things as tight as
> possible.

Heh.  Install UW imap and you've got shell access to the imap server
anyhow.  There's a FreeBSD security advisory with the details.

> So advice on how to get either Cyrus or imap-wu to only accept secure
> connections is what I'm looking for.

Two possibilities:

i) UW imapd has a built-in mechanism whereby you can create a link
from the installed imapd to /etc/rimapd.  If you then run /etc/rimapd
on the server via e.g. ssh it gives you a pre-authenticated session.
This is probably only useful with pine, which defaults to using this
mechanism out of the box.

Look at the file /usr/ports/mail/imap-uw/work/imap-4.7c/docs which
says in part:

STEP 3: optional rimap setup

     If you want to enable the rimap capability, which allows users with a
suitable client and .rhosts file on the server to access IMAP services
without transmitting her password in the clear over the network, you need
to have /etc/rimapd as a link to the real copy of imapd.  Assuming you have
imapd installed on /usr/local/etc as above:
        % ln -s /usr/local/etc/imapd /etc/rimapd

     Technical note: rimap works by having the client routine tcp_aopen()
invoke `rsh _host_ exec /etc/rimapd' in a child process, and then returning
pipes to that process' standard I/O instead of a TCP socket.  You can set up
`e-mail only accounts' by making the shell be something which accepts only
that string and not ordinary UNIX shell commands.


ii) There are a couple of SSL patch kits for UW imap --- as the FAQ says:

Q: Can I use SSL?
A: Unfortunately, due to US government export restrictions, the source code
    to our SSL IMAP patchkit is currently not available.  There are packages
    available from third parties to modify the IMAP toolkit to do SSL, or
    to tunnel IMAP and POP3 sessions through SSL.
   We are not happy about the restrictions (especially since our SSL IMAP
    patchkit is a very clean implementation), but our hands are tied.  The
    recent announcement about a relaxation of encryption restrictions does
    not apply to us, because we distribute free software in source form on
    a non-discriminatory basis.

but I've no idea where to get a legal copy of the patch kit, or even if that legal restriction still applies.

	Cheers,

	Matthew 

-- 
Dr Matthew J Seaman MA, D.Phil.                          26 The Paddocks
                                                         Savill Way
                                                         Marlow
Tel: +44 1628 476614                                     Bucks., SL7 1TH UK
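
Added example, not part of the original message or of the UW imap distribution: a login shell for the `e-mail only accounts' described in the quoted technical note, which runs /etc/rimapd only when handed exactly the string the client sends and refuses everything else. It assumes rshd or sshd passes the client's command to the account's shell as `-c 'exec /etc/rimapd'`; the install path /usr/local/libexec/rimapsh and the function names are hypothetical.

```shell
#!/bin/sh
# Login shell for an "e-mail only" account (added example).
# Assumption: installed as /usr/local/libexec/rimapsh (hypothetical path)
# and set as the account's shell, so rshd/sshd invoke it as:
#     rimapsh -c 'exec /etc/rimapd'

# The only command string this shell will accept, as given in the
# UW imap technical note quoted in the message.
RIMAP_CMD='exec /etc/rimapd'

# rimap_allowed ARGS...
# Succeeds only for exactly two arguments: "-c" and the rimap string.
# Comparison is on the whole string, so anything appended to it
# (for example "; sh") fails, as do interactive logins (no arguments).
rimap_allowed() {
    [ "$#" -eq 2 ] || return 1
    [ "$1" = "-c" ] || return 1
    [ "$2" = "$RIMAP_CMD" ] || return 1
    return 0
}

# rimap_main ARGS...
# Run imapd for the one permitted request, otherwise log and refuse.
rimap_main() {
    if rimap_allowed "$@"; then
        # Fixed path, not the client's string: nothing the client
        # sent is ever evaluated by a shell.
        exec /etc/rimapd
    fi
    logger -p auth.notice -t rimapsh \
        "refused non-rimap request for ${USER:-unknown}" 2>/dev/null
    echo "This account is for IMAP access only." >&2
    exit 1
}

# Act as a login shell only when run under the installed name;
# under any other name the file just defines the functions above.
case "$0" in
    */rimapsh) rimap_main "$@" ;;
esac
```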



