Martin DiViaio on Fri, 2 May 2003 20:26:08 -0400



Re: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)



The fact that UW-IMAPd dumped the file to me is not my problem. The fact
that the file dump was the CORRECT RESPONSE according to the IMAP
specifications is the problem. Whether Cyrus or Courier do the same thing is
really a moot point. Part of the problem is that IMAP is as much a file
protocol as it is a mail protocol. This tends to get forgotten when 
dealing with IMAP.

I know that there are things that can be done to limit an IMAP server's 
access to certain files. Everything from hacking the source code to force 
a service into the mail spool directory, (possible) configuration changes 
to chroot environments. The fact that these changes are (mostly) required 
points to problems at the protocol level.

A couple of other "features" of IMAP:

- Support for binary files

- Ability to UPLOAD files to the server

- Ability to run programs on the server

Reality Check: Most of these "features" are not implemented in most of
the IMAP programs currently available (except for maybe UW-IMAPd). I know
this. That doesn't make IMAP any less dangerous.

By the way, I'm not the only one making these kinds of noises about IMAP. 
Google isn't being very helpful for me at the moment so I can't give you a 
link. I do remember that a white-paper on the subject I read about a year 
ago started me looking very closely at an IMAP server I was in charge of 
at the time.


--
GPG Fingerprint: C900 18EF 0C36 4EAF A93C  F073 85D4 8B3C F3D8 077B


On the 2nd day of May in the year 2003 you wrote:

> Date: Fri, 2 May 2003 10:09:57 -0400 (EDT)
> From: Michael Leone <turgon@mike-leone.com>
> To: plug@lists.phillylinux.org
> X-Spam-Status: No, hits=-1.6 required=5.0
> 	tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,
> 	      SIGNATURE_LONG_SPARSE,SPAM_PHRASE_00_01
> 	version=2.44
> Subject: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)
> 
> 
> Martin DiViaio said:
> >
> > I once managed to convince an UW-IMAP server to dump the system password
> 
> Have you tried that with one of the better IMAP servers, such as Courier
> or Cyrus?
> 
> (I say "better", because the mailing lists I'm on have never thought all
> that highly of UW-IMAP, either for speed, security or capabilities, except
> perhaps for small home use)

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
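
The confinement the message mentions (forcing the service into the mail spool directory) can be shown as a path check on client-supplied mailbox names. This is an added example, not part of the original message and not code from UW-IMAP, Cyrus or Courier; `resolve_mailbox`, `check` and the layout (mailbox name used as a path relative to a per-user mail root) are assumptions.

```python
import os
import tempfile

class MailboxRejected(Exception):
    """Raised when a client-supplied mailbox name would leave the mail root."""

def resolve_mailbox(mail_root, name):
    """Map a mailbox name to a path, refusing anything outside mail_root (hypothetical helper)."""
    if not name or "\x00" in name:
        raise MailboxRejected("empty name or NUL byte")
    # Names a file-oriented server could treat as filesystem shortcuts.
    if name.startswith(("/", "~")):
        raise MailboxRejected("absolute or home-relative name")
    if ".." in name.split("/"):
        raise MailboxRejected("parent-directory component")
    root = os.path.realpath(mail_root)
    # realpath() follows symlinks, so a link inside the root that points
    # elsewhere is caught by the containment test below.
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise MailboxRejected("resolves outside mail root")
    return candidate

def check(mail_root, names):
    """Return {name: True/False} for a batch of requested mailbox names."""
    verdicts = {}
    for n in names:
        try:
            resolve_mailbox(mail_root, n)
            verdicts[n] = True
        except MailboxRejected:
            verdicts[n] = False
    return verdicts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        os.symlink("/etc", os.path.join(root, "link"))  # constructed symlink escape
        # Constructed sample requests, not taken from any real session.
        requests = ["INBOX", "lists/plug", "/etc/passwd", "../other/INBOX", "link/passwd"]
        for name, ok in check(root, requests).items():
            print(f"{name!r:20} {'allowed' if ok else 'rejected'}")
```

A check like this complements a chroot rather than replacing it: the check runs inside the server process, while the chroot still holds if the check is bypassed.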