Re: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)

Martin DiViaio on Fri, 2 May 2003 20:26:08 -0400

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)

From: Martin DiViaio <scatterbrained@usermail.com>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)

Date: Fri, 2 May 2003 20:24:58 -0400 (EDT)

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

The fact that UW-IMAPd dumped the file to me is not my problem. The fact that the file dump was the CORRECT RESPONSE according to the IMAP specifications is the problem. If Cyrus or Courier do the same thing is really a moot point. Part of the problem is that IMAP is as much a file protocol as it is a mail protocol. This tends to get forgotten when dealing with IMAP. I know that there are things that can be done to limit an IMAP server's access to certain files. Everything from hacking the source code to force a service into the mail spool directory, (possible) configuration changes to chroot environments. The fact that these changes are (mostly) required points to problems at the protocol level. A couple of other "features" of IMAP: - Support for binary files - Ability to UPLOAD files to the server - Ability to run programs on the server Reality Check: Most of these "features" are not implimented in most of the IMAP programs currently available (except for maybe UW-IMAPd). I know this. That doesn't make IMAP any less dangerous. By the way, I'm not the only one making these kinds of noises about IMAP. Google isn't being very helpful for me at the moment so I can't give you a link. I do remember that a white-paper on the subject I read about a year ago started me looking very closely at an IMAP server I was in charge of at the time. -- GPG Fingerprint: C900 18EF 0C36 4EAF A93C F073 85D4 8B3C F3D8 077B On the 2nd day of May in the year 2003 you wrote: > Date: Fri, 2 May 2003 10:09:57 -0400 (EDT) > From: Michael Leone <turgon@mike-leone.com> > To: plug@lists.phillylinux.org > X-Spam-Status: No, hits=-1.6 required=5.0 > tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, > SIGNATURE_LONG_SPARSE,SPAM_PHRASE_00_01 > version=2.44 > Subject: [PLUG] Re: IMAP insecurity (WAS: pop3 server?) > > > Martin DiViaio said: > > > > I once managed to convince an UW-IMAP server to dump the system password > > Have you tried that with one of the better IMAP servers, such as Courier > or Cyrus? > > (I say "better", because the mailing lists I'm on have never thought all > that highly of UW-IMAP, either for speed, security or capabilities, except > perhaps for small home use) _________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

References:

[PLUG] Re: IMAP insecurity (WAS: pop3 server?)
From: "Michael Leone" <turgon@mike-leone.com>

Prev by Date: Re: [PLUG] Help with Lawsuit

Next by Date: [PLUG] Multiple Channels?

Previous by thread: [PLUG] Re: IMAP insecurity (WAS: pop3 server?)

Next by thread: Re: [PLUG] pop3 server?

Index(es):

Date

Thread