james-server-dev mailing list archives

From Antony Bowesman <...@teamware.com>
Subject Re: [IMAP] Securing IMAP?
Date Thu, 27 Mar 2008 08:40:16 GMT
Robert Burrell Donkin wrote:

> IMAP is not a secure protocol. running securely means deviating from
> the specification. AIUI JAMES ships with standard configurations which
> are specification compliant.

Using STARTTLS, LOGINDISABLED and AUTHENTICATE with a non clear text SASL 
implementation is not deviating from the spec.

> seems foolish to allow an untrusted client to create a socket and then
> have the server retain the connection without logging in for at least
> 30 minutes before timing it out.

The 30 minute timer is 'autologout', so if the client has not authenticated, 
either with LOGIN or AUTHENTICATE, then technically, the client is not logged in, 
therefore the 30 minute timer does not apply.

> seems foolish to allow an untrusted client unlimited chances to login
> over the same TLS session

That statement is actually against the spec!  Section 11.2 states

    A server SHOULD have mechanisms in place to limit or delay failed
    AUTHENTICATE/LOGIN attempts.

> may want to be able to increase the difficulty of dictionary attacks
> by blocking connections from IPs which fail to login too many times.
> similarly, may want to block too many simultaneous connections from
> untrusted clients from the same IP which haven't been logged in.

Our IMAP server allows IP address blacklists and sends an immediate BYE response 
to a connecting client from any one of those addresses.  This is also spec 
conformant - see 7.1.4 (4).

In general, IMAP, although an old protocol with a number of problems, is still 
widely used and actively developed.  Just take a look at the imapext and 
Lemonade working groups.  Lemonade in particular specifically targets IMAP for 
use with mobile devices.  Our IMAP server provides secure IMAP service for 
mobile devices.

Antony
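A server-side model of the policies discussed in this message, added here as an illustration rather than code from James or from Antony's server: LOGINDISABLED until STARTTLS, limiting and delaying failed LOGIN/AUTHENTICATE attempts (section 11.2), and an IP blacklist answered with an untagged BYE (7.1.4), extended with Robert's suggestion of blacklisting an address after too many failures. The class name, the numeric limits and the sample addresses are assumptions.

```python
"""Server-side IMAP login policy (added illustration; not James's own code).

Models LOGINDISABLED until STARTTLS, limiting and delaying failed
LOGIN/AUTHENTICATE attempts (RFC 3501 section 11.2), and an IP blacklist
answered with an untagged BYE (RFC 3501 section 7.1.4). Limits are assumed.
"""
from collections import defaultdict

MAX_FAILS_PER_CONN = 3    # assumed: failures before the connection is dropped
MAX_FAILS_PER_IP = 10     # assumed: failures before an address is blacklisted
MAX_DELAY_SECONDS = 30    # assumed: cap on the per-failure backoff


def delay_for(fails):
    """Seconds to hold the tagged NO back after `fails` failures (2, 4, 8, ... capped)."""
    return min(2 ** fails, MAX_DELAY_SECONDS)


class ImapLoginPolicy:
    def __init__(self, blacklist):
        self.blacklist = set(blacklist)          # addresses answered with BYE
        self.fails_per_ip = defaultdict(int)     # failures across all connections

    def greeting(self, ip):
        """First line sent on a new socket; a blacklisted client gets BYE and is closed."""
        if ip in self.blacklist:
            return "* BYE connection from this address is not accepted"
        return "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"

    def capability(self, tls_active):
        """LOGINDISABLED is withdrawn only once STARTTLS has been negotiated."""
        if tls_active:
            return "* CAPABILITY IMAP4rev1 AUTH=PLAIN"
        return "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED"

    def login_attempt(self, tag, ip, conn, tls_active, credentials_ok):
        """Response to one LOGIN/AUTHENTICATE as (line, delay_seconds).

        `conn` is a per-connection dict holding that connection's failure
        count, so both the per-connection and the per-address limits apply."""
        if not tls_active:
            return f"{tag} NO LOGIN disabled until STARTTLS", 0
        if ip in self.blacklist:
            return "* BYE too many failed logins from this address", 0
        if credentials_ok:
            return f"{tag} OK LOGIN completed", 0
        conn["fails"] = conn.get("fails", 0) + 1
        self.fails_per_ip[ip] += 1
        if self.fails_per_ip[ip] >= MAX_FAILS_PER_IP:
            self.blacklist.add(ip)           # later sockets get BYE in greeting()
            return "* BYE too many failed logins from this address", 0
        if conn["fails"] >= MAX_FAILS_PER_CONN:
            return "* BYE too many failed logins on this connection", 0
        return f"{tag} NO LOGIN failed", delay_for(conn["fails"])
```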




