D&C GLug - Home Page


Re: [LUG] Mail server setup review

 

On Tuesday 19 April 2005 17:25, Martin White wrote:
> Sorry for the burst of posts from me today, trying to do a little catchup
> and refocusing :)
>
> A few weeks back I was asking about the whole scenario of getting my
> server to go and retrieve my mail and then serve it up to me locally via
> imap.
>
> I just want to know if I should be concerned about security at all.
> Currently, I have hardware nat on my router (well, software nat I guess -
> whatever it is it's on my router, which is also NOT my adsl gateway, it's
> on a different ip network to that).
>
> On the router that handles my internal network I have only opened up a
> port for squirrelmail, and that port is not 80, it's a port that I chose
> randomly so it wouldn't be quite so easy for someone to find.

But very easy for software to find when scanning

IMHO: Security by obscurity is no security at all. But it stops casual lamers 
I suppose.

I've got your ip address, if you like I can nmap you and tell you what port 
your squirrel is on :-)


> I've not yet implemented SSL on the squirrelmail login / connection since
> I got as far as I could with the time I had before having to work away.
>
> Is there anything I ought to review about this setup?
>
> Should I really be concerned about the lack of SSL to the web port?


I would put ssl on squirrel, I have done it in the past. You never know where 
you might want to check your mail from, it's too easy to sniff usernames and 
passwords on untrusted networks.

I've always been paranoid and added an extra http login before the squirrel 
page comes up. I'm not sure how much extra security this adds but it makes 
it more of a pain for anybody to break as there are now two sets of usernames 
and passwords to guess (if you keep them different). 

> Thanks for any comments as always.
>
> Martin.


-- 
Robin Cornelius
---------------------------------------------------
robin@xxxxxxxxxxxxxxxxxxxxx
http://www.cornelius.demon.co.uk
http://sourceforge.net/projects/rt2400
GPG Key ID: 0x729A79A23B7EE764
http://www.biglumber.com/x/web?qs=0x729A79A23B7EE764

Attachment: pgp00019.pgp
Description: PGP signature
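
Added example, not part of the original post: one way to apply both suggestions from the reply above (SSL on the webmail port, plus a separate HTTP login in front of the SquirrelMail page), assuming the webmail is served by Apache httpd with mod_ssl. The hostname, port number and file paths are placeholders, not values from the thread.

```apache
# Added example. Assumes Apache httpd 2.4 with mod_ssl and mod_auth_basic loaded.
# mail.example.org, port 8443 and all paths below are placeholders.
Listen 8443

<VirtualHost *:8443>
    ServerName mail.example.org

    # TLS on the webmail port, so neither login crosses an untrusted
    # network in clear text.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/mail.example.org.key

    Alias /webmail /usr/share/squirrelmail

    <Directory /usr/share/squirrelmail>
        # Extra HTTP login shown before the SquirrelMail login page.
        # Keep these credentials different from the IMAP account, so
        # there really are two sets to guess.
        AuthType Basic
        AuthName "Webmail"
        AuthUserFile /etc/apache2/webmail.htpasswd
        Require valid-user

        # Basic auth is only base64-encoded, so refuse any request to
        # this directory that did not arrive over TLS.
        SSLRequireSSL
    </Directory>
</VirtualHost>
```

The password file can be created with `htpasswd -c /etc/apache2/webmail.htpasswd <username>`. The port forward on the router then points at this TLS port only, with no plain-HTTP listener exposed.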