Re: [fw-wiz] i-cap proposals
nuqneH,
On Tue, Feb 15, 2005 at 02:08:59AM -0500, Carson Gaspar wrote:
> --On Sunday, February 13, 2005 12:10 PM +0300 ArkanoiD wrote:
> > Yes, IMAP is a content inspection nightmare - it was really insane to
> > design it the way each one of zillion ways to get an email sliced to
> > little pieces and sucked down is mandatory to be implemented on server
> > and, thus, on the proxy!
> No, it makes perfect sense. And it's why IMAP4 is the only mail client
> protocol that behaves well on low bandwidth links (and can be safely taken
> offline and re-sync'd). POP3 is the insane mail protocol. But I admit that
> proxying and scanning the content is much easier with stupid protocols.
1) Low-bandwidth links are close to extinct these days and never do
exist in organizations that require content scanning firewalls.
2) It is not insane that protocol allows such thing to be implemented.
It is insane that it is _mandatory_ to implement it.
3) Most imap clients use pop3-like subset: "get headers" and "get whole email".
They do not take real advantage of the protocol anyways.
> You really should be doing scanning on the server. If you don't control the
> server, why are you allowing people to access it?
Because people need access to their personal mailboxes out in the internet
from the workplace, and environments fascist enough to prohibit them
from doing it are not that common at all. So there should be a way to
minimize risks without being BOFH.
> If you insist on doing
> in-line scanning between the server and client, one option is to keep state
> on which messages have already been scanned during this session (pay
> attention to UIDVALIDITY). If any part (or any body part - see below) of a
> message which hasn't been scanned is fetched, do a full fetch in the proxy
> and scan it. If you trigger a scan on a header fetch, the user experience
> will suck, since most IMAP clients fetch from, date, and subject headers
> for a large subset of messages to display the mailbox summary.
Yep, that's the way it should be implemented. But here comes another problem:
application proxy should be _simple_. Now that's impossible.
My pop3 proxy is less than 1000 lines long, including comments, whitespace
and stuff. Even reasonable mime parser alone is bigger.
firewall-wizards mailing list
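The scan-on-first-body-fetch strategy Carson describes above (per-session cache keyed on UIDVALIDITY, header fetches passed through, any part fetch of an unscanned message turned into a full fetch plus scan), as an added example that is code from neither poster nor the list; the proxy class, the toy scanner callable and the two-message mailbox are hypothetical and constructed here:

```python
import re

# Fetch items that reveal only headers/metadata. Per the post, triggering a scan
# on these would ruin the mailbox summary, so the proxy forwards them unchanged.
HEADER_ONLY = re.compile(
    r"^(UID|FLAGS|INTERNALDATE|RFC822\.SIZE|ENVELOPE|BODYSTRUCTURE|BODY"
    r"|BODY(\.PEEK)?\[HEADER(\.FIELDS(\.NOT)? \(.*\))?\])$", re.I)


class ImapScanProxy:
    """Hypothetical per-session scan cache for an in-line IMAP proxy."""

    def __init__(self, scanner):
        self.scanner = scanner   # callable(raw_message) -> True when clean
        self.validity = {}       # mailbox -> UIDVALIDITY announced by the server
        self.verdicts = {}       # mailbox -> {uid: "clean" | "blocked"}

    def on_select(self, mailbox, uidvalidity):
        # A changed UIDVALIDITY means UIDs may have been reassigned, so every
        # cached verdict for that mailbox is stale and must be dropped.
        if self.validity.get(mailbox) != uidvalidity:
            self.validity[mailbox] = uidvalidity
            self.verdicts[mailbox] = {}

    def on_fetch(self, mailbox, uid, items, fetch_full):
        """Handle 'UID FETCH <uid> (<items>)'. Returns 'pass' (forwarded, no
        scan), 'clean' or 'blocked'. fetch_full(uid) pulls the whole message
        from the server so the scanner sees it in one piece, not as body parts."""
        if all(HEADER_ONLY.match(i) for i in items):
            return "pass"
        cache = self.verdicts.setdefault(mailbox, {})
        if uid not in cache:  # any body/part fetch of an unscanned UID: scan it all
            cache[uid] = "clean" if self.scanner(fetch_full(uid)) else "blocked"
        return cache[uid]


def demo():
    # Constructed mailbox; the toy scanner flags a constructed marker string.
    store = {1: "Subject: hi\r\n\r\nhello", 2: "Subject: x\r\n\r\nCONSTRUCTED-MARKER"}
    full_fetches = []
    fetch_full = lambda uid: (full_fetches.append(uid), store[uid])[1]
    proxy = ImapScanProxy(lambda raw: "CONSTRUCTED-MARKER" not in raw)
    proxy.on_select("INBOX", 100)
    summary = ["FLAGS", "BODY.PEEK[HEADER.FIELDS (FROM DATE SUBJECT)]"]
    r = [proxy.on_fetch("INBOX", 1, summary, fetch_full),          # no scan
         proxy.on_fetch("INBOX", 1, ["BODY.PEEK[1]"], fetch_full),  # full scan
         proxy.on_fetch("INBOX", 1, ["BODY[TEXT]"], fetch_full),    # cached
         proxy.on_fetch("INBOX", 2, ["RFC822"], fetch_full)]        # blocked
    proxy.on_select("INBOX", 101)                                   # UIDVALIDITY changed
    r.append(proxy.on_fetch("INBOX", 1, ["BODY[]"], fetch_full))    # rescanned
    return r, full_fetches
```

Running `demo()` yields the verdicts `["pass", "clean", "clean", "blocked", "clean"]` and full fetches of UIDs `[1, 2, 1]`, the last one caused by the UIDVALIDITY change invalidating the cache.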