Setting up IMAP on Linux? - Security

This is a discussion on Setting up IMAP on Linux? - Security ; One of the things that have always puzzled me is that Linux comes with everything plus the kitchen sink, and yet it doesn't include an IMAP server. It used to come with one that sucked. Anyway, every time I get ...

+ Reply to Thread
Page 1 of 2 1 2 LastLast
Results 1 to 20 of 31

Thread: Setting up IMAP on Linux?

  1. Setting up IMAP on Linux?

    One of the things that have always puzzled me is that Linux comes with
    everything plus the kitchen sink, and yet it doesn't include an IMAP
    server. It used to come with one that sucked.

    Anyway, every time I get a new Linux box, I go to the University of
    Washington and get their IMAP server. It seems to be the most decent
    out there. (do we agree so far?)

    // begin criticism
    (1) How come the folks at UofWash have no clue about ./configure and
    autoconf? This kind of software gives Linux a bad name and plenty of
    ammunition to Wintards.
    (2) Their source code is filled with insecure calls, vulnerabilites to
    buffer overflow attacks, such as 'gets' and 'tmpnam.' How hard can it
    be to fix this?
    // end criticism

    Anyway, my concern is this:

    + Building in full compliance with RFC 3501 security
    + requirements:
    ++ TLS/SSL encryption is supported
    ++ Unencrypted plaintext passwords are prohibited

    The documentation says that I have to get OpenSSL. My box is a RHEL4,
    I use ssh all the time, so I don't need any extra software for the SSL
    encyption. Is this correct?

    TIA,

    -Ramon


  2. Re: Setting up IMAP on Linux?

    On 2007-05-29, Ramon F Herrera wrote:

    > One of the things that have always puzzled me is that Linux comes with
    > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > server. It used to come with one that sucked.


    You need to pick a better distro. All of the distros I know of
    have several IMAP servers from which to choose. Gentoo has
    Cyrus, Courier, and UW. Many distros have more choices (e..g
    dovecot).

    Personally, I think you're probably just trolling.

    --
    Grant Edwards grante Yow! Everybody is going
    at somewhere!! It's probably
    visi.com a garage sale or a disaster
    Movie!!

  3. Re: Setting up IMAP on Linux?

    Ramon F Herrera wrote:

    > One of the things that have always puzzled me is that Linux comes with
    > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > server. It used to come with one that sucked.


    Eh?

    > Anyway, every time I get a new Linux box, I go to the University of
    > Washington and get their IMAP server. It seems to be the most decent
    > out there. (do we agree so far?)


    No, I don't agree. It's a reference implementation (AFAICT) that is OK in
    practise, but can be bettered depending on needs.

    > // begin criticism
    > (1) How come the folks at UofWash have no clue about ./configure and
    > autoconf? This kind of software gives Linux a bad name and plenty of
    > ammunition to Wintards.


    See above.

    > (2) Their source code is filled with insecure calls, vulnerabilites to
    > buffer overflow attacks, such as 'gets' and 'tmpnam.' How hard can it
    > be to fix this?
    > // end criticism


    I guess Mark Crispin would be happy to take patches. Writing a patch shows
    willing. Mark works for a University (obviously) as I used to and much of
    this *may* be done as a side project - in as much as he probably gets lots
    of day to day work to do too, so his time may be limited. I don't know, but
    I'm offering a defence as to why it may not be all that you hoped. At least
    he wrote one, released it and it does work and for that he should be
    recognised.

    > Anyway, my concern is this:
    >
    > + Building in full compliance with RFC 3501 security
    > + requirements:
    > ++ TLS/SSL encryption is supported
    > ++ Unencrypted plaintext passwords are prohibited
    >
    > The documentation says that I have to get OpenSSL. My box is a RHEL4,
    > I use ssh all the time, so I don't need any extra software for the SSL
    > encyption. Is this correct?


    You should have no trouble building WU-IMAP on RH-anything.

    Anyway, there are several other IMAP servers, the one that would probably
    most interest you is Dovecot: www.dovecot.org

    It can be dropped in place of WU-IMAP and offers many more features and
    active development. It's trivial (ish) to set up.

    Cheers

    Tim


  4. Re: Setting up IMAP on Linux?

    On May 29, 2:06 pm, Grant Edwards wrote:
    > On 2007-05-29, Ramon F Herrera wrote:
    >
    > > One of the things that have always puzzled me is that Linux comes with
    > > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > > server. It used to come with one that sucked.

    >
    > You need to pick a better distro. All of the distros I know of
    > have several IMAP servers from which to choose. Gentoo has
    > Cyrus, Courier, and UW. Many distros have more choices (e..g
    > dovecot).
    >


    > Personally, I think you're probably just trolling.


    Nope, no trolling here...

    I *have* to use one of the enterprise versions, per Oracle mandate,
    and I hate the SuSe traitors (I wiped out their distro the day they
    announced they are a M$ slave now), so my only choice is RHEL. That
    is a given.

    I should have said: "How come RH Linux doesn't come with IMAP?". Hope
    you're happy now.

    Peace,

    -Ramon



  5. Re: Setting up IMAP on Linux?

    On May 29, 2:12 pm, Tim S wrote:

    > At least he wrote one, released it and it does
    > work and for that he should be recognised.


    Furthermore, he invented and created IMAP. That kind of thing can
    never be stressed enough. Let's make sure that all the readers know
    this.

    -Ramon



  6. Re: Setting up IMAP on Linux?

    In comp.os.linux.misc Grant Edwards wrote:
    > On 2007-05-29, Ramon F Herrera wrote:


    >> One of the things that have always puzzled me is that Linux comes with
    >> everything plus the kitchen sink, and yet it doesn't include an IMAP
    >> server. It used to come with one that sucked.


    > You need to pick a better distro. All of the distros I know of


    Not at all.

    > have several IMAP servers from which to choose. Gentoo has
    > Cyrus, Courier, and UW. Many distros have more choices (e..g
    > dovecot).


    > Personally, I think you're probably just trolling.


    Bingo, at least dovecot and cyrus come with RHEL 4. For more
    alternatives just grab the excellent rpms from Dag Wieers.

    --
    Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
    mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
    #bofh excuse 100: IRQ dropout

  7. Re: Setting up IMAP on Linux?

    Ramon F Herrera wrote:
    > On May 29, 2:06 pm, Grant Edwards wrote:
    >> On 2007-05-29, Ramon F Herrera wrote:
    >>
    >>> One of the things that have always puzzled me is that Linux comes with
    >>> everything plus the kitchen sink, and yet it doesn't include an IMAP
    >>> server. It used to come with one that sucked.

    >> You need to pick a better distro. All of the distros I know of
    >> have several IMAP servers from which to choose. Gentoo has
    >> Cyrus, Courier, and UW. Many distros have more choices (e..g
    >> dovecot).
    >>

    >
    > > Personally, I think you're probably just trolling.

    >
    > Nope, no trolling here...
    >
    > I *have* to use one of the enterprise versions, per Oracle mandate,
    > and I hate the SuSe traitors (I wiped out their distro the day they
    > announced they are a M$ slave now), so my only choice is RHEL. That
    > is a given.
    >
    > I should have said: "How come RH Linux doesn't come with IMAP?". Hope
    > you're happy now.
    >
    > Peace,
    >
    > -Ramon


    I've moved away from RH, but ES3 came with imap-2002d-9.i386.rpm which
    installed the UW POP and IMAP daemons. Are you installing the desktop
    or the server version of RH?

  8. Re: Setting up IMAP on Linux?

    Ramon F Herrera wrote:
    > One of the things that have always puzzled me is that Linux comes with
    > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > server. It used to come with one that sucked.


    That really surprises me. You've mentioned RHEL4. CentOS and Whitebox
    Linux (both free RHEL clones) offer cyrus-imapd pacakges (on CD #3 in
    both cases). I'd be quite surprised if it isn't included with RHEL too.

    [snip]
    > The documentation says that I have to get OpenSSL. My box is a RHEL4,
    > I use ssh all the time, so I don't need any extra software for the SSL
    > encyption. Is this correct?


    That's probably not correct. You've got the OpenSSH client program and
    run-time libraries. But to compile something that uses OpenSSL you'll
    need the -dev or -devel packages too. On Debian, that would be the
    libssl-dev package. There should be a similarly named -devel package in
    RHEL.

  9. Re: Setting up IMAP on Linux?

    On 2007-05-29, Michael Heiming wrote:
    > In comp.os.linux.misc Grant Edwards wrote:
    >> On 2007-05-29, Ramon F Herrera wrote:

    >
    >>> One of the things that have always puzzled me is that Linux comes with
    >>> everything plus the kitchen sink, and yet it doesn't include an IMAP
    >>> server. It used to come with one that sucked.

    >
    >> You need to pick a better distro. All of the distros I know of

    >
    > Not at all.


    I was giving the OP the benefit of the doubt in assuming he was
    telling the truth about what was included in his distro.
    Apparently I shouldn't have.

    >> have several IMAP servers from which to choose. Gentoo has
    >> Cyrus, Courier, and UW. Many distros have more choices (e..g
    >> dovecot).

    >
    >> Personally, I think you're probably just trolling.

    >
    > Bingo, at least dovecot and cyrus come with RHEL 4. For more
    > alternatives just grab the excellent rpms from Dag Wieers.


    Dovecot always seems to be mentioned in a positive light when I
    hear about it, so I'm thinking about giving it a try. I'm
    currently using courier-imap, but I find its maildir directory
    naming scheme really annoying.

    --
    Grant Edwards grante Yow! Gibble, Gobble, we
    at ACCEPT YOU ...
    visi.com

  10. Re: Setting up IMAP on Linux?

    Zawartość nagłówka ["Followup-To:" comp.os.linux.security.]
    On 29.05.2007, Ramon F Herrera wrote:
    > One of the things that have always puzzled me is that Linux comes with
    > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > server. It used to come with one that sucked.
    >
    > Anyway, every time I get a new Linux box, I go to the University of
    > Washington and get their IMAP server. It seems to be the most decent
    > out there. (do we agree so far?)


    I wouldn't agree. How about Courier-IMAP, Dovecot or Cyrus IMAP? Are
    there worse than UW IMAP server?

    > // begin criticism
    > (1) How come the folks at UofWash have no clue about ./configure and
    > autoconf? This kind of software gives Linux a bad name and plenty of
    > ammunition to Wintards.


    Maybe they don't like autotools? What kind of accusations do you have
    against their current build system? And why won't you use binary
    packages, as any good admin would do?

    > (2) Their source code is filled with insecure calls, vulnerabilites to
    > buffer overflow attacks, such as 'gets' and 'tmpnam.' How hard can it
    > be to fix this?


    I don't know, but their software (wu-ftpd) used to have some bugs.

    --
    Secunia non olet.
    Stanislaw Klekot

  11. Re: Setting up IMAP on Linux?

    Zawartość nagłówka ["Followup-To:" comp.os.linux.security.]
    On 29.05.2007, John-Paul Stewart wrote:
    > Ramon F Herrera wrote:
    >> One of the things that have always puzzled me is that Linux comes with
    >> everything plus the kitchen sink, and yet it doesn't include an IMAP
    >> server. It used to come with one that sucked.

    >
    > That really surprises me. You've mentioned RHEL4. CentOS and Whitebox
    > Linux (both free RHEL clones) offer cyrus-imapd pacakges (on CD #3 in
    > both cases). I'd be quite surprised if it isn't included with RHEL too.


    Cyrus IMAP is *not* an UW IMAP server. Cyrus IMAP isn't even hosted on
    University of Washington.

    --
    Secunia non olet.
    Stanislaw Klekot

  12. Re: Setting up IMAP on Linux?

    On May 29, 2:56 pm, Douglas O'Neal wrote:
    > Ramon F Herrera wrote:
    > > On May 29, 2:06 pm, Grant Edwards wrote:
    > >> On 2007-05-29, Ramon F Herrera wrote:

    >
    > >>> One of the things that have always puzzled me is that Linux comes with
    > >>> everything plus the kitchen sink, and yet it doesn't include an IMAP
    > >>> server. It used to come with one that sucked.
    > >> You need to pick a better distro. All of the distros I know of
    > >> have several IMAP servers from which to choose. Gentoo has
    > >> Cyrus, Courier, and UW. Many distros have more choices (e..g
    > >> dovecot).

    >
    > > > Personally, I think you're probably just trolling.

    >
    > > Nope, no trolling here...

    >
    > > I *have* to use one of the enterprise versions, per Oracle mandate,
    > > and I hate the SuSe traitors (I wiped out their distro the day they
    > > announced they are a M$ slave now), so my only choice is RHEL. That
    > > is a given.

    >
    > > I should have said: "How come RH Linux doesn't come with IMAP?". Hope
    > > you're happy now.

    >
    > > Peace,

    >
    > > -Ramon

    >
    > I've moved away from RH, but ES3 came with imap-2002d-9.i386.rpm which
    > installed the UW POP and IMAP daemons. Are you installing the desktop
    > or the server version of RH?


    Server. I don't work with desktops at all.

    -Ramon



  13. Re: Setting up IMAP on Linux?

    On May 29, 3:01 pm, "Stachu 'Dozzie' K."
    wrote:
    > Zawartość nagłówka ["Followup-To:" comp.os.linux.security.]
    > On 29.05.2007, Ramon F Herrera wrote:
    >
    > > One of the things that have always puzzled me is that Linux comes with
    > > everything plus the kitchen sink, and yet it doesn't include an IMAP
    > > server. It used to come with one that sucked.

    >
    > > Anyway, every time I get a new Linux box, I go to the University of
    > > Washington and get their IMAP server. It seems to be the most decent
    > > out there. (do we agree so far?)

    >
    > I wouldn't agree. How about Courier-IMAP, Dovecot or Cyrus IMAP? Are
    > there worse than UW IMAP server?
    >
    > > // begin criticism
    > > (1) How come the folks at UofWash have no clue about ./configure and
    > > autoconf? This kind of software gives Linux a bad name and plenty of
    > > ammunition to Wintards.

    >
    > Maybe they don't like autotools? What kind of accusations do you have
    > against their current build system? And why won't you use binary
    > packages, as any good admin would do?
    >
    > > (2) Their source code is filled with insecure calls, vulnerabilites to
    > > buffer overflow attacks, such as 'gets' and 'tmpnam.' How hard can it
    > > be to fix this?

    >


    > I don't know, but their software (wu-ftpd) used to have some bugs.



    Different universities. I should know, because one of them is my alma
    mater. The University of Washington (IMAP) is public, located in
    Washington state. The ftp software is based at Washington University
    in St. Louis, Missouri. It is a private school. (ENG '86)

    There are about 17 universities and colleges in the US with the word
    "Washington" in their name.

    http://www.washington.edu (imap)
    http://www.wustl.edu (wu-ftpd)

    -Ramon



  14. Re: Setting up IMAP on Linux?

    On May 29, 2:56 pm, Douglas O'Neal wrote:
    > Ramon F Herrera wrote:
    > > On May 29, 2:06 pm, Grant Edwards wrote:
    > >> On 2007-05-29, Ramon F Herrera wrote:

    >
    > >>> One of the things that have always puzzled me is that Linux comes with
    > >>> everything plus the kitchen sink, and yet it doesn't include an IMAP
    > >>> server. It used to come with one that sucked.
    > >> You need to pick a better distro. All of the distros I know of
    > >> have several IMAP servers from which to choose. Gentoo has
    > >> Cyrus, Courier, and UW. Many distros have more choices (e..g
    > >> dovecot).

    >
    > > > Personally, I think you're probably just trolling.

    >
    > > Nope, no trolling here...

    >
    > > I *have* to use one of the enterprise versions, per Oracle mandate,
    > > and I hate the SuSe traitors (I wiped out their distro the day they
    > > announced they are a M$ slave now), so my only choice is RHEL. That
    > > is a given.

    >
    > > I should have said: "How come RH Linux doesn't come with IMAP?". Hope
    > > you're happy now.

    >
    > > Peace,

    >
    > > -Ramon

    >
    > I've moved away from RH, but ES3 came with
    > imap-2002d-9.i386.rpm which
    > installed the UW POP and IMAP daemons.


    This is what I have in RHEL4:

    % grep imap cdrom-?
    cdrom-4:./RedHat/RPMS/cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm
    cdrom-4:./RedHat/RPMS/cyrus-imapd-devel-2.2.12-3.RHEL4.1.i386.rpm
    cdrom-4:./RedHat/RPMS/cyrus-imapd-murder-2.2.12-3.RHEL4.1.i386.rpm
    cdrom-4:./RedHat/RPMS/cyrus-imapd-nntp-2.2.12-3.RHEL4.1.i386.rpm
    cdrom-4:./RedHat/RPMS/cyrus-imapd-utils-2.2.12-3.RHEL4.1.i386.rpm
    cdrom-5:./RedHat/RPMS/php-imap-4.3.9-3.15.i386.rpm

    Anyway, I just downloaded dovecot (thanks Stachu & Tim S.!). I am
    quite impressed.

    http://www.dovecot.org

    -Ramon



  15. Re: Setting up IMAP on Linux?

    On 29.05.2007, Ramon F Herrera wrote:
    > > I don't know, but their software (wu-ftpd) used to have some bugs.

    >
    >
    > Different universities. I should know, because one of them is my alma
    > mater. The University of Washington (IMAP) is public, located in
    > Washington state. The ftp software is based at Washington University
    > in St. Louis, Missouri. It is a private school. (ENG '86)
    >
    > There are about 17 universities and colleges in the US with the word
    > "Washington" in their name.


    Oh, I didn't know that. Sorry for confusing them. I should have check
    the names more thoroughly.

    --
    Secunia non olet.
    Stanislaw Klekot

  16. Re: Setting up IMAP on Linux?

    On May 29, 3:01 pm, "Stachu 'Dozzie' K." >
    > Maybe they don't like autotools?
    > What kind of accusations do you have
    > against their current build system?


    In my experience everybody in the *ux universe loves autotools, but
    they simply don't have the time/expertise to add it. I have donated it
    to several OSS projects (the most important and complex being the
    Asterisk software PBX). Every single OSS developer that I have
    approached with the question: "How would you like to have autoconf?"
    has answered (very) positively.

    > And why won't you use binary
    > packages, as any good admin would do?


    Binary packages? Are you kidding me? What do you think I am, a
    Windowdope sysadmin? :-) I used to work in the same building as
    Richard Stallman, fer crying out loud.

    -Ramon



  17. Re: Setting up IMAP on Linux?

    On 29.05.2007, Ramon F Herrera wrote:
    > On May 29, 3:01 pm, "Stachu 'Dozzie' K." >
    >> Maybe they don't like autotools?
    >> What kind of accusations do you have
    >> against their current build system?

    >
    > In my experience everybody in the *ux universe loves autotools,


    Like Boost people? Like people using SCons? Like Postfix and Exim guys?

    >> And why won't you use binary
    >> packages, as any good admin would do?

    >
    > Binary packages? Are you kidding me? What do you think I am, a
    > Windowdope sysadmin? :-) I used to work in the same building as
    > Richard Stallman, fer crying out loud.


    Don't you use package management system? You're installing software in
    `./configure && make mess' way? Binary packages were thought out for
    ease of installing most of the software.

    --
    Secunia non olet.
    Stanislaw Klekot

  18. Re: Setting up IMAP on Linux?

    Ramon F Herrera writes:

    > On May 29, 2:56 pm, Douglas O'Neal wrote:
    >> Ramon F Herrera wrote:
    >>
    >> > I should have said: "How come RH Linux doesn't come with IMAP?". Hope
    >> > you're happy now.

    >>

    > This is what I have in RHEL4:
    >
    > % grep imap cdrom-?
    > cdrom-4:./RedHat/RPMS/cyrus-imapd-2.2.12-3.RHEL4.1.i386.rpm


    So, it does come with an IMAP server, after all. Next time, wait a bit more
    before ranting.


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (GNU/Linux)

    iD8DBQBGXKyYx9p3GYHlUOIRAuFsAJ9yM03anTXBOt2Carn0Et Z7uWKBZACfWdft
    EOWZP3zgjZsxM6eqKrBrp3c=
    =Umet
    -----END PGP SIGNATURE-----


  19. Re: Setting up IMAP on Linux?

    Ramon F Herrera writes:

    > (2) Their source code is filled with insecure calls,


    No, it's not.

    > vulnerabilites to
    > buffer overflow attacks, such as 'gets' and 'tmpnam.'


    Here's a free clue for you, Einstein: not every call to gets() or tmpnam()
    is automatically insecure. Did you actually look at the code, and see what
    it does?

    > How hard can it
    > be to fix this?


    How hard it would be for you to know what you're talking about?


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (GNU/Linux)

    iD8DBQBGXK16x9p3GYHlUOIRArvlAJ98pfAPnmXhMQ95sSpJ5z XIuPUmGwCfS8hz
    7W8VFxStVMwrslbxNfv+XyI=
    =Wz7f
    -----END PGP SIGNATURE-----


  20. Re: Setting up IMAP on Linux?

    On May 29, 5:47 pm, Sam wrote:
    > Ramon F Herrera writes:
    > > (2) Their source code is filled with insecure calls,

    >
    > No, it's not.
    >
    > > vulnerabilites to
    > > buffer overflow attacks, such as 'gets' and 'tmpnam.'

    >
    > Here's a free clue for you, Einstein: not every call to gets() or tmpnam()
    > is automatically insecure. Did you actually look at the code, and see what
    > it does?
    >
    > > How hard can it
    > > be to fix this?

    >
    > How hard it would be for you to know what you're talking about?
    >
    > application_pgp-signature_part
    > 1KDownload



    You obviously don't believe in defensive programming.

    Given a choice, I will pick a software that doesn't produce such
    warnings when compiled and that has a standard, flexible and universal
    installation procedure in different platforms (*ix platforms, that
    is).


    Dovecot builds and installs beautifully under autoconfig and doesn't
    give me worrisome error messages which are either:

    (1) Indication of sloppy programming.
    (2) Presuming that the user should look at the code and understand
    why the use of dangerous deprecated functions is unavoidable (I highly
    doubt it) and for some mysterious reason justifiable.

    I always vote with my pocket and I just did it. Dovecot is my choice.

    -Ramon



+ Reply to Thread
Page 1 of 2 1 2 LastLast