Firewall Wizards mailing list archives

Re: IMAP- how to protect a server?


From: jacob carlson <twitch () ifsec com>
Date: Thu, 3 Jun 1999 09:37:42 -0400

On Jun 01, Aaron D. Turner wrote:

> Currently our company uses POP3 for email (yuck) with a box in the DMZ
> proxying traffic to the internal mailserver through a FW-1 box.
>
> Anyways, I'm trying to come up with the best way to deploy an IMAP/SSL
> server to replace POP3.
>
> The thing is that we are trying our best to secure the email
> from would-be unfriendlies, and I'd rather not have the mail folders
> sitting in the DMZ.  And of course, I don't want to punch a hole
> through the firewall and put the IMAP server on the internal network.
> NFS between an IMAP server in the DMZ and the mail folder server
> in the Internal net isn't a good idea either.
>
> So what is the 'proper' way of doing this?

I am assuming that you have users that want to be able to get their mail
from the Internet, right?  If so then unfortunately the best(?) way to
accomplish this ridiculousness with fw-1 is via either (a) SecuRemote (which
has its own problems I do not want to even address here) or (b) putting the
IMAP server in a secured DMZ and allowing IMAP traffic to pass only after
authenticating to the firewall (using some non-trivial authentication
mechanism, e.g. s/key, SecurID, /etc.).  And yes, doing it over SSL is a
Good Idea.

> Also, can anyone recommend a powerful, secure, compliant IMAP server?

I cannot =).

->me


