[wplug-bsd] Dovecot IMAP and FreeBSD

Bill Moran wmoran at potentialtech.com
Fri Nov 12 08:23:10 EST 2004


Brandon Kuczenski <brandon at 301south.net> wrote:
> Bill -- IIRC, you recommended the 'dovecot' IMAP client.  I installed the
> port because it seems to do everything I want it to do, and be
> straightforward to configure.
> 
> However, because I anticipate that IMAP will be the most-used service of
> this box once I enable it (replacing ssh), I want to make sure I got the
> security right.
> 
> First of all, I don't have to use SSL as long as I use an md5-style
> password-hashing routine, right?  Then passwords are encrypted but emails
> themselves are sent in plaintext?

That's correct.  Personally, I don't consider this secure enough.  I
prefer to encrypt so my mails can't be read in transit, but I'm pretty
paranoid.

> Second, I don't want my users to use their shell account passwords for
> IMAP.  It looks as though I can specify one file (say, /etc/passwd) for
> the user database, and then use a separate file (say, /etc/imap.passwd)
> for the password repository.  My question: how do I create the password
> hashes that go in that password file?

I dodged this problem by using SSL and forcing users to send their
passwords in the "clear" (which really isn't in the clear, since it's
SSL encrypted).  I'm also keeping the user list in MySQL (although I
plan to move to Postgres).

However, if you use the pw command to maintain your password files (which
is a PITA, but works) you can use -V to give it an alternate location
for the files.

> I think those are all my questions.  Then, am I correct in saying that
> I can open port 143 (and, obviously, start dovecot) and people can connect
> to port 143, authenticate securely, and read their mail from remote?

Sounds like you're on the right track.

-- 
Bill Moran
Potential Technologies
http://www.potentialtech.com
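
Added example, not part of the original message: the thread does not name the "md5-style" mechanism, so this sketch assumes CRAM-MD5 (RFC 2195) and shows both sides of the exchange, what crosses port 143, and why the server-side password file must hold the shared secret rather than a one-way hash. The function names and the hostname are hypothetical; the sample values are the RFC 2195 test vector.

```python
import base64
import hashlib
import hmac
import os
import time


def make_challenge(hostname="mail.example.org"):  # hostname is a placeholder
    """Server side: a fresh, unpredictable challenge for every login attempt."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()


def client_response(user, password, challenge):
    """Client side: send HMAC-MD5(password, challenge), never the password."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode())


def server_verify(secrets, challenge, response_b64):
    """Server side: recompute the HMAC from the stored secret and compare.

    `secrets` maps user -> shared secret. The server needs the secret itself
    (or an equivalent HMAC precomputation); a one-way crypt hash such as the
    ones in the system password database cannot be used to verify this.
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, _, digest = decoded.rpartition(" ")
    secret = secrets.get(user)
    if secret is None:
        return None
    expected = hmac.new(secret.encode(), challenge, hashlib.md5).hexdigest()
    ok = hmac.compare_digest(expected.encode(), digest.encode())
    return user if ok else None


if __name__ == "__main__":
    # RFC 2195 test vector: user "tim", shared secret "tanstaaftanstaaf".
    challenge = b"<1896.697170952@postoffice.reston.mci.net>"
    response = client_response("tim", "tanstaaftanstaaf", challenge)
    print("S: +", base64.b64encode(challenge).decode())
    print("C:", response.decode())
    print("authenticated as:",
          server_verify({"tim": "tanstaaftanstaaf"}, challenge, response))
    # Without SSL, every command and message after this point is cleartext.
```

Only the challenge and the keyed digest appear on the wire, and a captured response fails against any later challenge, but the secret file on the server is password-equivalent and needs file permissions to match.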

