[wplug-bsd] Dovecot IMAP and FreeBSD

Tom Rhodes trhodes at FreeBSD.org
Fri Nov 12 11:14:04 EST 2004


On Fri, 12 Nov 2004 08:23:10 -0500
Bill Moran <wmoran at potentialtech.com> wrote:

> Brandon Kuczenski <brandon at 301south.net> wrote:
> > Bill -- IIRC, you recommended the 'dovecot' IMAP client.  I installed the
> > port because it seems to do everything I want it to do, and be
> > straightforward to configure.
> > 
> > However, because I anticipate that IMAP will be the most-used service of
> > this box once I enable it (replacing ssh), I want to make sure I got the
> > security right.
> > 
> > First of all, I don't have to use SSL as long as I use an md5-style
> > password-hashing routine, right?  Then passwords are encrypted but emails
> > themselves are sent in plaintext?
> 
> That's correct.  Personally, I don't consider this secure enough.  I
> prefer to encrypt so my mails can't be read in transit, but I'm pretty
> paranoid.

This could be done in most Unix systems by plugging GnuPG into the
email client; many MUAs support it (sylpheed, pine, ...).

> 
> > Second, I don't want my users to use their shell account passwords for
> > IMAP.  It looks as though I can specify one file (say, /etc/passwd) for
> > the user database, and then use a separate file (say, /etc/imap.passwd)
> > for the password repository.  My question: how do I create the password
> > hashes that go in that password file?
> 
> I dodged this problem by using SSL and forcing users to send their
> passwords in the "clear" (which really isn't in the clear, since it's
> SSL encrypted).  I'm also keeping the user list in MySQL (although I
> plan to move to Postgres).

Did you have to give out user certificates though?

> 
> However, if you use the pw command to maintain your password files (which
> is a PITA, but works) you can use -V to give it an alternate location
> for the files.

... pw(8) was never designed to be used by mere mortals.  :P

> 
> > I think those are all my questions.  Then, am I correct in saying that
> > I can open port 143 (and, obviously, start dovecot) and people can connect
> > to port 143, authenticate securely, and read their mail from remote?
> 
> Sounds like you're on the right track.

Want to be cool?  Write up a walk-through for people.  :)

-- 
Tom Rhodes
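Brandon's question about how to generate the hashes for a separate IMAP password file (such as /etc/imap.passwd) is left unanswered above, so here is an added example that is not part of this thread: a pure-Python port of FreeBSD's MD5-crypt ($1$) construction that builds and verifies passwd-style `user:hash` lines offline. The line format, the user name and the passwords are assumptions for illustration.

```python
# Added example, not the thread's code: MD5-crypt ($1$) hashes for a
# separate passwd-style IMAP password file (user:hash lines assumed).
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    # crypt(3)'s little-endian base64 variant, 6 bits per character
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out

def md5crypt(password: str, salt: str) -> str:
    # Same construction as FreeBSD's crypt-md5.c for "$1$<salt>$"
    pw, sl, magic = password.encode(), salt[:8].encode(), b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for plen in range(len(pw), 0, -16):       # mix in MD5(pw, salt, pw)
        ctx.update(alt[:min(16, plen)])
    i = len(pw)
    while i:                                  # bit-walk over len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    out = "".join(_to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
                  for x, y, z in order) + _to64(final[11], 2)
    return "$1$" + sl.decode() + "$" + out

def make_entry(user: str, password: str) -> str:
    # One line for the IMAP-only password file, fresh random salt each time
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{md5crypt(password, salt)}"

def check_entry(entry: str, password: str) -> bool:
    # Re-hash with the stored salt and compare in constant time
    stored = entry.split(":", 1)[1]
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5crypt(password, salt), stored)
```

Each `make_entry` line can be appended to the IMAP-only password file so users never reuse their shell password for port 143.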

