On Thu, Mar 26, 2009 at 04:59:07PM -0700, Florin Andrei wrote:
> I want to read my email on the iPhone. To do that, I have 2 options:
> 1. VPN
> 2. IMAP-over-SSL
>
> #1 is a bit convoluted, I already run a VPN server, with OpenVPN, but
> the iPhone doesn't have an OpenVPN client. Running *two* VPN networks
> seems excessive for a small personal server - not that the machine
> cannot handle it, but it just feels too complicated for the task at hand.
>
> #2 would be easy to implement, just poke a hole in the firewall for the
> imaps port. But then there's the issue of security, of course.
>
> I am running cyrus-imapd-2.3.7 on CentOS 5.x
>
> How comfortable y'all are with exposing Cyrus IMAPd's imaps port to the
> big wild Internet?
> Do you see the SELinux confinement as a must-have in this context, or
> are you okay with running it without any such MAC protections?

We don't actually use SSL directly within Cyrus, instead using nginx
with SSL on our frontend servers, proxying to the backends.

This is mainly for load balancing, but it does also mean that the nginx
server can be run with zero privileges for anything else. It doesn't give
any protection from authenticated users (once the login is finished, the
traffic is just directly proxied to the backend), but it does mean
unauthenticated users don't have direct access to the cyrus imapds.

If you're paranoid, that might be worth doing!

That said, like everyone else has mentioned - Cyrus has been around for a
long time, and has a good security track record.

Bron.

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
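
The frontend arrangement described in the reply above, sketched as an added example (not part of the original message and not the poster's own configuration). It assumes nginx built with the mail and mail SSL modules, a Cyrus backend speaking plain IMAP only on an internal address, and an HTTP authentication endpoint at 127.0.0.1:9000 that is not shown; the hostname, paths and ports are placeholders.

```nginx
# Added example: every hostname, path, address and port below is a placeholder.
user  nginx;                  # workers run as an unprivileged account
worker_processes  auto;

events {
    worker_connections  1024;
}

mail {
    server_name  mail.example.org;

    # nginx handles the pre-login conversation itself. For each login it
    # queries this HTTP endpoint, which must answer with "Auth-Status: OK"
    # and the backend to use ("Auth-Server" / "Auth-Port"), or with an
    # error text in Auth-Status to reject the attempt. Until that succeeds,
    # the client never talks to a Cyrus imapd process.
    auth_http  127.0.0.1:9000/auth;

    # TLS terminates here, so Cyrus needs no certificate or key of its own.
    ssl_certificate      /etc/nginx/tls/mail.example.org.crt;
    ssl_certificate_key  /etc/nginx/tls/mail.example.org.key;
    ssl_protocols        TLSv1.2 TLSv1.3;

    # Only what nginx advertises before login; after login the session is
    # passed through to the backend unchanged.
    imap_auth          plain login;
    imap_capabilities  "IMAP4rev1" "UIDPLUS" "IDLE";

    server {
        listen    993 ssl;    # the only mail port opened on the firewall
        protocol  imap;
        proxy     on;
    }
}
```

The backend imapd should accept connections only from the frontend's address, since the hop between nginx and Cyrus is cleartext in this layout.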