Mirrors/imapsync
1
0
Fork 0
mirror of https://github.com/imapsync/imapsync.git synced 2024-11-17 00:02:29 +01:00
Code Issues Releases Activity
542d5057ea
imapsync/FAQ.d/FAQ.Security.txt
Nick Bebout 62531f58cd 1.920
2019-07-02 18:17:46 -05:00

218 lines
7.7 KiB
Plaintext
Raw Blame History

#!/bin/cat
# $Id: FAQ.Security.txt,v 1.19 2018/09/13 17:53:45 gilles Exp gilles $
This document is also available online at
https://imapsync.lamiral.info/FAQ.d/
https://imapsync.lamiral.info/FAQ.d/FAQ.Security.txt
=======================================================================
Imapsync tips about security. Issues and solutions.
=======================================================================
SSL: going to encryption before the imap session start.
It is on port 993.
TLS: going to encryption after the imap session start but before
the credential are sent. It is on port 143.
=======================================================================
Q. Is running this program a secure method of transferring emails?
Are there any security concerns?
R. Well, it depends. Use encryption, secure the access to the host running
imapsync and everything shall be safe.
=======================================================================
Q. I noticed that the online UI has no option for TLS/SSL
Is this secure? Is this more secure that using the .bat file
on my computer?
R1. The online UI does TLS/SSL imap connections if the imap
servers support TLS/SSL. If you are concerned by security then
using the .bat file or .sh on your computer should be more secure
since you can examine and secure it by yourself, no matter high is
your paranoïd spirit. The online UI security is mine, I am
concerned by security, not to the upmost high level possible
but I won't give you direct access to the host to discover my level.
With a good guy spirit, feel free to try to break the online UI
security and report me any security issue you encounter, I'll do my
best to fix them as soon as possible. Drop me a note before
starting because I may detect a sort of abuse and ban
definitively your IPs.
=======================================================================
Q. Are transferred emails/attachments stored on any other
server/location aside from my originating/destination server(s)?
R. No!
=======================================================================
Q. Other than changing passwords on the originating/destination email
accounts once the relevant emails have been moved,
are there any other security tips I should know?
R. Secure the host where imapsync is running since credentials are
on it.
=======================================================================
Q. I need to transfer mail from an imap server to an other imap server.
Which ports need to be open on the firewall to make this possible?
R. It depends. Open either:
* port 143 in basic (no special option) or tls mode (--tls1 or --tls2)
* port 993 in ssl mode (--ssl1 or --ssl2)
=======================================================================
Q. Does imapsync support IMAP TLS?
R1. Yes.
Use --tls1 and/or --tls2 options:
--tls1 tells imapsync to use tls on host1.
--tls2 tells imapsync to use tls on host2.
R2. Since imapsync release 1.755 TLS mode is activated automatically
if the server announce it supports it, STARTTLS inside the response
to CAPABILITY, and if neither --notls nor --ssl is explicitely
mentioned on the command line options.
=======================================================================
Q. Does imapsync support IMAP over SSL (IMAPS)?
R. Yes natively since release 1.161.
Still, there are 2 ways, at least, to use ssl:
a) Use native --ssl1 and/or --ssl2 options
--ssl1 tells imapsync to use ssl on host1.
--ssl2 tells imapsync to use ssl on host2.
b) Use stunnel
http://www.stunnel.org/
Use stunnel3 command since stunnel now usually calls
stunnel4 or stunnel5 and the command line options syntax
has changed (option "-c" not recognized for example).
Assuming there is an imaps (993) server on imap.foo.org,
on your localhost machine (or bar machine), run:
stunnel3 -c -d imap -r imap.foo.org:imaps -f
or using numbers instead of names:
stunnel3 -c -d 143 -r imap.foo.org:993 -f
then use imapsync on localhost (or bar machine) imap (143) port.
If the local port 143 is already taken then use a free one,
like 10143 for example.
c) Other example for accessing gmail with no local root access
to open port 143
stunnel3 -P '' -c -d 9993 -r imap.gmail.com:993 -f
Then, to access gmail as host2 use:
imapsync ... --host2 localhost --port2 9993 --nossl2
=======================================================================
Q.How can I test an ssl imap connection without imapsync?
R1. Use either ncat or telnet-ssl or openssl commands like in the
following examples with imap.gmail.com server:
ncat --ssl -C imap.gmail.com 993
telnet-ssl -z ssl imap.gmail.com 993
openssl s_client -crlf -connect imap.gmail.com:993
The previous commands are interactive, hit ctrl-c
to finish them. If you want to finish automatically, then use:
{ sleep 2; echo "a logout"; sleep 1; } | ncat --ssl -C imap.gmail.com 993
=======================================================================
Q. How can I manually test a login via ssl?
R. Use either ncat or telnet-ssl or openssl commands like in the
following examples with imap.gmail.com server:
ncat --ssl -C imap.gmail.com 993
telnet-ssl -z ssl imap.gmail.com 993
openssl s_client -crlf -connect imap.gmail.com:993
Tipical dialog for an imap LOGIN command:
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
a LOGIN "gilles.lamiral@gmail.com" "secret"
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
a OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
b LOGOUT
* BYE LOGOUT Requested
b OK 73 good day (Success)
The client part you have to type is
a LOGIN ...
b LOGOUT
while replacing ... by your credentials values.
=======================================================================
Q.How can I test an tls imap connection without imapsync?
R1. Use openssl command like the following example with
an outlook.office365.com server:
openssl s_client -crlf -starttls imap -connect outlook.office365.com:143
The previous commands are interactive, hit ctrl-c
to finish them. If you want to finish automatically, then use:
{ sleep 2; echo "a logout"; sleep 1; } | openssl s_client -crlf -starttls imap -connect outlook.office365.com:143
Replace outlook.office365.com with your imap server name.
======================================================================
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
How can I change this back to the more secure SSL_VERIFY_PEER?
R2. After imapsync 1.673,
to set SSL_verify_mode to SSL_VERIFY_PEER on host1
and SSL_verify_mode to SSL_VERIFY_NONE on host2
imapsync ... --ssl1 --ssl2 \
--sslargs1 SSL_verify_mode=1 \
--sslargs2 SSL_verify_mode=0
See perldoc IO::Socket::SSL for all possibilities, also at
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL
It might be possible you need an extra:
--sslargs1 SSL_ca_file=/etc/ssl/certs/ca-certificates.crt
to help the ssl software verifying the server certificate.
The file ca-certificates.crt may be elsewhere on your system, even
named differently.
=======================================================================
Q: How to have an imaps server?
R.
a) Install one
b) or use stunnel :
Assuming there is an imap (143) server on localhost
stunnel -d 993 -r 143 -f
c) or use stunnel on inetd
imaps stream tcp nowait cyrus /usr/sbin/stunnel -s cyrus -p /etc/ssl/certs/imapd.pem -r localhost:imap2
=======================================================================
=======================================================================
View Git Blame Copy Permalink