mirror of
https://github.com/imapsync/imapsync.git
synced 2024-11-17 00:02:29 +01:00
314 lines
11 KiB
Plaintext
314 lines
11 KiB
Plaintext
#!/bin/cat
|
|
# $Id: FAQ.Security.txt,v 1.26 2021/07/11 12:11:38 gilles Exp gilles $
|
|
|
|
This document is also available online at
|
|
https://imapsync.lamiral.info/FAQ.d/
|
|
https://imapsync.lamiral.info/FAQ.d/FAQ.Security.txt
|
|
|
|
=======================================================================
|
|
Imapsync tips about security. Issues and solutions.
|
|
=======================================================================
|
|
|
|
Questions answered in this FAQ are:
|
|
|
|
Q. Is running this program a secure method of transferring emails?
|
|
Are there any security concerns?
|
|
|
|
Q. Does imapsync refer to SSL security protocols with --ssl1 and --ssl2
|
|
and does it refer to TLS security protocols with the --tls1 and --tls2
|
|
options?
|
|
Short answer: No.
|
|
|
|
Q. I noticed that the online UI has no option for TLS/SSL.
|
|
Is this secure?
|
|
Is this more secure than using the .bat file on my computer?
|
|
|
|
Q. Are transferred emails/attachments stored on any other
|
|
server/location aside from my originating/destination server(s)?
|
|
|
|
Q. Other than changing passwords on the originating/destination email
|
|
accounts once the relevant emails have been moved,
|
|
are there any other security tips I should know?
|
|
|
|
Q. I need to transfer mail from an imap server to another imap server.
|
|
Which ports need to be open on the firewall to make this possible?
|
|
|
|
Q. Does imapsync support the IMAP command STARTTLS?
|
|
|
|
Q. Does imapsync support IMAP over SSL/TLS (IMAPS)?
|
|
|
|
Q. How can I test an ssl/tls imap connection without imapsync?
|
|
|
|
Q. How can I manually test login using --ssl?
|
|
|
|
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
|
|
How can I change this back to the more secure SSL_VERIFY_PEER?
|
|
|
|
Q: How can I have an imaps server?
|
|
|
|
Now the questions again with their answers.
|
|
|
|
=======================================================================
|
|
Q. Is running this program a secure method of transferring emails?
|
|
Are there any security concerns?
|
|
|
|
R. Well, it depends. Use encryption and secure access to the host running
|
|
imapsync then everything shall be safe.
|
|
|
|
=======================================================================
|
|
Q. Does imapsync refer to SSL security protocols with --ssl1 and --ssl2
|
|
and does it refer to TLS security protocols with the --tls1 and --tls2
|
|
options?
|
|
Short answer: No.
|
|
|
|
R. No.
|
|
|
|
Imapsync behaviour:
|
|
|
|
--ssl: Goes to encryption before the imap session start.
|
|
The connection is on port 993.
|
|
Can use the TLS or SSL security protocols.
|
|
Fails if encryption cannot be established.
|
|
|
|
--tls: Goes to encryption after the imap session start but before the
|
|
credential are sent.
|
|
The connection is on port 143.
|
|
Can use the TLS or SSL securityprotocols.
|
|
Fails if encryption cannot be established.
|
|
|
|
Explanation:
|
|
|
|
To force transferring emails over an encrypted connection, you can use
|
|
the imapsync parameters --ssl1 and --ssl2 or the parameters --tls1 and
|
|
--tls2, they all force the connection to be encrypted by the security
|
|
protocols series SSL/TLS.
|
|
|
|
In a security context, SSL refers to all deprecated Secure Sockets
|
|
Layer protocols. TLS refers to the SSL successors, Transport Layer
|
|
Security protocols. But TLS 1.0 and TLS 1.1 are also deprecated.
|
|
|
|
Current endorsed versions of TLS are only TLS 1.2 and TLS 1.3 (July 2021).
|
|
|
|
The whole story is detailed here:
|
|
https://en.wikipedia.org/wiki/Transport_Layer_Security
|
|
|
|
Options --ssl1 and --ssl2 are a little more paranoid than --tls1 and
|
|
--tls2 because they verify that the hostname of the certificate is the
|
|
same as the one used by imapsync. Other than that, the security
|
|
behavior is the same.
|
|
|
|
=======================================================================
|
|
Q. I noticed that the online UI has no option for TLS/SSL.
|
|
Is this secure?
|
|
Is this more secure than using the .bat file on my computer?
|
|
|
|
R1. The online UI does TLS/SSL imap connections if the imap servers
|
|
support TLS/SSL.
|
|
|
|
If you are concerned about security then using the .bat file or .sh on
|
|
your computer should be more secure since you can examine and secure
|
|
it by yourself, no matter high is your paranoid spirit compared to
|
|
mine.
|
|
|
|
The online UI security is mine, I am concerned by security, not to the
|
|
utmost high level possible but I won't give you direct access to the
|
|
host to discover my level. With a good guy spirit, feel free to try
|
|
to break the online UI security and report me any security issue you
|
|
encounter, I'll do my best to fix them as soon as possible. Drop me a
|
|
note before starting because I may detect a sort of abuse and ban your
|
|
IPs.
|
|
|
|
=======================================================================
|
|
Q. Are transferred emails/attachments stored on any other
|
|
server/location aside from my originating/destination server(s)?
|
|
|
|
R. No!
|
|
|
|
=======================================================================
|
|
Q. Other than changing passwords on the originating/destination email
|
|
accounts once the relevant emails have been moved,
|
|
are there any other security tips I should know?
|
|
|
|
R. Yes. Secure the host where imapsync is running since credentials
|
|
are on it.
|
|
|
|
=======================================================================
|
|
Q. I need to transfer mail from an imap server to another imap server.
|
|
Which ports need to be open on the firewall to make this possible?
|
|
|
|
R. It depends. Open either:
|
|
* port 143 in basic (no special option) or tls mode (--tls1 or --tls2)
|
|
* port 993 in ssl mode (--ssl1 or --ssl2)
|
|
|
|
=======================================================================
|
|
Q. Does imapsync support the IMAP command STARTTLS?
|
|
|
|
R1. Yes.
|
|
|
|
Use --tls1 and --tls2 options:
|
|
|
|
--tls1 tells imapsync to use STARTTLS on host1.
|
|
--tls2 tells imapsync to use STARTTLS on host2.
|
|
|
|
R2. Since imapsync release 1.755 STARTTLS mode is activated
|
|
automatically when the server announces that it supports it by
|
|
listing STARTTLS inside the response to the CAPABILITY command.
|
|
If either --notls or --ssl are explicitly mentioned on the
|
|
command-line options then STARTTLS won't be done.
|
|
|
|
=======================================================================
|
|
Q. Does imapsync support IMAP over SSL/TLS (IMAPS)?
|
|
|
|
R. Yes natively since release 1.161.
|
|
Still, there are 2 ways, at least, to use ssl:
|
|
|
|
a) Use native --ssl1 and/or --ssl2 options
|
|
|
|
--ssl1 tells imapsync to use ssl/tls on host1.
|
|
--ssl2 tells imapsync to use ssl/tls on host2.
|
|
|
|
|
|
b) Use stunnel
|
|
http://www.stunnel.org/
|
|
Use stunnel3 command since stunnel now usually calls
|
|
stunnel4 or stunnel5 and the command line options syntax
|
|
has changed (option "-c" not recognized for example).
|
|
|
|
Assuming there is an imaps (993) server on imap.foo.org,
|
|
on your localhost machine (or bar machine), run:
|
|
|
|
stunnel3 -c -d imap -r imap.foo.org:imaps -f
|
|
|
|
or using numbers instead of names:
|
|
|
|
stunnel3 -c -d 143 -r imap.foo.org:993 -f
|
|
|
|
then use imapsync on localhost (or bar machine) imap (143) port.
|
|
If the local port 143 is already taken then use a free one,
|
|
like 10143 for example.
|
|
|
|
c) Another example for accessing Gmail with no local root access
|
|
to open port 143:
|
|
|
|
stunnel3 -P '' -c -d 9993 -r imap.gmail.com:993 -f
|
|
|
|
Then, to access Gmail as host2 use:
|
|
|
|
imapsync ... --host2 localhost --port2 9993 --nossl2
|
|
|
|
|
|
=======================================================================
|
|
Q.How can I test an ssl/tls imap connection without imapsync?
|
|
|
|
R1. Use either ncat or telnet-ssl or openssl commands like in the
|
|
following examples with imap.gmail.com server:
|
|
|
|
ncat --ssl -C imap.gmail.com 993
|
|
|
|
telnet-ssl -z ssl imap.gmail.com 993
|
|
|
|
openssl s_client -crlf -connect imap.gmail.com:993
|
|
|
|
The previous commands are interactive, hit ctrl-c
|
|
to finish them. If you want to finish automatically, then use:
|
|
|
|
{ sleep 2; echo "A LOGOUT"; sleep 1; } | ncat --ssl -C imap.gmail.com 993
|
|
|
|
|
|
=======================================================================
|
|
Q. How can I manually test login using --ssl?
|
|
|
|
R. Use either ncat or telnet-ssl or openssl commands like in the
|
|
following examples with imap.gmail.com server:
|
|
|
|
ncat --ssl -C imap.gmail.com 993
|
|
|
|
telnet-ssl -z ssl imap.gmail.com 993
|
|
|
|
openssl s_client -crlf -connect imap.gmail.com:993
|
|
|
|
Typical dialog for an imap LOGIN command:
|
|
|
|
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
|
|
A1 LOGIN "gilles.lamiral@gmail.com" "secret"
|
|
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
|
|
A1 OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
|
|
A2 LOGOUT
|
|
* BYE LOGOUT Requested
|
|
A2 OK 73 good day (Success)
|
|
|
|
The client part you have to type is
|
|
A1 LOGIN ...
|
|
A2 LOGOUT
|
|
while replacing ... by your credentials values,
|
|
other lines are the server responses.
|
|
|
|
=======================================================================
|
|
Q. How can I test a STARTTLS imap connection without imapsync?
|
|
|
|
R1. Use openssl command like the following example with
|
|
an outlook.office365.com server:
|
|
|
|
openssl s_client -crlf -starttls imap -connect outlook.office365.com:143
|
|
|
|
The previous commands are interactive, hit ctrl-c
|
|
to finish them. If you want to finish automatically, then use:
|
|
|
|
{ sleep 2; echo "a logout"; sleep 1; } | openssl s_client -crlf -starttls imap -connect outlook.office365.com:143
|
|
|
|
Replace outlook.office365.com with your imap server name.
|
|
|
|
======================================================================
|
|
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
|
|
How can I change this back to the more secure SSL_VERIFY_PEER?
|
|
|
|
|
|
R. After imapsync 1.673,
|
|
to set SSL_verify_mode to SSL_VERIFY_PEER on host1
|
|
and SSL_verify_mode to SSL_VERIFY_NONE on host2
|
|
|
|
imapsync ... --ssl1 --ssl2 \
|
|
--sslargs1 SSL_verify_mode=1 \
|
|
--sslargs2 SSL_verify_mode=0
|
|
|
|
See "perldoc IO::Socket::SSL" for all possibilities, also at
|
|
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL
|
|
|
|
It might be possible you need an extra option
|
|
|
|
--sslargs1 SSL_ca_file=/etc/ssl/certs/ca-certificates.crt
|
|
|
|
to help the ssl software verifying the server certificate.
|
|
The file ca-certificates.crt may be elsewhere on your system, even
|
|
named differently.
|
|
|
|
The imap server certificates are not checked for authenticity
|
|
by imapsync by default because too many imap servers are crappy
|
|
configured regarding certified certificates.
|
|
|
|
This default behavior is chosen like this because users
|
|
want their emails transferred, instead of being not transferred
|
|
because of an incompetent imap server sysadmin.
|
|
|
|
I admit that this part, checking imap ssl/tls certificates,
|
|
could be improved from my side by including well known
|
|
certificates directly in imapsync.
|
|
Drop me a note to encourage me, I'm lazy.
|
|
|
|
=======================================================================
|
|
Q: How can I have an imaps server?
|
|
|
|
R. Three solutions.
|
|
|
|
a) Install one
|
|
|
|
b) or use stunnel :
|
|
Assuming there is an imap (143) server on localhost
|
|
stunnel -d 993 -r 143 -f
|
|
|
|
c) or use stunnel on inetd
|
|
imaps stream tcp nowait cyrus /usr/sbin/stunnel -s cyrus -p /etc/ssl/certs/imapd.pem -r localhost:imap2
|
|
|
|
=======================================================================
|
|
=======================================================================
|