imapsync/FAQ.d/FAQ.Security.txt
Nick Bebout 137242e609 1.727
2016-09-19 10:17:24 -05:00


#!/bin/cat
# $Id: FAQ.Security.txt,v 1.9 2016/08/19 17:53:21 gilles Exp gilles $
This documentation is also at http://imapsync.lamiral.info/#doc
=======================================================
Imapsync tips about security. Issues and solutions.
=======================================================
=======================================================================
Q. Does imapsync support IMAP TLS?
R. Yes. Use the --tls1 and/or --tls2 options (STARTTLS on the plain IMAP port, usually 143):
--tls1 tells imapsync to use TLS on host1.
--tls2 tells imapsync to use TLS on host2.
=======================================================================
Q. Does imapsync support IMAP over SSL (IMAPS)?
R. Yes, natively since release 1.161.
Still, there are at least three ways to use SSL:
a) Use the native --ssl1 and/or --ssl2 options
--ssl1 tells imapsync to use SSL on host1.
--ssl2 tells imapsync to use SSL on host2.
b) Use stunnel
http://www.stunnel.org/
Assuming there is an imaps (993) server on imap.foo.org,
on your localhost machine (or bar machine) run:
stunnel -c -d imap -r imap.foo.org:imaps
or, using numbers instead of names:
stunnel -c -d 143 -r imap.foo.org:993
then use imapsync on the localhost (or bar machine) imap (143) port.
If the local port 143 is already taken then use a free one, e.g. 10143.
c) Another example, for Gmail, with no root access to open port 143:
stunnel -f -P '' -c -d 9993 -r imap.gmail.com:993
Then, to access Gmail as host2, use:
imapsync ... --host2 localhost --port2 9993 --nossl2
Note that these are stunnel 3 command-line flags; stunnel 4 and later
read a configuration file instead (client = yes, accept = ..., connect = ...).
Note also that with these flags stunnel does not verify the remote server
certificate (stunnel 3 verification level defaults to 0), so prefer the
native --ssl1/--ssl2 options with SSL_verify_mode=1 (see below) when you can.
=======================================================================
Q. How can I manually test a login via SSL?
R. Use ncat or telnet-ssl like in this example:
ncat --ssl -C imap.gmail.com 993
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
a LOGIN "gilles.lamiral@gmail.com" "secret"
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
a OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
b LOGOUT
* BYE LOGOUT Requested
b OK 73 good day (Success)
The client part to type is the "a LOGIN ..." line and the "b LOGOUT" line,
without the double-quotes around those two phrases (the double-quotes
around the user name and the password are part of the IMAP command).
Note that ncat --ssl does not check the server certificate unless you add
--ssl-verify, so a plain ncat --ssl session proves that the login works,
not that you are talking to the right server.
=======================================================================
Q. How to test an SSL IMAP connection without imapsync?
R. Use the openssl command like the following,
an example with the imap.gmail.com server:
openssl s_client -crlf -connect imap.gmail.com:993
The previous command is an interactive connection, hit ctrl-c
to finish it. If you want to finish it gently, then use:
{ sleep 2; echo "a logout"; sleep 1; } | openssl s_client -crlf -connect imap.gmail.com:993
By default s_client only reports certificate problems ("Verify return code")
and still completes the connection. Add -CAfile /etc/ssl/certs/ca-certificates.crt
(or your system's bundle) and -verify_return_error to make it fail instead;
that is the check you want before trusting a server with a password.
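The two manual tests above (ncat and openssl s_client) are interactive and verify nothing. Below is an added example, not part of imapsync or its FAQ, that turns the openssl s_client recipe into a non-interactive login check with the server certificate verified, plus the small pieces a practitioner needs around it: RFC 3501 quoting of the user name and password (a password containing a double-quote breaks a naive LOGIN line) and parsing of the tagged reply. The CA bundle path, the sample transcript (modelled on the Gmail exchange above with a placeholder address and the documentation IP 192.0.2.10) and the script name are assumptions.

```shell
#!/bin/sh
# Added example (not part of imapsync): scripted IMAP LOGIN over TLS with
# certificate verification, built on the openssl s_client invocation above.
#
# Usage: sh imaps-login-check.sh imap.example.org 993 user 'password'
# Assumes openssl s_client is installed and that $IMAP_CAFILE or the default
# bundle path below points at your system trust store.

# Quote a string as an IMAP quoted-string (RFC 3501): backslash and
# double-quote are escaped with a backslash, then the whole is wrapped.
imap_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# Print the status word (OK, NO or BAD) of the tagged reply for tag $1 in
# transcript $2. Prints nothing when the server never answered that tag.
imap_tagged_status() {
    printf '%s\n' "$2" | tr -d '\r' | awk -v tag="$1" '$1 == tag { print $2; exit }'
}

# Send LOGIN then LOGOUT and print the server side of the conversation.
# -verify_return_error makes s_client abort on a certificate error instead
# of only reporting it, -servername sends SNI so the right certificate is
# presented, -crlf turns our newlines into the CRLF that IMAP requires.
imaps_login_transcript() {
    host=$1; port=$2; user=$3; pass=$4
    cafile=${IMAP_CAFILE:-/etc/ssl/certs/ca-certificates.crt}   # assumed location
    {
        sleep 2
        printf 'a LOGIN %s %s\n' "$(imap_quote "$user")" "$(imap_quote "$pass")"
        sleep 2
        printf 'b LOGOUT\n'
        sleep 1
    } | openssl s_client -quiet -crlf -verify_return_error -CAfile "$cafile" \
            -servername "$host" -connect "$host:$port" 2>&1
}

# Overall check. Exit status: 0 = login accepted, 1 = login rejected,
# 2 = connection or certificate verification failure.
imaps_check() {
    if ! transcript=$(imaps_login_transcript "$1" "$2" "$3" "$4"); then
        printf 'connection or certificate verification failed for %s:%s\n%s\n' \
            "$1" "$2" "$transcript" >&2
        return 2
    fi
    status=$(imap_tagged_status a "$transcript")
    case $status in
        OK) printf 'login OK for %s on %s:%s\n' "$3" "$1" "$2"; return 0 ;;
        *)  printf 'login failed (%s) for %s on %s:%s\n%s\n' \
                "${status:-no tagged reply}" "$3" "$1" "$2" "$transcript" >&2
            return 1 ;;
    esac
}

# Constructed sample transcript (modelled on the Gmail exchange above, with
# a placeholder address) so the parsing can be exercised without a network.
SAMPLE_TRANSCRIPT='* OK Gimap ready for requests from 192.0.2.10 q1mb175739668wix
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ESEARCH
a OK user@example.com User Example authenticated (Success)
* BYE LOGOUT Requested
b OK 73 good day (Success)'

# Run the real check only when host, port, user and password are given.
if [ $# -ge 4 ]; then
    imaps_check "$1" "$2" "$3" "$4"
fi
```

Because of -verify_return_error, a server whose certificate does not chain to the bundle or does not match the name gives exit status 2 before any password is sent; pointing the script at such a host is the quickest way to confirm that verification is really active. The password is passed on the command line here for brevity, which exposes it to ps on a shared machine; in real use read it from a file with restrictive permissions, as imapsync does with --passfile1/--passfile2.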
======================================================================
Q. Imapsync used to use SSL_VERIFY_PEER, now it uses SSL_VERIFY_NONE.
How can I change this back to the more secure SSL_VERIFY_PEER?
R. Since imapsync 1.673 the --sslargs1 and --sslargs2 options pass any
IO::Socket::SSL parameter to the host1 and host2 connections.
SSL_verify_mode=1 is SSL_VERIFY_PEER and SSL_verify_mode=0 is SSL_VERIFY_NONE.
So, to set SSL_verify_mode to SSL_VERIFY_PEER on host1
and SSL_verify_mode to SSL_VERIFY_NONE on host2:
imapsync ... --ssl1 --ssl2 \
--sslargs1 SSL_verify_mode=1 \
--sslargs2 SSL_verify_mode=0
This example verifies host1 only. In practice use SSL_verify_mode=1 on
both hosts: an SSL_VERIFY_NONE connection accepts any certificate,
including one presented by a man in the middle, and the password goes
to whoever answers.
See perldoc IO::Socket::SSL for all possibilities, also at
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL
You may need an extra:
--sslargs1 SSL_ca_file=/etc/ssl/certs/ca-certificates.crt
to help the SSL software verify the server certificate
(SSL_ca_path pointing at a hashed certificate directory also works).
The file ca-certificates.crt may be elsewhere on your system, even
named differently.
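The following is an added example, not imapsync's own code, of a wrapper that runs imapsync with SSL_VERIFY_PEER on both hosts, finding the CA bundle first so that the SSL_ca_file argument is right on the usual distributions. The list of bundle locations, the SSL_CERT_FILE override and the script name are assumptions; it needs imapsync 1.673 or later for --sslargs1/--sslargs2, which may be repeated.

```shell
#!/bin/sh
# Added example (not from imapsync): run imapsync with the server certificate
# verified on both hosts (SSL_verify_mode=1 = SSL_VERIFY_PEER), locating the
# system CA bundle first.
# Usage: sh imapsync-verified.sh --host1 ... --user1 ... --host2 ... --user2 ...
# Assumes imapsync >= 1.673 is in $PATH; bundle paths below are the usual
# distro locations and are assumptions, adjust for your system.

# Print the first readable file among the arguments; status 1 if none.
first_readable() {
    for f in "$@"; do
        if [ -r "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# System CA bundle: honour $SSL_CERT_FILE if set, else try common locations
# (Debian/Ubuntu/Alpine, RHEL/CentOS, openSUSE, macOS/OpenBSD, FreeBSD).
ca_bundle_path() {
    first_readable \
        ${SSL_CERT_FILE:+"$SSL_CERT_FILE"} \
        /etc/ssl/certs/ca-certificates.crt \
        /etc/pki/tls/certs/ca-bundle.crt \
        /etc/ssl/ca-bundle.pem \
        /etc/ssl/cert.pem \
        /usr/local/share/certs/ca-root-nss.crt
}

# Append the verification options for both hosts to the caller's arguments
# with "set --", so every option stays a single argument (no eval, no word
# splitting of the CA path), then run imapsync.
imapsync_verified() {
    ca=$(ca_bundle_path) || { echo "no CA bundle found; set SSL_CERT_FILE" >&2; return 2; }
    set -- "$@" \
        --ssl1 --sslargs1 SSL_verify_mode=1 --sslargs1 "SSL_ca_file=$ca" \
        --ssl2 --sslargs2 SSL_verify_mode=1 --sslargs2 "SSL_ca_file=$ca"
    imapsync "$@"
}

if [ $# -gt 0 ]; then
    imapsync_verified "$@"
fi
```

With verification on, imapsync refuses to connect to a host whose certificate does not chain to the bundle or does not match the host name; that refusal, against a server you know to be misconfigured, is the way to prove the setting is in effect rather than silently ignored.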
=======================================================================
Q. How to have an imaps server?
R.
a) Install one
b) or use stunnel:
Assuming there is an imap (143) server on localhost
stunnel -d 993 -r 143 -f
c) or use stunnel on inetd
imaps stream tcp nowait cyrus /usr/sbin/stunnel -s cyrus -p /etc/ssl/certs/imapd.pem -r localhost:imap2
(imap2 is the /etc/services name of port 143; -p names the PEM file with
the server certificate and private key, which the user stunnel runs as,
here cyrus, must be able to read.)
These are again stunnel 3 flags. With stunnel 4 or later put the
equivalent in the configuration file: a section with accept = 993,
connect = 127.0.0.1:143 and cert = /etc/ssl/certs/imapd.pem.
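The stunnel command lines in this FAQ (client side in the IMAPS answer above, server side here) use stunnel 3 flags. As an added example that is not part of imapsync or stunnel, the shell function below writes the equivalent stunnel 4/5 configuration for both roles, with the client section verifying the remote certificate chain and host name, which the flag form never did. Host names, ports, the CA bundle and certificate paths are parameters or placeholders; verifyChain, checkHost and sni need stunnel 5 built against OpenSSL 1.0.2 or newer.

```shell
#!/bin/sh
# Added example (not from imapsync or stunnel): generate a stunnel 4/5
# configuration covering both uses shown in this FAQ.
#   client side: imapsync speaks plain IMAP to 127.0.0.1:<local port>,
#                stunnel opens TLS to <remote host>:993 and verifies it
#   server side: a local plain IMAP server on 127.0.0.1:143 exposed as IMAPS
# Usage: sh stunnel-imaps-conf.sh /etc/stunnel/imaps.conf imap.example.org 9993 \
#            /etc/ssl/certs/ca-certificates.crt /etc/stunnel/imapd.pem
# All paths and names are placeholders/assumptions, adjust them.

# $1 = output file, $2 = remote IMAPS host, $3 = local listen port for the
# client side, $4 = CA bundle for verification, $5 = server cert+key PEM.
write_stunnel_conf() {
    cat > "$1" <<EOF
; stunnel 4/5 configuration (added example)
foreground = yes

; client side: imapsync -> 127.0.0.1:$3 (plain) -> TLS -> $2:993
; verifyChain + checkHost reject a certificate that does not chain to
; CAfile or does not carry the expected host name; sni sends the name
[imaps-client]
client = yes
accept = 127.0.0.1:$3
connect = $2:993
verifyChain = yes
CAfile = $4
checkHost = $2
sni = $2

; server side: expose the local plain IMAP server (127.0.0.1:143) as IMAPS
[imaps-server]
accept = 993
connect = 127.0.0.1:143
cert = $5
EOF
}

if [ $# -eq 5 ]; then
    write_stunnel_conf "$1" "$2" "$3" "$4" "$5"
fi
```

Start it with "stunnel /etc/stunnel/imaps.conf" and point imapsync at the client side exactly as in the Gmail example above: --host2 127.0.0.1 --port2 9993 --nossl2, the TLS and the certificate check now being done by stunnel. Keep the client accept address on 127.0.0.1, since the hop between imapsync and stunnel is in clear.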