imapsync/FAQ.d/FAQ.Security.txt

#!/bin/cat
# $Id: FAQ.Security.txt,v 1.6 2016/02/07 21:49:52 gilles Exp gilles $

This documentation is also at http://imapsync.lamiral.info/#doc

=======================================================
  Imapsync tips about security. Issues and solutions.
=======================================================

=======================================================================
Q. Does imapsync support IMAP TLS?

R. Use --tls1 and/or --tls2 options

--tls1 tells imapsync to use tls on host1.
--tls2 tells imapsync to use tls on host2.


=======================================================================
Q. Does imapsync support IMAP over SSL (IMAPS)?

R. Yes natively since release 1.161. 
still, 2 ways, at least to use ssl:

a) Use native --ssl1 and/or --ssl2 options

--ssl1 tells imapsync to use ssl on host1.
--ssl2 tells imapsync to use ssl on host2.


b) Use stunnel
   http://www.stunnel.org/
   Assuming there is an imaps (993) server on imap.foo.org,
   on your localhost machine (or bar machine) run :
       stunnel -c -d imap -r imap.foo.org:imaps
   or using names instead of numbers 
       stunnel -c -d 143 -r imap.foo.org:993
   then use imapsync on localhost (or bar machine) imap (143) port.
   If the local port 143 is already taken then use a free one, 10143.

c) Other example for gmail with no root access to open port 143

   stunnel -f -P '' -c -d 9993 -r imap.gmail.com:993

Then, to access gmail as host2 use:

  imapsync ... --host2 localhost --port2 9993 --nossl2 


=======================================================================
Q. How can I manually test a login via ssl?

R. Use ncat or telnet-ssl like in this example:

ncat --ssl -C  imap.gmail.com 993
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
a LOGIN "gilles.lamiral@gmail.com" "secret" 
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
a OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
b LOGOUT
* BYE LOGOUT Requested
b OK 73 good day (Success)

The client part to type is "a LOGIN ..." and "b LOGOUT" without
the double-quotes. 


======================================================================
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
   How can I change this back to the more secure SSL_VERIFY_PEER?


R1. In function "sub set_ssl", replace 
  IO::Socket::SSL::SSL_VERIFY_NONE()
by
  IO::Socket::SSL::SSL_VERIFY_PEER()

R2. After imapsync 1.673, for example
    to set SSL_verify_mode to SSL_VERIFY_PEER on host1
    and    SSL_verify_mode to SSL_VERIFY_NONE on host2

  imapsync ...  --ssl1 --ssl2  \
                --sslargs1 SSL_verify_mode=1 \
                --sslargs2 SSL_verify_mode=0 \

See perldoc IO::Socket::SSL for all possibilities, also at
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL

C1. Don't do this manual change in function "sub set_tls",  
    it won't work by principle, because tls is done AFTER 
	the application level connexion is established.


=======================================================================
Q. How can I manually test a login via ssl?

R. Use ncat or telnet-ssl like in this example:

ncat --ssl -C  imap.gmail.com 993
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
a LOGIN "gilles.lamiral@gmail.com" "secret" 
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
a OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
b LOGOUT
* BYE LOGOUT Requested
b OK 73 good day (Success)

The client part to type is "a LOGIN ..." and "b LOGOUT" without
the double-quotes. 


=======================================================================
Q: How to have an imaps server?

R. 
a) Install one 

b) or use stunnel :
   Assuming there is an imap (143) server on localhost
        stunnel  -d 993 -r 143 -f

c) or use stunnel on inetd
   imaps stream  tcp nowait cyrus /usr/sbin/stunnel -s cyrus -p /etc/ssl/certs/imapd.pem -r localhost:imap2