expose scalix 9.4 imap port to internet

heupink
Posts: 146
Joined: Thu Jul 15, 2004 9:36 am
Location: netherlands

expose scalix 9.4 imap port to internet

Postby heupink » Sat Sep 01, 2007 4:02 am

Hi all,

The subject says it all: Is it safe to expose a scalix 9.4 imap port directly to the internet, or are there all kinds of security vulnerabilities I don't know about?

I'm asking, because I don't read much about scalix security problems. Does that mean there are none, or that they are repaired in silence with every new version that comes out?

Regards,
mj

btisdall
Scalix Star
Posts: 373
Joined: Tue Nov 22, 2005 12:13 pm

Postby btisdall » Sat Sep 01, 2007 2:41 pm

I can't speak about Scalix vulns, but if privacy is a concern you should probably offer your remote (and perhaps even internal) users IMAPS via stunnel & avoid exposing port 143 to the internet. Also consider SMTPS for authenticated relaying - again you can use stunnel for this.
Ben Tisdall
www.redcircleit.com
London
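An added example of the stunnel front-end Ben describes (this is not code from his post, nor from Scalix or stunnel): TLS is terminated on 993 and 465, the cleartext is handed to Scalix's own IMAP and SMTP listeners on loopback, and 143 is then closed to everything except that loopback hop. Assumed, and to be adjusted for a real installation: stunnel 4.x on Linux with iptables, a certificate and key in /etc/stunnel/mail.pem, and a dedicated `stunnel` system user.

```shell
#!/bin/sh
# Added example: stunnel as a TLS front-end for Scalix IMAP and SMTP.
# Not from the thread or from Scalix/stunnel; the paths, the backend
# address and the 'stunnel' user are assumptions.

# Print an stunnel.conf that accepts IMAPS/SMTPS and connects to the
# cleartext Scalix listeners on $1 (normally 127.0.0.1).
# $2 is the PEM file holding certificate and private key.
gen_stunnel_conf() {
    backend="$1"
    cert="$2"
    cat <<EOF
; generated by gen_stunnel_conf; stunnel treats ';' as a comment
cert = $cert
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/stunnel.pid
; refuse the protocol versions that were already broken in 2007
options = NO_SSLv2
options = NO_SSLv3

[imaps]
accept = 993
connect = $backend:143

[smtps]
accept = 465
connect = $backend:25
EOF
}

# On the Scalix host: cleartext IMAP reachable from loopback only, so the
# only way in from outside is through the TLS listener above.
# Port 25 is deliberately left alone here: if this host receives internet
# mail directly, other MTAs still need it.
restrict_imap_to_loopback() {
    iptables -A INPUT -p tcp --dport 143 -i lo -j ACCEPT
    iptables -A INPUT -p tcp --dport 143 -j REJECT --reject-with tcp-reset
}

# From a client outside: the IMAP greeting must arrive over TLS on 993,
# and a plain connection to 143 must be refused.
verify_from_outside() {
    host="$1"
    printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | openssl s_client -connect "$host:993" -quiet
    ! nc -z -w 3 "$host" 143
}

# Typical use on the Scalix host (as root):
#   gen_stunnel_conf 127.0.0.1 /etc/stunnel/mail.pem > /etc/stunnel/stunnel.conf
#   stunnel /etc/stunnel/stunnel.conf
#   restrict_imap_to_loopback
```

The verify step matters as much as the config: the whole point of the front-end is lost if 143 still answers from the outside, so check both halves from a host that is not on your LAN. Note that stunnel only protects the transport; whatever the Scalix IMAP daemon does with the commands it receives is unchanged, which is exactly the part of the question nobody in the thread can answer.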

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Sat Sep 01, 2007 9:11 pm

"Is it safe to continue using Scalix 9.4...?"
That is the real question.
I don't go back that far on Scalix, so I don't know if hackers can craft a command string that will break the server or let the hacker gain privileged access to the OS. This might be something for the old-timers with Scalix to tell you. That could affect other ports too, even SSL or the connector ports. But security risk can also be due to weaknesses in the OS, such as the one used at the time v9.4 was released.

So, if that is the case and you are concerned, what can you do?
1) upgrade the OS.
2) upgrade Scalix
3) Don't give Scalix access to any client on the internet, i.e., block all Scalix ports: 25, 143, 465, 993, 5729. Instead only give SWA access.
4) Use some sort of "bridge" to give clients on the internet safe access to your server, as suggested in the previous post. Another workaround is a VPN between client and server. Those can be a very taxing proposition, not only on you (on the server side), but especially on the end-users. Obviously this is not for everyone.

You should seriously consider the upgrade path.
Jaime

heupink
Posts: 146
Joined: Thu Jul 15, 2004 9:36 am
Location: netherlands

Postby heupink » Sun Sep 02, 2007 3:58 am

Currently we are using the vpn option: nothing is exposed to the internet, to check mail, you need to setup vpn first.

This works fine, but with too many clients outside (so: vpn) at the same time, we are running into bandwidth problems. Things get slow.

That's why I asked about exposing the IMAP port. I know all the risks of the older operating system, etc.; I just never read about Scalix security issues.

Anyway, given your answers, we'll just continue to use the VPN solution until the time has come to upgrade the OS and also Scalix itself.

Thanks!

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Sun Sep 02, 2007 8:31 am

You are not completely out of options yet. If you still want to keep your "old" server I can think of at least 4 other options:

1) move the VPN server to another server (very fast), and have that proxy the connections to the scalix server for you, including the connector for OL clients

2) Depending on your firewall, open all email ports and let it do the screening for malicious traffic. CheckPoint for example has a feature called "Smart Defense" which is quite impressive. That's what we use.

3) Use another server to do port forwarding for you. This can be substantially hardened to do the same job the previous option would do: sniff for malicious strings. You could also change the ports from the standard email ports, to something above 10000, and only inform your clients about it.

4) Since you only mentioned IMAP, I'm assuming you don't care about MAPI for some of these clients. So you could set up yet another server (same as in 3), with SquirrelMail for example, and give that as a webmail alternative to SWA, and relieve the pressure on the Scalix server. I also have that in our setup, but that is because some clients prefer SquirrelMail over SWA (me included).
Last edited by jaime.pinto on Sun Sep 02, 2007 8:59 am, edited 1 time in total.
Jaime
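Option 3 above as an added example (not code from Jaime's post): a separate Linux host acts as the bridge, listens on a high port, and rewrites each connection to IMAPS on the Scalix server, so nothing on the internet ever addresses the Scalix host directly. The interface name eth0, the address 10.0.0.5 and the port numbers are assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example: a forwarding "bridge" in front of the Scalix server.
# Not from the thread; eth0, 10.0.0.5 and the port numbers are assumptions.
# Internet client -> bridge:10993 -> DNAT -> scalix:993 (IMAPS).

# Run a command, or just print it when DRY_RUN=1 (review before applying).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# bridge_forward EXT_IF PUBLIC_PORT SCALIX_ADDR SCALIX_PORT
bridge_forward() {
    ext_if="$1"; pub_port="$2"; scalix="$3"; scalix_port="$4"

    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination of new connections arriving on the public port.
    run iptables -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$scalix:$scalix_port"

    # Forward nothing except that rewritten flow and its replies.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$ext_if" -p tcp -d "$scalix" --dport "$scalix_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Source-NAT so Scalix answers via the bridge even if its default route
    # points elsewhere; the cost is that Scalix logs see the bridge, not the client.
    run iptables -t nat -A POSTROUTING -p tcp -d "$scalix" --dport "$scalix_port" \
        -j MASQUERADE
}

# Typical use on the bridge (as root):
#   bridge_forward eth0 10993 10.0.0.5 993
```

Two caveats a practitioner will want stated. A bridge built this way sees only TCP; if the client speaks TLS end to end it cannot "sniff for malicious strings", so that part of the idea requires terminating TLS on the bridge (stunnel, as in the earlier post) and putting an IMAP-aware proxy behind it. And the high port cuts down scanner noise but is not a control: it is still the old Scalix IMAP daemon that parses every command a connecting client sends.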

heupink
Posts: 146
Joined: Thu Jul 15, 2004 9:36 am
Location: netherlands

Postby heupink » Sun Sep 02, 2007 8:49 am

right!

I never thought of that last option! Of course. Scalix is a regular IMAP server, so I can use any web access I want next to the old 9.4 SWA.

This is a very good idea. :-) This way I can keep my old server, and still offer safe email remote access to the internet. :-)

Thanks very much.

Anything specific I have to keep in mind, when installing squirrelmail with scalix?

Regards!

Mourik jan

jaime.pinto
Scalix Star
Posts: 709
Joined: Fri Feb 23, 2007 6:50 pm
Location: Toronto - Canada

Postby jaime.pinto » Sun Sep 02, 2007 9:11 am

Not if you're going to install it on another server. There is a config.php file that you edit to tell it what your Scalix server IP is. You could also use another very good webmail client: Horde.

But if you install on the same server as Scalix (as we did), you have to craft the document root and redirections carefully. For example, we have the default URL to SWA, /m for mobile, /s for SquirrelMail and /h for Horde.

PS: Horde has the potential to be fully integrated with Scalix Calendar and Contacts if someone wants to take on that challenge. It would be just as nice as Funambol.
Jaime
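An added example (not code from Jaime's post, nor from SquirrelMail or Scalix) of the config.php settings meant above, for a SquirrelMail 1.4 install on a separate webmail host. The variable names are SquirrelMail's own; the Scalix address 10.0.0.5 and the assumption that Scalix's SMTP relay accepts AUTH LOGIN are mine. Because the webmail host carries every user's password to Scalix on each request, the example defaults to IMAPS/SMTPS and only uses 143/25 when asked.

```shell
#!/bin/sh
# Added example: SquirrelMail on a separate webmail host talking to Scalix
# as a plain IMAP/SMTP server. Not from the thread or from SquirrelMail's
# or Scalix's own documentation. The variable names are SquirrelMail 1.4
# config/config.php settings; 10.0.0.5 (Scalix) is an assumed address.

# Print the SquirrelMail settings for a Scalix back end at $1.
# $2 selects 'tls' (IMAPS/SMTPS on 993/465, the default) or 'plain'
# (143/25, only defensible if both hosts share a trusted segment).
gen_squirrelmail_config() {
    scalix="$1"
    mode="${2:-tls}"
    if [ "$mode" = tls ]; then
        imap_port=993; smtp_port=465; use_tls=true
    else
        imap_port=143; smtp_port=25; use_tls=false
    fi
    cat <<EOF
<?php
// Scalix is an ordinary IMAP server from SquirrelMail's point of view,
// so the generic server type is used; nothing Scalix-specific is needed.
\$imapServerAddress = '$scalix';
\$imapPort = $imap_port;
\$imap_server_type = 'other';
\$use_imap_tls = $use_tls;
\$optional_delimiter = 'detect';
\$smtpServerAddress = '$scalix';
\$smtpPort = $smtp_port;
\$use_smtp_tls = $use_tls;
// authenticate to Scalix for relaying rather than relying on an open relay
// (assumes the Scalix SMTP relay accepts AUTH LOGIN)
\$smtp_auth_mech = 'login';
EOF
}

# From the webmail host: make sure the Scalix IMAP greeting actually comes
# back before debugging PHP. TLS mode uses openssl; plain mode uses nc.
check_scalix_imap() {
    scalix="$1"
    mode="${2:-tls}"
    if [ "$mode" = tls ]; then
        printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | openssl s_client -connect "$scalix:993" -quiet
    else
        printf 'a1 CAPABILITY\r\na2 LOGOUT\r\n' | nc -w 3 "$scalix" 143
    fi
}

# Typical use on the webmail host:
#   gen_squirrelmail_config 10.0.0.5 tls   # then merge the output into config/config.php
#   check_scalix_imap 10.0.0.5 tls
```

Two things to keep in mind with this layout: the Scalix host should accept 143/993 only from the webmail host's address (everything else rejected at the firewall), since the webmail host is now the only thing that needs them; and SquirrelMail itself is now the internet-facing code, so its patching and its own TLS (HTTPS on the webmail host) become the part you watch instead of Scalix's IMAP daemon.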

