[Dovecot] Ideas for Webmail/OTP

Phillip T. George Phillip at StellarDreams.com
Mon Jul 23 20:00:34 EEST 2007


Charles Marcus wrote:
> On 7/23/2007, Frank Behrens (frank at pinky.sax.de) wrote:
>> I want to discuss some problems/enhancements for dovecot in a 
>> webmail/otp setup.
>>
>> For access to an IMAP server like dovecot I see different client types:
>> a) a "normal" MUA installed in a more or less trusted environment
>> b) remote access via "webmail" from untrusted environments
>
> What about:
> c) a "normal" MUA accessing via the internet from  untrusted environments
>
> This is the recommended way all of our users access their email - 
> webmail is just for the occasional access from a friends or other 
> computer that they don't use regularly.
>
>> For a) I see with dovecot and other IMAP servers no problems, tricky 
>> is the setup for b).
>
> Webmail is very easy to do...
>
>> If you use a webmail client in an untrusted environment the risk is
>> high, that keyloggers and  other malware steal your password.
>
> Eh? Thats what SSL/TLS is for... I agree that providing access - 
> either via webmail or any other MUA - on an unsecured connection from 
> an untrusted source is very hazardous - but setting up SSL is fairly 
> simple too, and I even force SSL/TLS on all of my connections even 
> inside our trusted network (no reason not to - the extra overhead is 
> very small).
>
SSL/TLS is not going to solve the keylogger and malware problem.  
Basically, if you're on a public (or even a friend's) computer and 
someone decides to monitor keystrokes using some application, your 
password will be completely compromised.
> Sorry, but I don't understand the problem you are trying to solve...
>


More information about the dovecot mailing list