[Dovecot] Encryption solution for messages at rest

Alan Brown ajb2 at mssl.ucl.ac.uk
Tue Oct 29 18:03:47 EET 2013


> Date: Tue, 29 Oct 2013 08:54:04 +0100
> From: Robert Schetterer <rs at sys4.de>
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] Encryption solution for messages at rest
> Message-ID: <526F699C.9080402 at sys4.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
>
> you shouldn't host mail/imap services on the same servers with massive
> http hosting,


You shouldn't host anything else on a webserver FULLSTOP.

Webservers are best treated as "disposable" and should be heavily 
sandboxed. Any resources they can use should be vetted and ideally set 
as "read only".

Inbound external access should be firewalled down to the webserver ports 
and OUTBOUND traffic should be firewalled too (if it has no business 
initiating external connections then block all SYNs), in order to stop 
it becoming a DDoS zombie.

It's foolish (at best) to have mail servers running on a webserver, 
because if it's compromised it can immediately be used as a spam engine 
without much further effort.

At least if it has to hand mail off to another mailserver you have a 
chance to run outbound filtering on the emitted mail without worrying 
about that being compromised too.
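
The inbound and outbound policy described in this message, written as an nftables ruleset. This is an added example, not part of the original post: the web ports (80 and 443), the table name and the log prefix are assumptions, and it assumes a host with static addressing that needs no outbound TCP connections of its own and is administered out of band.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post): host firewall for a
# dedicated, "disposable" web server.
# Assumptions: web ports are 80/443, no SSH rule (out-of-band admin),
# and the host never needs to open outbound TCP connections itself.

flush ruleset

table inet webserver {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # ICMP/ICMPv6 is kept so path MTU discovery and IPv6
        # neighbour discovery continue to work.
        meta l4proto { icmp, ipv6-icmp } accept

        # Inbound access is limited to the web server ports.
        tcp dport { 80, 443 } ct state new accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        oif "lo" accept

        # Replies on connections that clients opened (including the
        # SYN-ACK of the handshake) are part of an established flow.
        ct state established,related accept

        # Anything left with only SYN set is the server trying to open
        # a connection of its own. Log a rate-limited sample, since an
        # attempt is itself a sign of compromise, then drop them all.
        tcp flags & (fin | syn | rst | ack) == syn limit rate 10/minute log prefix "web-out-syn: "
        tcp flags & (fin | syn | rst | ack) == syn counter drop
    }
}
```

The syntax can be checked without applying it using `nft -c -f <file>`. A host that must hand mail off to a separate mail server would need one explicit accept rule for that destination placed above the drop.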






