[Dovecot] Encryption solution for messages at rest

[Douglas Mortensen]

So I suppose you're not a fan of the email hosting systems on the planet that bundle many services onto 1 box. Thanks for the feedback.

-
Doug Mortensen
Network Consultant
Impala Networks
P: 505.327.7300

-----Original Message-----
From: dovecot-bounces at dovecot.org [mailto:dovecot-bounces at dovecot.org] On Behalf Of Alan Brown
Sent: Tuesday, October 29, 2013 10:05 AM
To: dovecot
Subject: [Dovecot] Encryption solution for messages at rest


> Date: Tue, 29 Oct 2013 08:54:04 +0100
> From: Robert Schetterer <rs at sys4.de>
> To: dovecot at dovecot.org
> Subject: Re: [Dovecot] Encryption solution for messages at rest
> Message-ID: <526F699C.9080402 at sys4.de>
> Content-Type: text/plain; charset=ISO-8859-1
>
>
> you shouldnt host mail/imap services on the same servers with massive 
> http hosting,


You shouldn't host anything else on a webserver FULLSTOP.

Webservers are best treated as "disposable" and should be heavily sandboxed. Any resources they can use should be vetted and ideally set as "read only"

Inbound external access should be firewalled down to the webserver ports and OUTBOUND traffic should be firewalled too (If it has no business initiating external connections then block all SYNs), in order to stop it becoming a DDoS zombie.

It's foolish (at best) to have mail servers running on a webserver, because if it's compromised it can immediately be used as a spam engine without much further effort.

At least if it has to hand mail off to another mailserver you have a chance to run outbound filtering on the emitted mail without worrying about that being compromised too.