Firewall Question: Gave bad advice, ask others on list again...
tom
tmarinis99
Mon May 17 11:43:06 PDT 2004
Greets list, Jim;
As I stated before, I was inexperienced with IMAP
before I replied to you, and therefore failed to answer your
question properly. I've read a little more since, because I felt something
was wrong about my reply... :(
First off, you must disable the IDENTD daemon or service on the
firewall, since this service will quite easily provide a cracker with
some simple information about your firewall. I apologize
for communicating this piece of bad info to you.
What I meant to say was that the identd daemon on the client's computer,
which you have stated you removed, should be installed and
running.
Second, IMAP does require an "active" TCP connection to the client
when the server is accessed, because the client is able to
selectively choose the message headers he/she wants from the
central file server, and then download what they like.
A high-numbered TCP port connection is required for the IMAPS
mail server to work, since IMAP permits the client to "work
on the server", which explains your logs and your observation of
the IMAP server attempting re-connection after packets from it
are dropped.
This is explained in the IMAP RFC, RFC 2060:
The Internet Message Access Protocol, Version 4rev1 (IMAP4rev1) allows a client to access and manipulate electronic mail messages on a server. IMAP4rev1 permits manipulation of remote message folders, called "mailboxes", in a way that is functionally equivalent to local mailboxes. IMAP4rev1 also provides the capability for an offline client to resynchronize with the server (see also [IMAP-DISC]).
--- snipped for length ---
Therefore, you could attempt to activate identd on a single client
for testing purposes, and test to see if this solves your problem.
If not, you may be left with having to "punch a hole" in the firewall,
and create a limited number of monitored ports to permit the server
to talk to the clients.
It would require you to filter packets on the firewall
protecting your clients, to confirm they are coming from the
IMAP server and permit them to pass, rejecting all others.
Jim Bonnet <jimbo at sysdump.com> wrote:
>Tom- Thanks for the reply. I have specifically disabled identd on my
>imap server because many of our users are behind firewalls that don't
>pass identd.
>
>I have also enabled for the heck of it identd on my firewall.. This
>didn't change anything.
>
>It is not a consistent port; like other services, it is picking a
>random, really high port.
>
>I'll read thru that info you sent.
>
>I'm not waiting for the ident timeout anymore after turning it off on the
>server. What I do see is that when IMAPS tries to do whatever he's
>doing, making a connection back to me on a blocked port, is that the next
>time I check an IMAP mailbox it needs to re-authenticate.
>
>Thanks a lot-
>Jim
>
>
>
>tom wrote:
>> Greets list, Jim;
>>
>> Jim Bonnet <jimbo at sysdump.com> wrote:
>>
>>
>>>Could someone enlighten me on the finer aspects of firewalling.
>>
>>
>> I'll try. Although I'm a comparative newbie, I think I can expand
>> on your question a little, from what little I know. I hope not
>> to make any mistakes, but I'm sure we'll hear about it here :)
---tm---
Linux Registration Number; 184093,
http://counter.li.org
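The ident (RFC 1413) exchange that the thread keeps coming back to, as an added worked example that is not part of the original post and not the code of any identd implementation. It shows what a querying host (such as Jim's IMAP server) learns when identd answers: the reply names the local user who owns the TCP connection, which is the "simple information" a cracker gets for free. It also shows the RFC 1413 HIDDEN-USER reply, the middle ground between running a chatty identd and removing it. Everything here is constructed for the demo: the connection table and usernames are made up (a real identd reads the kernel's TCP table), and the server listens on an ephemeral loopback port instead of TCP 113, which needs root.

```python
"""Minimal RFC 1413 (ident) exchange: what a remote host learns when identd answers.

Added example, not from the mailing-list thread. The connection table, usernames
and ports below are constructed; a real identd consults the kernel TCP table.
"""
import socket
import threading

# Constructed: (local_port_on_this_host, remote_port) -> owning local username.
# RFC 1413 phrases the query as "<port-on-server> , <port-on-client>", where
# "server" is the host running identd (here: the mail client's machine).
CONNECTION_TABLE = {
    (51234, 993): "jim",    # our IMAPS session to the mail server, owned by jim
    (40001, 22): "root",    # an outbound SSH session owned by root
}


def parse_request(line):
    """Parse '<server-port> , <client-port>' per RFC 1413.

    Returns (server_port, client_port) or None if the line is malformed or a
    port is out of range (RFC 1413 calls that INVALID-PORT).
    """
    try:
        a, b = line.strip().split(",")
        server_port, client_port = int(a), int(b)
    except ValueError:
        return None
    if not (0 < server_port < 65536 and 0 < client_port < 65536):
        return None
    return server_port, client_port


def build_response(line, hide_users=False):
    """Build the identd reply line (CRLF-terminated) for one request.

    hide_users=False reproduces the classic leaky behaviour: USERID plus the
    real username. hide_users=True answers ERROR : HIDDEN-USER for known
    connections, which confirms nothing about who owns them.
    """
    ports = parse_request(line)
    if ports is None:
        return f"{line.strip()} : ERROR : INVALID-PORT\r\n"
    server_port, client_port = ports
    pair = f"{server_port} , {client_port}"
    user = CONNECTION_TABLE.get((server_port, client_port))
    if user is None:
        return f"{pair} : ERROR : NO-USER\r\n"
    if hide_users:
        return f"{pair} : ERROR : HIDDEN-USER\r\n"
    return f"{pair} : USERID : UNIX : {user}\r\n"


def query_ident(host, port, server_port, client_port, timeout=2.0):
    """Act as the querying side (e.g. the IMAP server): ask who owns a connection."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"{server_port} , {client_port}\r\n".encode("ascii"))
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = s.recv(512)
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


def serve_one(hide_users):
    """Start a one-shot identd on an ephemeral loopback port (113 needs root)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn, srv:
            # RFC 1413 requests are a single CRLF-terminated line; cap its length.
            line = conn.makefile("rb").readline(1000).decode("ascii", "replace")
            conn.sendall(build_response(line, hide_users).encode("ascii"))

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return port, t


def demo(hide_users):
    """Run one full exchange over loopback and return the reply the querier saw."""
    port, t = serve_one(hide_users)
    reply = query_ident("127.0.0.1", port, 51234, 993)
    t.join(2)
    return reply


if __name__ == "__main__":
    print("leaky identd   :", demo(hide_users=False))
    print("hidden-user    :", demo(hide_users=True))
```

The leaky run answers `51234 , 993 : USERID : UNIX : jim`, so anyone who can reach the ident port and guess or observe a port pair gets a valid local username to try elsewhere; the hidden-user run answers `51234 , 993 : ERROR : HIDDEN-USER` and gives away nothing beyond the fact that identd is listening.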
More information about the Linux-users mailing list