IMAP connection to localhost only
zoney70
11-10-2005, 01:58 PM
How do I configure apf so that IMAP will connect only to 127.0.0.1? (Stealthing the port for all others)
Rationale:
I see daily IMAP connections logged in /var/log/maillog, that are obviously attempts at an IMAP exploit. (Known buffer overflow exploits) I don't know if the IMAP on pVPS is vulnerable, but if nothing else these attempts add needless traffic.
I connect to IMAP thru an SSH tunnel, so have no need for IMAP to make a remote connection. (Tunnelier) I therefore prefer to shut down IMAP for all except localhost.
veena
11-10-2005, 07:09 PM
Hi,
Try removing IMAP port 143 from IG_TCP_CPORTS in conf.apf and whitelist localhost (127.0.0.1) in /etc/apf/allow_hosts.rules, something like
tcp:in:d=143:s=127.0.0.1
or give your server IP there and try.
Please open a support ticket if you would like us to try it for you.
zoney70
11-10-2005, 07:39 PM
Hi Veena. Works exactly as I wanted. Attempts to connect to IMAP port with Mozilla Thunderbird now result in timeout. I can still access IMAP thru the SSH tunnel. Perfect.
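Added example, not part of the thread and not APF's own code: a Python check that the two files named above express the intended policy, with port 143 absent from IG_TCP_CPORTS and the only allow rule for it sourced from 127.0.0.1. The sample file contents are constructed, the function names are hypothetical, and the `a_b` port-range notation is an assumption about APF's syntax; the check reads configuration text only and does not inspect the loaded firewall rules.

```python
import re

# Constructed sample inputs (not taken from the poster's server).
CONF_BEFORE = 'IG_TCP_CPORTS="21,22,25,80,110,143,443"\n'
CONF_AFTER = 'IG_TCP_CPORTS="21,22,25,80,110,443"\n'
ALLOW_RULES = "# constructed sample\ntcp:in:d=143:s=127.0.0.1\n"

def port_in_spec(port, spec):
    """True if port is covered by a comma list; a_b is assumed to mean a..b."""
    for item in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = item.partition("_")
        if lo.isdigit() and (hi or lo).isdigit() and int(lo) <= port <= int(hi or lo):
            return True
    return False

def globally_open(conf_text, port):
    """Is port listed in the last uncommented IG_TCP_CPORTS assignment?"""
    spec = ""
    for line in conf_text.splitlines():
        m = re.match(r'\s*IG_TCP_CPORTS\s*=\s*"?([^"#]*)"?', line)
        if m:
            spec = m.group(1)
    return port_in_spec(port, spec)

def allowed_sources(rules_text, port):
    """Source addresses that tcp:in:d=PORT:s=ADDR rules admit to port."""
    sources = []
    for line in rules_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.fullmatch(r"tcp:in:d=([\d_]+):s=(\S+)", line)
        if m and port_in_spec(port, m.group(1)):
            sources.append(m.group(2))
    return sources

def audit(conf_text, rules_text, port=143):
    """Return a list of findings; an empty list means loopback-only as intended."""
    findings = []
    if globally_open(conf_text, port):
        findings.append(f"port {port} is still in IG_TCP_CPORTS")
    srcs = allowed_sources(rules_text, port)
    if "127.0.0.1" not in srcs:
        findings.append(f"no allow rule for 127.0.0.1 on port {port}")
    findings += [f"port {port} also allowed from {s}" for s in srcs if s != "127.0.0.1"]
    return findings

if __name__ == "__main__":
    print(audit(CONF_BEFORE, ALLOW_RULES) or "ok")
```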
chief
11-10-2005, 09:30 PM
Sorry for the random question, but is IMAP through SSH more secure than IMAP through SSL? I'm not overtly concerned about security, but I'm curious.
Thanks.
zoney70
11-11-2005, 05:18 PM
Chief, you are asking the wrong guy about that. From my perspective, they look equally secure. Meaning, with either one it would be more expensive to break than anybody could possibly gain from my sites.
I use an SSH client to manage my site because it supports sftp. Plus, the SSH client I use, Bitvise Tunnelier, supports ftp to sftp bridging, so I can use whatever ftp client I like securely. (I happen to like ftp explorer because of the ability to store unlimited connection profiles. The ftp to sftp bridging also makes it easy to use FrontPage securely) Secure IMAP and SMTP are simply extra benefits because of the port forwarding capability.
I got started with using SSH so that I could securely connect to any hotel broadband connection, whether Wifi or wired LAN based, and do all of my online site management with complete privacy.