IMAPsync/FAQ.d/FAQ.Security.txt

#!/bin/cat
# $Id: FAQ.Security.txt,v 1.26 2021/07/11 12:11:38 gilles Exp gilles $

This document is also available online at
https://imapsync.lamiral.info/FAQ.d/
https://imapsync.lamiral.info/FAQ.d/FAQ.Security.txt

=======================================================================
      Imapsync tips about security. Issues and solutions.
=======================================================================

Questions answered in this FAQ are:

Q. Is running this program a secure method of transferring emails?  
   Are there any security concerns?

Q. Does imapsync refer to SSL security protocols with --ssl1 and --ssl2 
   and does it refer to TLS security protocols with the --tls1 and --tls2
   options? 
   Short answer: No.

Q. I noticed that the online UI has no option for TLS/SSL. 
   Is this secure? 
   Is this more secure than using the .bat file on my computer?

Q. Are transferred emails/attachments stored on any other 
   server/location aside from my originating/destination server(s)?

Q. Other than changing passwords on the originating/destination email
   accounts once the relevant emails have been moved,
   are there any other security tips I should know?

Q. I need to transfer mail from an imap server to another imap server.
   Which ports need to be open on the firewall to make this possible?

Q. Does imapsync support the IMAP command STARTTLS?

Q. Does imapsync support IMAP over SSL/TLS (IMAPS)?

Q. How can I test an ssl/tls imap connection without imapsync?

Q. How can I manually test login using --ssl?

Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
   How can I change this back to the more secure SSL_VERIFY_PEER?

Q: How can I have an imaps server?

Now the questions again with their answers.

=======================================================================
Q. Is running this program a secure method of transferring emails?  
   Are there any security concerns?

R. Well, it depends. Use encryption and secure access to the host running
   imapsync then everything shall be safe.

=======================================================================
Q. Does imapsync refer to SSL security protocols with --ssl1 and --ssl2 
   and does it refer to TLS security protocols with the --tls1 and --tls2
   options? 
   Short answer: No.

R. No.

Imapsync behaviour:

--ssl: Goes to encryption before the imap session start. 
     The connection is on port 993. 
     Can use the TLS or SSL security protocols.
     Fails if encryption cannot be established.

--tls: Goes to encryption after the imap session start but before the
     credential are sent. 
     The connection is on port 143.  
     Can use the TLS or SSL securityprotocols.  
     Fails if encryption cannot be established.

Explanation:

To force transferring emails over an encrypted connection, you can use
the imapsync parameters --ssl1 and --ssl2 or the parameters --tls1 and
--tls2, they all force the connection to be encrypted by the security
protocols series SSL/TLS.

In a security context, SSL refers to all deprecated Secure Sockets
Layer protocols. TLS refers to the SSL successors, Transport Layer
Security protocols. But TLS 1.0 and TLS 1.1 are also deprecated.

Current endorsed versions of TLS are only TLS 1.2 and TLS 1.3 (July 2021).

The whole story is detailed here:
https://en.wikipedia.org/wiki/Transport_Layer_Security

Options --ssl1 and --ssl2 are a little more paranoid than --tls1 and
--tls2 because they verify that the hostname of the certificate is the
same as the one used by imapsync. Other than that, the security
behavior is the same.

=======================================================================
Q. I noticed that the online UI has no option for TLS/SSL. 
   Is this secure? 
   Is this more secure than using the .bat file on my computer?

R1. The online UI does TLS/SSL imap connections if the imap servers
support TLS/SSL. 

If you are concerned about security then using the .bat file or .sh on
your computer should be more secure since you can examine and secure
it by yourself, no matter high is your paranoid spirit compared to
mine.

The online UI security is mine, I am concerned by security, not to the
utmost high level possible but I won't give you direct access to the
host to discover my level.  With a good guy spirit, feel free to try
to break the online UI security and report me any security issue you
encounter, I'll do my best to fix them as soon as possible. Drop me a
note before starting because I may detect a sort of abuse and ban your
IPs.

=======================================================================
Q. Are transferred emails/attachments stored on any other 
   server/location aside from my originating/destination server(s)?

R. No!

=======================================================================
Q. Other than changing passwords on the originating/destination email
   accounts once the relevant emails have been moved,
   are there any other security tips I should know?

R. Yes. Secure the host where imapsync is running since credentials
   are on it.

=======================================================================
Q. I need to transfer mail from an imap server to another imap server.
   Which ports need to be open on the firewall to make this possible?

R. It depends. Open either:
    * port 143 in basic (no special option) or tls mode (--tls1 or --tls2)
    * port 993 in ssl mode (--ssl1 or --ssl2)

=======================================================================
Q. Does imapsync support the IMAP command STARTTLS?

R1. Yes. 

   Use --tls1 and --tls2 options:

  --tls1 tells imapsync to use STARTTLS on host1.
  --tls2 tells imapsync to use STARTTLS on host2.

R2. Since imapsync release 1.755 STARTTLS mode is activated
    automatically when the server announces that it supports it by
    listing STARTTLS inside the response to the CAPABILITY command.
    If either --notls or --ssl are explicitly mentioned on the
    command-line options then STARTTLS won't be done.

=======================================================================
Q. Does imapsync support IMAP over SSL/TLS (IMAPS)?

R. Yes natively since release 1.161. 
   Still, there are 2 ways, at least, to use ssl:

a) Use native --ssl1 and/or --ssl2 options

  --ssl1 tells imapsync to use ssl/tls on host1.
  --ssl2 tells imapsync to use ssl/tls on host2.


b) Use stunnel
   http://www.stunnel.org/
   Use stunnel3 command since stunnel now usually calls
   stunnel4 or stunnel5 and the command line options syntax 
   has changed (option "-c" not recognized for example).
   
   Assuming there is an imaps (993) server on imap.foo.org,
   on your localhost machine (or bar machine), run:

     stunnel3 -c -d imap -r imap.foo.org:imaps -f 

   or using numbers instead of names:

     stunnel3 -c -d 143 -r imap.foo.org:993  -f

   then use imapsync on localhost (or bar machine) imap (143) port.
   If the local port 143 is already taken then use a free one, 
   like 10143 for example.

c) Another example for accessing Gmail with no local root access 
   to open port 143:

   stunnel3 -P '' -c -d 9993 -r imap.gmail.com:993 -f 

Then, to access Gmail as host2 use:

  imapsync ... --host2 localhost --port2 9993 --nossl2 


=======================================================================
Q.How can I test an ssl/tls imap connection without imapsync?

R1. Use either ncat or telnet-ssl or openssl commands like in the 
    following examples with imap.gmail.com server:

  ncat --ssl -C imap.gmail.com 993

  telnet-ssl -z ssl  imap.gmail.com 993

  openssl s_client -crlf -connect imap.gmail.com:993

The previous commands are interactive, hit ctrl-c
to finish them. If you want to finish automatically, then use: 

  { sleep 2; echo "A LOGOUT"; sleep 1; } | ncat --ssl -C  imap.gmail.com 993


=======================================================================
Q. How can I manually test login using --ssl?

R. Use either ncat or telnet-ssl or openssl commands like in the 
    following examples with imap.gmail.com server:

  ncat --ssl -C imap.gmail.com 993

  telnet-ssl -z ssl  imap.gmail.com 993

  openssl s_client -crlf  -connect imap.gmail.com:993

Typical dialog for an imap LOGIN command:
  
* OK Gimap ready for requests from 78.196.254.58 q1mb175739668wix
A1 LOGIN "gilles.lamiral@gmail.com" "secret" 
* CAPABILITY IMAP4rev1 UNSELECT IDLE NAMESPACE ... ESEARCH
A1 OK gilles.lamiral@gmail.com Gilles Lamiral authenticated (Success)
A2 LOGOUT
* BYE LOGOUT Requested
A2 OK 73 good day (Success)

The client part you have to type is 
A1 LOGIN ... 
A2 LOGOUT
while replacing ... by your credentials values,
other lines are the server responses.

=======================================================================
Q. How can I test a STARTTLS imap connection without imapsync?

R1. Use openssl command like the following example with 
    an outlook.office365.com server:

  openssl s_client -crlf -starttls imap -connect outlook.office365.com:143

The previous commands are interactive, hit ctrl-c
to finish them. If you want to finish automatically, then use: 

  { sleep 2; echo "a logout"; sleep 1; } | openssl s_client -crlf -starttls imap -connect outlook.office365.com:143

Replace outlook.office365.com with your imap server name.

======================================================================
Q. Imapsync used to use SSL_VERIFY_PEER now it uses SSL_VERIFY_NONE.
   How can I change this back to the more secure SSL_VERIFY_PEER?


R. After imapsync 1.673, 
    to set SSL_verify_mode to SSL_VERIFY_PEER on host1
    and    SSL_verify_mode to SSL_VERIFY_NONE on host2

  imapsync ...  --ssl1 --ssl2  \
                --sslargs1 SSL_verify_mode=1 \
                --sslargs2 SSL_verify_mode=0 

See "perldoc IO::Socket::SSL" for all possibilities, also at
http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL

It might be possible you need an extra option

  --sslargs1 SSL_ca_file=/etc/ssl/certs/ca-certificates.crt 

to help the ssl software verifying the server certificate.
The file ca-certificates.crt may be elsewhere on your system, even 
named differently.

The imap server certificates are not checked for authenticity 
by imapsync by default because too many imap servers are crappy 
configured regarding certified certificates.

This default behavior is chosen like this because users
want their emails transferred, instead of being not transferred 
because of an incompetent imap server sysadmin.

I admit that this part, checking imap ssl/tls certificates, 
could be improved from my side by including well known 
certificates directly in imapsync.
Drop me a note to encourage me, I'm lazy.

=======================================================================
Q: How can I have an imaps server?

R. Three solutions.

a) Install one 

b) or use stunnel :
   Assuming there is an imap (143) server on localhost
        stunnel  -d 993 -r 143 -f

c) or use stunnel on inetd
   imaps stream  tcp nowait cyrus /usr/sbin/stunnel -s cyrus -p /etc/ssl/certs/imapd.pem -r localhost:imap2

=======================================================================
=======================================================================