[KLUG Members] webmail, firewall

Adam Williams members@kalamazoolinux.org
Wed, 13 Mar 2002 09:51:20 -0500 (EST)


>I have a private lan behind a firewall. I have a sendmail server sitting
>outside. I run NIS on my private server. I have ssh on all the machines
>and the perimeter firewall around them all blocks everything except ssh to
>the SMTP and inner firewall, and of course SMTP to the sendmail server.
>There are other subnets inside the perimeter firewall and my firewall/SMTP
>server that I don't trust nor control.
>I don't allow logins to the SMTP server and I have an IMAP server on my
>private server.
>1) Should I be worried about users checking their mail using IMAP, aren't
>the passwords sent in the clear? 

Yes, they are sent in the clear.  The current batch of IMAP servers (both 
uw and cyrus) support SSL.

>I can't tell if they keep separate
>passwords for their email and network accounts.
>Also, higher ups don't like sshing through the firewall and then to the
>server before logging into the IMAP to check their mail while traveling.

Weenies! :)

>They would like webmail.

IMP (http://www.horde.org)
 
>2) What is a good way to deal with this? 

Drop SSH as a remote access tool, set up a VPN server.  Then they can be 
"on the network" from remote.  All internal services are magically (albeit 
slowly) available thanks to proxy-arp.

>put a www and webmail app on the
>SMTP machine? Can I put a 128SSL certificate on the webmail site and feel
>safe? 

You could; that would be satisfactory.

>Would the password be encrypted all the way?
 
Yes, if the session is encrypted via SSL.
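
An added example, not part of the original message: a small audit routine that reads the client side of an IMAP session and reports which logins were readable on the wire, covering the cleartext-password question above. The session lines, account names and function names are constructed for illustration; only the user name and mechanism are reported, never the password.

```python
import base64
import re

# Constructed client-to-server IMAP lines, not taken from a real capture.
SESSION_LOGIN = ["a001 CAPABILITY", 'a002 LOGIN alice "hunter2"', "a003 SELECT INBOX"]
SESSION_SASL = ["a001 AUTHENTICATE PLAIN", base64.b64encode(b"\0bob\0s3cret").decode()]
SESSION_TLS = ["a001 CAPABILITY", "a002 STARTTLS"]  # later bytes are TLS records

LOGIN_RE = re.compile(r'^\S+ LOGIN ("?)([^" ]+)\1 ', re.I)
AUTH_RE = re.compile(r'^\S+ AUTHENTICATE PLAIN(?: (\S+))?$', re.I)
STARTTLS_RE = re.compile(r'^\S+ STARTTLS$', re.I)


def sasl_user(b64):
    """SASL PLAIN is authzid NUL authcid NUL password; base64 is encoding, not encryption."""
    parts = base64.b64decode(b64).split(b"\0")
    return parts[1].decode() if len(parts) == 3 else "?"


def exposed_logins(client_lines):
    """Return (user, mechanism) for every credential sent before any STARTTLS."""
    findings = []
    expect_sasl = False  # True when the next line is the base64 SASL response
    for line in client_lines:
        if STARTTLS_RE.match(line):
            break  # everything after this point is encrypted
        if expect_sasl:
            expect_sasl = False
            findings.append((sasl_user(line), "AUTHENTICATE PLAIN"))
            continue
        m = LOGIN_RE.match(line)
        if m:
            findings.append((m.group(2), "LOGIN"))
            continue
        m = AUTH_RE.match(line)
        if m and m.group(1):       # initial response on the same line
            findings.append((sasl_user(m.group(1)), "AUTHENTICATE PLAIN"))
        elif m:                    # response follows on the next line
            expect_sasl = True
    return findings


if __name__ == "__main__":
    for name, s in [("login", SESSION_LOGIN), ("sasl", SESSION_SASL), ("tls", SESSION_TLS)]:
        print(name, exposed_logins(s))
```

A session on an SSL-wrapped IMAP port gives this routine no readable lines at all, which is the outcome the reply recommends.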