Tag Archives: secure

Secure DreamHost Mail Settings

Even though the settings aren’t listed on http://wiki.dreamhost.com/POP3_Accounts, DreamHost supports secure POP3, IMAP, SMTP, and webmail access.

  • Server: mail.dreamhost.com – use this, because the mailserver’s certificate is issued for this name; if you connect to mail.<yourdomain.com> instead, your client will complain about a hostname mismatch. This works even though DreamHost says to use mail.<yourdomain.com>
  • POP3 using SSL/TLS: Port 995
  • IMAP using SSL/TLS: Port 993
  • SMTP using STARTTLS: Port 587 (the submission port; 25 also works, but many ISPs block outbound port 25)
  • Webmail: https://webmail.dreamhost.com – Make sure you enter “https:”, because DreamHost does not automatically upgrade a http connection to https.
  • Username: <username>@<yourdomain.com>

If you want to use STARTTLS for POP3 or IMAP, use the following ports:

  • POP3: Port 110
  • IMAP: Port 143

I recommend using SSL/TLS on the dedicated ports (993/995) when possible. A STARTTLS session begins in plaintext and is only upgraded after the server advertises the STARTTLS capability, which adds one (admittedly minor) point of attack: an active attacker on the path can strip that capability from the plaintext banner, and a client that is not configured to require TLS will quietly log in unencrypted. You have to perform a TLS handshake either way, so there is no reason to also expose yourself to the risk of a failed or stripped STARTTLS upgrade.
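The following script is an added example (not code from the original post and not DreamHost’s) that checks the settings above from the client side: it opens each endpoint with a strict TLS context, so a certificate that is not issued for mail.dreamhost.com fails the connection, and for the STARTTLS ports it refuses to continue unless the server actually advertised STARTTLS, which is exactly the downgrade the paragraph above warns about. It assumes only the host name and port table from the post; the network checks run when the file is executed directly, while the pure helpers can be exercised offline.

```python
"""Client-side checks for the DreamHost mail settings (added example).

Assumes the host and port table stated in the post. The network checks run
only when the file is executed directly.
"""
import imaplib
import poplib
import smtplib
import ssl

HOST = "mail.dreamhost.com"

# Port table from the post. "tls" = TLS from the first byte (implicit TLS),
# "starttls" = plaintext connection upgraded in-band.
MAIL_ENDPOINTS = {
    "imap": {"tls": 993, "starttls": 143},
    "pop3": {"tls": 995, "starttls": 110},
    "smtp": {"starttls": 587},
}


def make_context():
    """Strict client context: the chain is validated against the system trust
    store and the certificate's names are checked against HOST, so pointing
    this at mail.<yourdomain.com> fails instead of silently proceeding."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def starttls_advertised(capabilities):
    """True only if STARTTLS is among the advertised capabilities.
    The capability list arrives in plaintext, so an active attacker can strip
    it; a client that logs in anyway has been downgraded. We refuse instead."""
    for cap in capabilities:
        if isinstance(cap, bytes):
            cap = cap.decode("ascii", "replace")
        if cap.strip().upper().split()[:1] == ["STARTTLS"]:
            return True
    return False


def check_implicit_tls(proto, ctx=None):
    """Open an implicit-TLS session (993/995); return the negotiated TLS version."""
    ctx = ctx or make_context()
    port = MAIL_ENDPOINTS[proto]["tls"]
    if proto == "imap":
        conn = imaplib.IMAP4_SSL(HOST, port, ssl_context=ctx)
        version = conn.sock.version()
        conn.logout()
    elif proto == "pop3":
        conn = poplib.POP3_SSL(HOST, port, context=ctx)
        version = conn.sock.version()
        conn.quit()
    else:
        raise ValueError("no implicit-TLS port known for %r" % proto)
    return version


def check_smtp_starttls(ctx=None):
    """Connect to the submission port in plaintext, require the STARTTLS
    extension, upgrade, and return the negotiated TLS version."""
    ctx = ctx or make_context()
    with smtplib.SMTP(HOST, MAIL_ENDPOINTS["smtp"]["starttls"], timeout=15) as s:
        code, reply = s.ehlo()
        # First reply line is the server greeting; the rest are extensions.
        features = reply.decode("ascii", "replace").splitlines()[1:]
        if code != 250 or not starttls_advertised(features):
            raise RuntimeError("STARTTLS not offered; refusing plaintext session")
        s.starttls(context=ctx)
        s.ehlo()
        return s.sock.version()


def check_imap_starttls(ctx=None):
    """Same check for IMAP on port 143."""
    ctx = ctx or make_context()
    conn = imaplib.IMAP4(HOST, MAIL_ENDPOINTS["imap"]["starttls"], timeout=15)
    try:
        if not starttls_advertised(conn.capabilities):
            raise RuntimeError("STARTTLS not offered; refusing plaintext session")
        conn.starttls(ssl_context=ctx)
        return conn.sock.version()
    finally:
        conn.logout()


if __name__ == "__main__":
    for proto in ("imap", "pop3"):
        print(proto, "implicit TLS:", check_implicit_tls(proto))
    print("imap STARTTLS:", check_imap_starttls())
    print("smtp STARTTLS:", check_smtp_starttls())
```

Running the file prints the TLS version negotiated on each port. A hostname mismatch or an untrusted chain raises ssl.SSLCertVerificationError rather than a warning, and a stripped STARTTLS capability raises RuntimeError before any credentials are sent.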

Restricting WordPress Admin Access

Following up on Securing Administration of Shared Hosting, you can restrict access to your administrative pages to a specific IP address or range of addresses.

This works best if you’re tunneling your traffic to your webserver through ssh, because otherwise the address you would have to allow keeps changing: hotspots give you a different address each time, and your ISP may change the one at home. With the tunnel, the webserver sees the tunnel endpoint’s address rather than yours, so one fixed range covers every request. The restriction itself is a simple update to the .htaccess file. Edit or create /wp-admin/.htaccess so it contains:
ErrorDocument 403 http://www.tidgubi.com/
Order Allow,Deny
Allow from 208.113.186.

The first line changes the 403 “Forbidden” response to a redirect to my homepage (giving ErrorDocument a full http:// URL makes Apache answer with a redirect instead of the error page). Otherwise the webserver seems to try to serve the error page from within /wp-admin/, which is itself denied, and ends up in a redirect loop.

The second line sets the evaluation order so that the default is deny: a request is granted only if it matches an Allow directive and matches no Deny directive (https://httpd.apache.org/docs/2.0/mod/mod_access.html#order). Order, Allow and Deny are the Apache 2.0/2.2 mod_access syntax; on Apache 2.4 the equivalent of the two lines is a single Require ip 208.113.186 directive.

The last line specifies the IP address or partial IP address to allow; a three-octet prefix like this matches the whole 208.113.186.0/24 range. I assume Dreamhost uses load balancing and/or virtual servers, so I didn’t want to restrict access to a single IP address, but figured the IP range would be restrictive enough.
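To make the Order Allow,Deny semantics concrete, here is an added example (not Apache’s code and not from the original post) that models the access decision for the address forms used above: a partial dotted address such as 208.113.186., a full address, a CIDR network, or all. It evaluates requests the way the 2.2 directives do, contrasts that with Order Deny,Allow, and renders the same rule in both the 2.2 syntax from the post and the Apache 2.4 Require ip form. The hypothetical client addresses it is checked against are constructed for the example; the matching is IPv4-only.

```python
"""Model of Apache's Order Allow,Deny decision for /wp-admin/.htaccess.

Added example. It reproduces the documented semantics (default deny; granted
only if some Allow matches and no Deny matches) for partial dotted addresses,
full addresses, CIDR networks and "all", and renders the rule in Apache 2.2
and Apache 2.4 syntax. IPv4 only; client addresses used in tests are made up.
"""
import ipaddress


def _matches(addr, pattern):
    """One Allow/Deny operand: 'all', a CIDR network, a full IPv4 address, or a
    partial address (first 1 to 3 octets, with or without the trailing dot)
    that Apache matches on octet boundaries."""
    if pattern == "all":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.rstrip(".").split(".")
    if len(octets) == 4:
        return ip == ipaddress.ip_address(pattern)
    return addr.split(".")[: len(octets)] == octets


def order_allow_deny(addr, allows, denies=()):
    """Order Allow,Deny: Allow directives are evaluated first, then Deny.
    Granted only if an Allow matched and no Deny matched; with no matching
    Allow at all the request is denied (the post's configuration)."""
    allowed = any(_matches(addr, a) for a in allows)
    denied = any(_matches(addr, d) for d in denies)
    return allowed and not denied


def order_deny_allow(addr, allows, denies=()):
    """Order Deny,Allow, for contrast: default allow, and a matching Allow
    overrides a matching Deny. Using this order by mistake with only Allow
    lines present would let everyone in."""
    allowed = any(_matches(addr, a) for a in allows)
    denied = any(_matches(addr, d) for d in denies)
    return allowed or not denied


def render_htaccess(allows, denies=(), apache24=False, error_redirect=None):
    """Render the rule. 2.2: Order/Allow/Deny as in the post. 2.4: Require ip
    (partial addresses are written without the trailing dot) inside a
    RequireAll so that 'Require not ip' entries act as Deny lines."""
    lines = []
    if error_redirect:
        lines.append("ErrorDocument 403 %s" % error_redirect)
    if apache24:
        lines.append("<RequireAll>")
        if "all" in allows:
            lines.append("  Require all granted")
        else:
            lines.append("  Require ip " + " ".join(a.rstrip(".") for a in allows))
        for d in denies:
            lines.append("  Require not ip " + d.rstrip("."))
        lines.append("</RequireAll>")
    else:
        lines.append("Order Allow,Deny")
        for a in allows:
            lines.append("Allow from %s" % a)
        for d in denies:
            lines.append("Deny from %s" % d)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rule = ["208.113.186."]
    # Constructed client addresses: one inside the allowed /24, one outside.
    for client in ("208.113.186.42", "208.113.187.42"):
        print(client, "->", "allowed" if order_allow_deny(client, rule) else "denied")
    print(render_htaccess(rule, error_redirect="http://www.tidgubi.com/"))
    print(render_htaccess(rule, apache24=True))
```

Running it shows 208.113.186.42 allowed and 208.113.187.42 denied under the post’s rule, then prints the 2.2 and 2.4 renderings of the same policy.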