Exposing IMAP server to Internet: DMZ or Port Forwarding?

Solution 1:

Port-forwarding the IMAP from the Internet to the LAN means adding a pretty selective forwarding rule. You don't have ugly things like dynamic port assignment happening on the server side (like you would with protocols like FTP or MSRPC). The exposure to the LAN is minimal, to my mind. You're relying on the IP stack on your IMAP server not to do anything stupid (since you're giving unsolicited inbound IP access to the server) and you're relying on the IMAP server software itself not to do anything stupid.

With the DMZ scenario you describe you're limiting direct IP connectivity for the IMAP server to the Internet, and you're limiting the extent to which the IMAP server doing something stupid can expose you to risk. You're trading the risk of direct IP connectivity to the IMAP server with direct IP connectivity to the IMAP proxy server, and you're relying on the IMAP proxy server software not to do anything stupid. There's still the possibility in this scenario that a vulnerability in the IMAP server could be exploited via the IMAP proxy, depending on how "stateful" the IMAP proxy is and how much "sanity checking" it does.

To my mind the DMZ approach is adding moving parts and complexity without adding much real security. I think you'd be better served port-forwarding to the LAN and using the effort you would've spent on the DMZ / IMAP proxy approach with making sure that you've got good logging for the IMAP server, password / lockout policies that resist brute force password cracking, and an alerting mechanism that lets you know if you're seeing unexpected traffic to the IMAP server ("never before seen" analysis).
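As an added illustration (not part of the answer above) of the logging and "never before seen" alerting the answer recommends, here is a small Python checker that runs over constructed Dovecot-style `imap-login` log lines, flags a successful login from a source IP not previously seen for that user, and flags a source IP once its failed-auth count crosses a threshold. The log format, the threshold value and the sample lines are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines loosely following Dovecot's imap-login format
# (assumption: adjust LINE_RE if your IMAP server logs differently).
SAMPLE_LOG = """\
imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.10, lip=192.0.2.5, TLS
imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
imap-login: Disconnected (auth failed, 3 attempts in 10 secs): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.7, lip=192.0.2.5, TLS
"""

LINE_RE = re.compile(
    r"imap-login: "
    r"(?P<event>Login|Disconnected \(auth failed, (?P<n>\d+) attempts[^)]*\))"
    r": user=<(?P<user>[^>]*)>, .*?rip=(?P<rip>[^,]+)"
)

def analyse(log_text, known=None, fail_threshold=5):
    """Return (alerts, known) where alerts is a list of tuples and known is the
    updated per-user baseline of source IPs (persist it between runs).
    `known` is a mapping user -> set of IPs already seen for that user."""
    known = defaultdict(set, {u: set(ips) for u, ips in (known or {}).items()})
    fails = defaultdict(int)   # failed auth attempts per source IP
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue            # not an imap-login auth event; ignore
        user, rip = m["user"], m["rip"]
        if m["event"] == "Login":
            # Successful login: alert the first time this user logs in from rip.
            if rip not in known[user]:
                alerts.append(("NEW_SOURCE", user, rip))
                known[user].add(rip)
        else:
            # Failed auth: accumulate per source IP, alert once on crossing.
            before = fails[rip]
            fails[rip] += int(m["n"])
            if before < fail_threshold <= fails[rip]:
                alerts.append(("BRUTE_FORCE", rip, fails[rip]))
    return alerts, dict(known)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG)[0]:
        print(*alert)
```

On a real server the baseline would be loaded from and saved to disk, and the alerts fed to whatever notification channel you already use.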