On Wed, Apr 03, 2002 at 03:04:04PM -0500, Michael Caplan wrote:
> Hello,
>
> I am new to POP3 servers and was hoping that folks on this list would be
> able to offer some suggestions on security.
>
> I am interested in installing QPopper with TLS/SSL, as this seems like it
> would be the most secure configuration with regards to user authentication
> and message contents. I am vaguely familiar with APOP, Kerberos, and PAM.
> Is there any advantage to running SSL/TLS QPopper with any of these other
> protocols, or is SSL/TLS sufficient on its own?

The point of TLS is to obscure the username/password exchange via
encryption; Kerberos and APOP on the other hand provide alternative
authentication methods which don't require the exchange of a password.
I would view them as providing less security advantage in the TLS
setting.

PAM, as noted by the other reply, is just a programmatic interface to
different authentication mechanisms, and not a protocol; it doesn't
affect the visible exchange with the user/client.

> One other concern I have is with the general "stability" of QPopper itself in
> terms of the developer turnaround time for dealing with new exploits. From
> what I can tell from the Eudora site, QPopper 4.0.4 has been in Beta since
> September 2001. Is QPopper still being actively developed?

Yes it definitely is.

> It seems to me
> that there are 2 significant security alerts that have yet to be resolved:
> The 2048+ characters exploit
> http://www.digitux.net/security/advisories.html?id=34&display=info, and the
> 'popauth' Module Symlink Bug
> http://securitytracker.com/alerts/2001/Dec/1003005.html Can I expect a
> rapid turnaround time for bug resolution?

IMHO "yes", as regards patches being available; "no" as regards new
releases getting rolled out with those fixes.

The popauth thing doesn't seem as serious to me in that most
installations simply don't build or use popauth. Maybe that's a case
of tunnel vision on my part. Nonetheless it should get addressed.

I've already said my piece on the Digitux thing recently, so I don't
want to beat that horse again. See the archive if you're curious.

  -- Clifton

--
Clifton Royston -- LavaNet Systems Architect -- [EMAIL PROTECTED]
"What do we need to make our world come alive?
 What does it take to make us sing?
 While we're waiting for the next one to arrive..." - Sisters of Mercy
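
The APOP exchange mentioned in the reply above, as an added example that is not part of the original message or of QPopper's code: both sides of the RFC 1939 challenge/digest computation, showing that only a per-session MD5 digest crosses the wire. The banner, user name and secret are the sample values from RFC 1939; the function names and the second banner are constructed for illustration.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939 (not from a real server).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"


def banner_timestamp(banner: str) -> str:
    """Extract the <process.clock@host> challenge from the server greeting."""
    match = re.search(r"<[^<>\s]+@[^<>\s]+>", banner)
    if match is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return match.group(0)


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: MD5 over the timestamp (brackets included) + shared secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def apop_command(user: str, banner: str, secret: str) -> str:
    """The line the client sends in place of USER/PASS."""
    return f"APOP {user} {apop_digest(banner_timestamp(banner), secret)}"


def server_verify(banner: str, stored_secret: str, digest: str) -> bool:
    """Server side: recompute from the stored secret, compare in constant time."""
    expected = apop_digest(banner_timestamp(banner), stored_secret)
    return hmac.compare_digest(expected, digest.lower())


if __name__ == "__main__":
    print(apop_command("mrose", BANNER, SECRET))
    captured = apop_digest(banner_timestamp(BANNER), SECRET)
    # Constructed second greeting: a later session gets a different timestamp.
    later = "+OK POP3 server ready <1897.697170999@dbc.mtview.ca.us>"
    print("same session:", server_verify(BANNER, SECRET, captured))
    print("replayed later:", server_verify(later, SECRET, captured))
```

The server has to hold the shared secret in recoverable form to recompute the digest, and APOP protects only the login, not the message contents that TLS also covers.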