Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: pzn writes: Package: wnpp Severity: wishlist * Package name: fakepop Version : 7 Upstream Author : Pedro Zorzenon Neto [EMAIL PROTECTED] * URL : http://vztech.com.br/software/fakepop/ * License : GPL Description : fake pop3 server to warn users that only pop3-ssl is available fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted. Why use fakepop: the main purpose of fakepop is to advice users that your server only accepts pop3-ssl and they have wrongly configured pop3 without ssl. You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 -- - Ron Johnson, Jr. Jefferson, LA USA PGP Key ID 8834C06B I prefer encrypted mail. Politicians are the same all over. They promise to build a bridge where there is no river. Nikita Krushchev signature.asc Description: This is a digitally signed message part
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wed, Dec 01, 2004 at 12:12:12PM +0100, Petter Reinholdtsen wrote: [Steve McIntyre] So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? connection refused generate a support request from the user, and increases the load on the support organisation. The users will ask what the error message mean, and will have to get the explanations individually. A message poping up every time the user connect to the wrong service will normally change the users behaviour without any extra work for the support organisation. It appears that you have missed the point. One of the primary reasons why you would use pops rather than pop3 (I presume) is so that your authentication credentials aren't sent in the clear. This daemon allows the user to send their credentials en clair before telling them that they need to reconfigure their mail client. To quote the Guinness ad, Brilliant! - Matt signature.asc Description: Digital signature
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wed, Dec 01, 2004 at 05:17:33AM -0600, Ron Johnson wrote: On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: pzn writes: Package: wnpp Severity: wishlist * Package name: fakepop Version : 7 Upstream Author : Pedro Zorzenon Neto [EMAIL PROTECTED] * URL : http://vztech.com.br/software/fakepop/ * License : GPL Description : fake pop3 server to warn users that only pop3-ssl is available fakepop is a fake pop3 daemon. It returns always the same messages to all users, it does not care about usernames and passwords. All user/pass combinations are accepted. Why use fakepop: the main purpose of fakepop is to advice users that your server only accepts pop3-ssl and they have wrongly configured pop3 without ssl. You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 But the password have already been sent in cleartext, hasn't it ? -- Finn-Arne Johansen [EMAIL PROTECTED] http://bzz.no/
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wed, Dec 01, 2004 at 05:17:33AM -0600, Ron Johnson wrote: On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So I can put All your mail is belong to us in my /etc/fakepop/ directory, so that people know that their passwords *have* been successfully sent in the clear before being told to reconfigure their mail client? Well, *I'm* comforted. - Matt signature.asc Description: Digital signature
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
[Matthew Palmer] It appears that you have missed the point. No, I didn't miss Steve's point. I just give it less priority than other points.
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wed, 2004-12-01 at 22:25 +1100, Matthew Palmer wrote: On Wed, Dec 01, 2004 at 05:17:33AM -0600, Ron Johnson wrote: On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So I can put All your mail is belong to us in my /etc/fakepop/ directory, so that people know that their passwords *have* been successfully sent in the clear before being told to reconfigure their mail client? Well, *I'm* comforted. But since the password isn't valid, does it make much difference? For example, my pop3 password isn't the same as my GnuPG passphrase. -- - Ron Johnson, Jr. Jefferson, LA USA PGP Key ID 8834C06B I prefer encrypted mail. A busy mother makes slothful daughters. Unknown signature.asc Description: This is a digitally signed message part
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
Ron Johnson writes: On Wed, 2004-12-01 at 22:25 +1100, Matthew Palmer wrote: So I can put All your mail is belong to us in my /etc/fakepop/ directory, so that people know that their passwords *have* been successfully sent in the clear before being told to reconfigure their mail client? Well, *I'm* comforted. But since the password isn't valid, does it make much difference? For example, my pop3 password isn't the same as my GnuPG passphrase. Quite, but you're more clueful than most. The people seeing these messages will most likely have just attempted to log in using their normal username and password... -- Steve McIntyre, Cambridge, UK.[EMAIL PROTECTED] Armed with Valor: Centurion represents quality of Discipline, Honor, Integrity and Loyalty. Now you don't have to be a Caesar to concord the digital world while feeling safe and proud.
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
* Ron Johnson ([EMAIL PROTECTED]) [041201 12:40]: On Wed, 2004-12-01 at 22:25 +1100, Matthew Palmer wrote: On Wed, Dec 01, 2004 at 05:17:33AM -0600, Ron Johnson wrote: On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So I can put All your mail is belong to us in my /etc/fakepop/ directory, so that people know that their passwords *have* been successfully sent in the clear before being told to reconfigure their mail client? Well, *I'm* comforted. But since the password isn't valid, does it make much difference? For example, my pop3 password isn't the same as my GnuPG passphrase. Well, but the probability that users who mis-use pop3 instead of pop3-ssl use their pop3-ssl password for pop3 is quite high. Cheers, Andi -- http://home.arcor.de/andreas-barth/ PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
* Matthew Palmer | It appears that you have missed the point. One of the primary reasons why | you would use pops rather than pop3 (I presume) is so that your | authentication credentials aren't sent in the clear. This daemon allows the | user to send their credentials en clair before telling them that they need | to reconfigure their mail client. To quote the Guinness ad, Brilliant! They'll send them once in the clear, yes. Not each time, as they would with normal pop. Not perfect, but in many cases a reasonable tradeoff. -- Tollef Fog Heen,''`. UNIX is user friendly, it's just picky about who its friends are : :' : `. `' `-
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
Petter == Petter Reinholdtsen [EMAIL PROTECTED] writes: Petter connection refused generate a support request from the Petter user, and increases the load on the support organisation. Petter The users will ask what the error message mean, and will Petter have to get the explanations individually. A message Petter poping up every time the user connect to the wrong service Petter will normally change the users behaviour without any extra Petter work for the support organisation. This assumes that the client program will display the error message. IIRC, Some programs will just display invalid password regardless of what the server returns. This makes debugging any problems difficult. IIRC Outlook falls into this category. Even if the client returns the error message to the user, users frequently (read: close-to-always) are unable to *read* error messages (in my experience) and will interpret the error as invalid password regardless of what was actually displayed in the message box. These people won't be able to tell technical support any more then the very misleading Mail doesn't work as it doesn't like my password!. -- Brian May [EMAIL PROTECTED]
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wednesday 01 December 2004 04:59 pm, Brian May wrote: Petter == Petter Reinholdtsen [EMAIL PROTECTED] writes: Petter connection refused generate a support request from the Petter user, and increases the load on the support organisation. Petter The users will ask what the error message mean, and will Petter have to get the explanations individually. A message Petter poping up every time the user connect to the wrong service Petter will normally change the users behaviour without any extra Petter work for the support organisation. This assumes that the client program will display the error message. IIRC, Some programs will just display invalid password regardless of what the server returns. This makes debugging any problems difficult. IIRC Outlook falls into this category. Even if the client returns the error message to the user, users frequently (read: close-to-always) are unable to *read* error messages (in my experience) and will interpret the error as invalid password regardless of what was actually displayed in the message box. These people won't be able to tell technical support any more then the very misleading Mail doesn't work as it doesn't like my password!. -- Brian May [EMAIL PROTECTED] My understanding is that it allows the login given any username/password, and returns actual e-mail messages with the information. If the client program refuses to display the e-mail message, it won't be very useful with a real pop3 server. Josh
Re: Bug#283751: ITP: fakepop -- fake pop3 server to warn users that only pop3-ssl is available
On Wednesday 01 December 2004 06:46 am, Andreas Barth wrote: * Ron Johnson ([EMAIL PROTECTED]) [041201 12:40]: On Wed, 2004-12-01 at 22:25 +1100, Matthew Palmer wrote: On Wed, Dec 01, 2004 at 05:17:33AM -0600, Ron Johnson wrote: On Wed, 2004-12-01 at 11:04 +, Steve McIntyre wrote: So, let me get this straight - fakepop will allow people to log in (using their username and password) in the clear and THEN tell them that they should have used POP over SSL instead. Quite how is this better than connection refused? Read the description: You can customize messages in /etc/fakepop/ directory to teach your users how they should configure their mail clients to use pop3-ssl instead of pop3 So I can put All your mail is belong to us in my /etc/fakepop/ directory, so that people know that their passwords *have* been successfully sent in the clear before being told to reconfigure their mail client? Well, *I'm* comforted. But since the password isn't valid, does it make much difference? For example, my pop3 password isn't the same as my GnuPG passphrase. Well, but the probability that users who mis-use pop3 instead of pop3-ssl use their pop3-ssl password for pop3 is quite high. Cheers, Andi Your informational message that says how to connect to the pop3-ssl server could also suggest that the user change his or her password. Josh