Re: pop mail recommendations

2002-12-07 Thread Jens Grivolla
Ted Cabeen [EMAIL PROTECTED] writes:

 If we disregarded software that has had problems in the 
 past, sendmail would be dead and buried by now.

s/would/should

I haven't looked at the code of either sendmail or qpopper myself, but
all people I trust to be competent on the issue say that sendmail (or
bind to name another example) has a bloated, crappy codebase that is
impossible to manage with regard to security.

Security problems don't just happen, they depend on the way you
program.  If a piece of software has had security issues in the past
due to the code being bloated, unstructured, and messy, chances are it
will have problems in the future.  If a program is well-written,
nicely structured, lean, and concentrates on the specific task it is
supposed to accomplish (sendmail.conf is said to be a turing-complete
programming language ;) you have a much better chance of security.

Ciao,
   Jens



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]








Re: pop mail recommendations

2002-12-06 Thread andres
apt-get install qpopper

Ok!

;-)

Bye

Ted Roby wrote:

 I have setup exim to host my domain's SMTP services.

 I am now looking for something to host POP3 on the same Debian potato
 box.

 I am asking the security list because that is my primary interest.
 I would like to find something stable, reasonably known to be secure,
 perhaps specifically recommended for debian servers, and can run as a
 stand-alone daemon.

 Would any of you care to make a recommendation?

 ---
 Random fortune:

 A long-forgotten loved one will appear soon.

 Buy the negatives at any price.





Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
 apt-get install qpopper
 
 Ok!
 
 ;-)
*rotfl* Hope that wasn't a serious answer.
apt-cache search pop3

I suggest popa3d from http://www.openwall.com but I'm not sure
if you can use it in standalone mode.

Sven

 Ted Roby wrote:
 
  I have setup exim to host my domain's SMTP services.
 
  I am now looking for something to host POP3 on the same Debian potato
  box.
 
  I am asking the security list because that is my primary interest.
  I would like to find something stable, reasonably known to be secure,
  perhaps specifically recommended for debian servers, and can run as a
  stand-alone daemon.
 
  Would any of you care to make a recommendation?






RE: pop mail recommendations

2002-12-06 Thread DEFFONTAINES Vincent
I personally used courier-pop which did good, but never did I compare it
with others.


 -Original Message-
 From: Ted Roby [mailto:[EMAIL PROTECTED]]
 Sent: Friday 6 December 2002 11:51
 To: [EMAIL PROTECTED]
 Subject: pop mail recommendations
 
 
 I have setup exim to host my domain's SMTP services.
 
 I am now looking for something to host POP3 on the same Debian potato 
 box.
 
 I am asking the security list because that is my primary interest.
 I would like to find something stable, reasonably known to be secure, 
 perhaps specifically recommended for debian servers, and can run as a 
 stand-alone daemon.
 
 Would any of you care to make a recommendation?
 
 




RE: pop mail recommendations

2002-12-06 Thread Craig
cucipop

-Original Message-
From: DEFFONTAINES Vincent [mailto:[EMAIL PROTECTED]]
Sent: 06 December 2002 01:29
To: [EMAIL PROTECTED]
Subject: RE: pop mail recommendations


I personally used courier-pop which did good, but never did I compare it
with others.


 -Original Message-
 From: Ted Roby [mailto:[EMAIL PROTECTED]]
 Sent: Friday 6 December 2002 11:51
 To: [EMAIL PROTECTED]
 Subject: pop mail recommendations


 I have setup exim to host my domain's SMTP services.

 I am now looking for something to host POP3 on the same Debian potato
 box.

 I am asking the security list because that is my primary interest.
 I would like to find something stable, reasonably known to be secure,
 perhaps specifically recommended for debian servers, and can run as a
 stand-alone daemon.

 Would any of you care to make a recommendation?






Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 03:31:31AM -0800, Ted Roby wrote:
 On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
 On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
 apt-get install qpopper
 ;-)
 *rotfl* Hope that wasn't a serious answer.
 apt-cache search pop3
 
 I suggest popa3d from http://www.openwall.com but I'm not sure
 if you can use it in standalone mode.
 
 I like the look of popa3d, but it does not support md5 or ssl 
 transport. I know this is trivial protection, but every layer helps.
Well you asked for pop3 not pop3s. For security and pop3s courier might
be a good choice but it's quite complex. (IMHO)
 
 Qpopper does look interesting. Since version 4 it has been released as 
 free open source (I'm compiling it now, just to take a look). I have 
 experience with Eudora mail products, primarily EIMS running on MacOS, 
 so I am familiar with their processes.
On one of my machines I still use qpopper but the security history is a
pain. Root exploits, DoS stuff and others ...
On the other hand qpopper is easy to set up and fast enough for a small
environment but I would definitely not call qpopper secure.

Sven

BTW: qpopper was OpenSource software from the beginning. They just split
up a part of it for a commercial product but changed this strategy back
to one opensource product for all quite fast.






Re: pop mail recommendations

2002-12-06 Thread Michael Renzmann
Hi all.

Ted Roby wrote:

I suggest popa3d from http://www.openwall.com but I'm not sure
if you can use it in standalone mode.


How about the combination of popa3d with postfix? Does this team up 
well? I thought of using qpopper, but I'm willing to think that over 
again if qpopper has major disadvantages compared with popa3d.

Bye, Mike





RE: pop mail recommendations

2002-12-06 Thread Jeff AA
Second the recommendation for courier.

We have exim / courier [pop imap pops imaps] using maildir formats
and controlled from mysql for virtual users accepting mail for about
20 domains.

We did compare with Cyrus, but that fell down on integration with
exim.

This is the list dpkg -l *courier* | grep ii shows:

ii  courier-authda 0.37.3-2.3 Courier Mail Server authentication daemon
ii  courier-authmy 0.37.3-2.3 MySQL Authentication for Courier Mail Server
ii  courier-base   0.37.3-2.3 Courier Mail Server Base System
ii  courier-imap   1.4.3-2.3  IMAP daemon with PAM and Maildir support
ii  courier-imap-s 1.4.3-3.1  IMAP daemon with SSL, PAM and Maildir suppor
ii  courier-pop    0.37.3-2.3 POP3 daemon with PAM and Maildir support
ii  courier-pop-ss 0.37.3-3.1 POP3 daemon with SSL, PAM and Maildir suppor
ii  courier-ssl    0.37.3-3.1 Courier Mail Server SSL Package

Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff

 -Original Message-
 From: DEFFONTAINES Vincent [mailto:[EMAIL PROTECTED]] 
 Sent: 06 December 2002 11:29
 To: [EMAIL PROTECTED]
 Subject: RE: pop mail recommendations
 
 
 I personally used courier-pop which did good, but never did I compare it
 with others.
 
 
  -Original Message-
  From: Ted Roby [mailto:[EMAIL PROTECTED]]
  Sent: Friday 6 December 2002 11:51
  To: [EMAIL PROTECTED]
  Subject: pop mail recommendations
  
  
  I have setup exim to host my domain's SMTP services.
  
  I am now looking for something to host POP3 on the same Debian potato
  box.
  
  I am asking the security list because that is my primary interest.
  I would like to find something stable, reasonably known to be secure,
  perhaps specifically recommended for debian servers, and can run as a
  stand-alone daemon.
  
  Would any of you care to make a recommendation?
  
  
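
What Jeff describes in the message above, as an added example that is not part of the original thread: this Python sketch classifies a POP3 session transcript by whether the password itself crossed the wire, and verifies an APOP response the way a server would under RFC 1939. The transcripts are constructed, the function names are hypothetical, and covering APOP goes one step beyond what the message itself says.

```python
import hashlib
import hmac
import re

# An APOP-capable server puts a unique <timestamp> token in its greeting (RFC 1939).
GREETING_TS = re.compile(r"<[^<>\s]+>")


def apop_digest(timestamp, secret):
    """Hex MD5 over the greeting timestamp immediately followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def verify_apop(timestamp, claimed_digest, secret):
    """Server-side check of an APOP response, using a constant-time comparison."""
    expected = apop_digest(timestamp, secret).encode("ascii")
    return hmac.compare_digest(expected, claimed_digest.lower().encode("utf-8"))


def audit_session(transcript, tls=False):
    """Classify how one POP3 session authenticated.

    transcript: ordered lines prefixed 'S: ' (server) or 'C: ' (client).
    tls: True when the whole session ran inside SSL/TLS (pop3s / pop-ssl).
    """
    result = {"user": None, "mechanism": None, "timestamp": None,
              "digest": None, "password_on_wire": False}
    greeting_seen = False
    for line in transcript:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "S" and not greeting_seen:
            # Only the first server line is the greeting that may carry the timestamp.
            greeting_seen = True
            match = GREETING_TS.search(text)
            if text.startswith("+OK") and match:
                result["timestamp"] = match.group(0)
        elif side == "C":
            verb, _, arg = text.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                result["user"] = arg.strip()
            elif verb == "PASS":
                # The password is the literal argument; only TLS hides it.
                result["mechanism"] = "USER/PASS"
                result["password_on_wire"] = not tls
            elif verb == "APOP":
                # Only a per-connection digest is sent, never the secret itself.
                user, _, digest = arg.strip().partition(" ")
                result.update(user=user, mechanism="APOP", digest=digest.strip())
    return result


# Constructed sample sessions. The timestamp and secret are the inputs of the
# worked APOP example in RFC 1939; the digest is computed here, not copied.
TS = "<1896.697170952@dbc.mtview.ca.us>"
SECRET = "tanstaaf"

PLAIN_SESSION = [
    "S: +OK POP3 server ready",
    "C: USER mrose",
    "S: +OK",
    "C: PASS " + SECRET,
    "S: +OK maildrop has 1 message (369 octets)",
]
APOP_SESSION = [
    "S: +OK POP3 server ready " + TS,
    "C: APOP mrose " + apop_digest(TS, SECRET),
    "S: +OK maildrop has 1 message (369 octets)",
]

if __name__ == "__main__":
    cases = (("pop3 USER/PASS", PLAIN_SESSION, False),
             ("pop3s USER/PASS", PLAIN_SESSION, True),
             ("pop3 APOP", APOP_SESSION, False))
    for name, session, tls in cases:
        r = audit_session(session, tls=tls)
        print(f"{name:16} user={r['user']} password_on_wire={r['password_on_wire']}")
```

APOP keeps the password off the wire but leaves the mail itself unencrypted and requires the server to hold the secret in recoverable form, so it complements pop-ssl rather than replacing it.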




Re: pop mail recommendations

2002-12-06 Thread Marcel Weber
Ted Roby wrote:
| I have setup exim to host my domain's SMTP services.
|
| Would any of you care to make a recommendation?

I personally like teapop. It is very fast and stable. Furthermore it
supports authenticating users against postgresql or mysql tables. I
would really recommend using sql tables for authentication. Like this
the pop3 user base is separated from the unix user base (imagine someone
sniffing a unix password and you forgot to disable login for the pop3
users...)

Marcel


--

Marcel Weber  - [EMAIL PROTECTED]

PGP/GPG Key:  http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc




Re: pop mail recommendations

2002-12-06 Thread Phillip Hofmeister
On Fri, 06 Dec 2002 at 12:48:19PM -, Jeff AA wrote:
 We have exim / courier [pop imap pops imaps] using maildir formats
 and controlled from mysql for virtual users accepting mail for about
 20 domains.

How do you handle virtual user password changes with this setup?  Can
the users change their own password?

Phil

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #180: Wrong polarity of neutron flow 






RE: pop mail recommendations

2002-12-06 Thread Christian Storch
Why it did 'fell down .. with exim'?

With a little bit more expense as usual
cyrus 2.0.16 worked very fine with sendmail 8.12.2!

regards,
Christian

-Original Message-
From: Jeff AA [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: pop mail recommendations


Second the recommendation for courier.

We have exim / courier [pop imap pops imaps] using maildir formats
and controlled from mysql for virtual users accepting mail for about
20 domains.

We did compare with Cyrus, but that fell down on integration with
exim.

...






RE: pop mail recommendations

2002-12-06 Thread Jeff AA

A little HTTPS PHP web page lets users change passwords, enter a
vacation message or set up personal exim filters.
We don't allow remote pop3 or imap - all is SSL wrapped. We run
SquirrelMail through https for users who want a web client.

The nicest thing IMO though, is that we only allow relay for
authenticated smtp connections via TLS and have a system filter that
automatically copies all outgoing mail into a Sent folder - we don't
have to rely on buggy clients, and users that have several PCs/Laptops
etc, can see ALL their Sent items in a single server-side imap folder.

All our domains, users and aliases are read by exim from a local mysql
instance.

Using maildir format makes it easy for exim to filter into sub-folders
etc. We can have shared folders with a single READ status for our tech
team etc etc.

Regards
Jeff

 -Original Message-
 From: Phillip Hofmeister [mailto:[EMAIL PROTECTED]] 
 Sent: 06 December 2002 13:43
 To: Jeff AA
 Cc: [EMAIL PROTECTED]
 Subject: Re: pop mail recommendations
 
 
 On Fri, 06 Dec 2002 at 12:48:19PM -, Jeff AA wrote:
  We have exim / courier [pop imap pops imaps] using maildir formats
  and controlled from mysql for virtual users accepting mail for about
  20 domains.
 
 How do you handle virtual user password changes with this setup?  Can
 the users change their own password?
 
 Phil
 
 -- 
 Phil
 
 PGP/GPG Key:
 http://www.zionlth.org/~plhofmei/
 wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
 --
 Excuse #180: Wrong polarity of neutron flow 
 
 




Re: pop mail recommendations

2002-12-06 Thread mfaurot
In article [EMAIL PROTECTED] you wrote:

 On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:

 I suggest popa3d from http://www.openwall.com but I'm not sure
 if you can use it in standalone mode.

 I like the look of popa3d, but it does not support md5 or ssl 
 transport. I know this is trivial protection, but every layer helps.

I'd suggest The University of Washington's POP3 server. Which does
support SSL.  However I don't believe the Debian packages for potato
included a daemon with SSL support.  Not sure about Woody, Sarge or
Sid though.  I just built it from source.  You can get the source here:

http://www.washington.edu/imap/

NOTE: The source is described as The University of Washington IMAP Server
or UW IMAP.  Rest assured--the source distribution includes a POP2,
POP3 and IMAP daemon.






Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 10:12:22AM -0500, [EMAIL PROTECTED] wrote:
 In article [EMAIL PROTECTED] you wrote:
 
  On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
 
  I suggest popa3d from http://www.openwall.com but I'm not sure
  if you can use it in standalone mode.
 
  I like the look of popa3d, but it does not support md5 or ssl 
  transport. I know this is trivial protection, but every layer helps.
 
 I'd suggest The University of Washington's POP3 server. Which does
 support SSL.  However I don't believe the Debian packages for potato
 included a daemon with SSL support.  Not sure about Woody, Sarge or
 Sid though.  I just built it from source.  You can get the source here:
 
   http://www.washington.edu/imap/
AFAIR the history told us that it's nearly as secure or insecure as
qpopper. 

Sven







RE: pop mail recommendations

2002-12-06 Thread Christian Storch
Look at brand new
http://packages.debian.org/unstable/mail/cyrus21-imapd.html

ssl included!

Christian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 06, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: Re: pop mail recommendations

...
I'd suggest The University of Washington's POP3 server. Which does
support SSL.  However I don't believe the Debian packages for potato
included a daemon with SSL support.  Not sure about Woody, Sarge or
Sid though.  I just built it from source.  You can get the source here:
...






Re: pop mail recommendations

2002-12-06 Thread Noah L. Meyerhans
On Fri, Dec 06, 2002 at 04:35:04PM +0100, Christian Storch wrote:
 Look at brand new
 http://packages.debian.org/unstable/mail/cyrus21-imapd.html
 
 ssl included!

Cyrus definitely rocks, but it can't be described as lightweight in any
sense of the word.  It's very powerful, and would be my first choice for
running a very large site (university campus, for example), but most
people don't need something quite so industrial strength.

Having said that, I should also mention that I run a Cyrus 2.1
installation for about 8 people at work.  It works great, but it's
overkill.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 





Re: pop mail recommendations

2002-12-06 Thread Ted Cabeen
In message [EMAIL PROTECTED], Sven Hoexter writes:
On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
 apt-get install qpopper
 
 Ok!
 
 ;-)
*rotfl* Hope that wasn't a serious answer.
apt-cache search pop3

Really?  qpopper is pretty solid these days, and has features that many of 
the other pop servers lack.  Sure, it has had some problems in the past, but 
nothing root-level since 4.0.  Like the cyrus recommendation, it may be a 
little bit of overkill for a small site, but all in all, it's a fine 
recommendation.  If we disregarded software that has had problems in the 
past, sendmail would be dead and buried by now.

-- 
Ted Cabeen   http://www.pobox.com/~secabeen[EMAIL PROTECTED] 
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
I have taken all knowledge to be my province. -F. Bacon  [EMAIL PROTECTED]
Human kind cannot bear very much reality.-T.S.Eliot[EMAIL PROTECTED]






Re: pop mail recommendations

2002-12-06 Thread Ted Roby

On Friday, Dec 6, 2002, at 04:48 US/Pacific, Jeff AA wrote:


Second the recommendation for courier.


Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff

I've already taken care of login security with my standard security 
policy. SSH is the only remote login daemon available on the server. 
Password authentication is disabled. Any access to the box must be done 
with key authentication. Accounts with pop access (if /etc/passwd is 
used for authentication) will have a /bin/false shell, and a read-only 
.ssh directory where no authorized-keys file exists. 98% of the usage 
on this mail server will be my own accounts. I won't be hosting any 
clients, but I will be hosting a couple of friends here and there. Of 
course, that could change in the future, and clients may very well be 
included in the plan. Because of this, the pop3 access with some type 
of encrypted authentication (pops apop) is entirely for my own 
convenience so as to prevent from having to setup an ssh port forward 
each time I want to check my mail while away from home. I am not 
concerned with the transparency of the messages themselves, as anything 
sensitive will be encrypted with GPG. Qpopper definitely interests me, 
but it hasn't developed enough of a secure history yet with version 4. 
I think I'll keep an eye on its development and perhaps use it at a 
later time. For now, I'm still looking at popa3d, courier, and UofW, as 
is recommended by some of you.


---
There is no character, howsoever good and fine, but it can be destroyed 
by ridicule, howsoever poor and witless.  Observe the ass, for 
instance: his character is about perfect, he is the choicest spirit 
among all the humbler animals, yet see what ridicule has brought him 
to.  Instead of feeling complimented when we are called an ass, we are 
left in doubt.
   -- Mark Twain, Pudd'nhead Wilson's Calendar


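
One way to check the account policy Ted describes above, as an added example that is not part of the original thread: a Python audit that takes passwd(5)-format text, the set of POP-only account names and an sshd_config, and reports any account with a login shell, an authorized_keys file or a writable .ssh directory. The function names, account names and sample tree are constructed for illustration; the file OpenSSH reads is named authorized_keys.

```python
import os
import stat
import tempfile

NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}


def parse_passwd(text):
    """Yield (name, home, shell) for each well-formed passwd(5) line."""
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 7 and not raw.lstrip().startswith("#"):
            yield fields[0], fields[5], fields[6]


def password_auth_disabled(sshd_config_text):
    """True only if the global section sets PasswordAuthentication to 'no'.

    sshd uses the first value it reads for a keyword and defaults to 'yes',
    so a commented-out or later 'no' does not count.
    """
    for raw in sshd_config_text.splitlines():
        words = raw.split("#", 1)[0].replace("=", " ").split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "match":
            break  # per-connection overrides are out of scope for this check
        if keyword == "passwordauthentication" and len(words) > 1:
            return words[1].lower() == "no"
    return False


def audit_mail_accounts(passwd_text, mail_users, root="/"):
    """Return (account, finding, detail) tuples for POP-only accounts."""
    findings, seen = [], set()
    for name, home, shell in parse_passwd(passwd_text):
        if name not in mail_users:
            continue
        seen.add(name)
        if shell not in NON_LOGIN_SHELLS:
            findings.append((name, "login-shell", shell))
        ssh_dir = os.path.join(root, home.lstrip("/"), ".ssh")
        keys = os.path.join(ssh_dir, "authorized_keys")
        if os.path.lexists(keys):
            findings.append((name, "authorized-keys-present", keys))
        if os.path.isdir(ssh_dir):
            mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
            if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
                findings.append((name, "ssh-dir-writable", oct(mode)))
    # A mail account missing from passwd means the inventory is out of date.
    for name in sorted(set(mail_users) - seen):
        findings.append((name, "not-in-passwd", ""))
    return findings


# Constructed sample data: account names, shells and the directory tree are made up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/false
"""
SAMPLE_SSHD_CONFIG = """\
# PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes
"""


def demo():
    """Build the sample tree in a temporary directory and audit it."""
    layout = (("alice", 0o500, False), ("bob", 0o500, False), ("carol", 0o700, True))
    with tempfile.TemporaryDirectory() as root:
        for user, mode, with_keys in layout:
            ssh_dir = os.path.join(root, "home", user, ".ssh")
            os.makedirs(ssh_dir)
            if with_keys:
                open(os.path.join(ssh_dir, "authorized_keys"), "w").close()
            os.chmod(ssh_dir, mode)
        return audit_mail_accounts(SAMPLE_PASSWD, {"alice", "bob", "carol", "dave"}, root)


if __name__ == "__main__":
    print("password auth disabled:", password_auth_disabled(SAMPLE_SSHD_CONFIG))
    for finding in demo():
        print(finding)
```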



Re: pop mail recommendations

2002-12-06 Thread Glen Mehn
Ted Roby wrote:



On Friday, Dec 6, 2002, at 04:48 US/Pacific, Jeff AA wrote:


Second the recommendation for courier.


Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff



I've already taken care of login security with my standard security 
policy. SSH is the only remote login daemon available on the server. 
Password authentication is disabled. Any access to the box must be 
done with key authentication. Accounts with pop access (if /etc/passwd 
is used for authentication) will have a /bin/false shell, and a 
read-only .ssh directory where no authorized-keys file exists. 98% of 
the usage on this mail server will be my own accounts. I won't be 
hosting any clients, but I will be hosting a couple of friends here 
and there. Of course, that could change in the future, and clients may 
very well be included in the plan. Because of this, the pop3 access 
with some type of encrypted authentication (pops apop) is entirely for 
my own convenience so as to prevent from having to setup an ssh port 
forward each time I want to check my mail while away from home. I am 
not concerned with the transparency of the messages themselves, as 
anything sensitive will be encrypted with GPG. Qpopper definitely 
interests me, but it hasn't developed enough of a secure history yet 
with version 4. I think I'll keep an eye on its development and 
perhaps use it at a later time. For now, I'm still looking at popa3d, 
courier, and UofW, as is recommended by some of you.

UW imap (which provides the POP access) has a pretty questionable 
security history, AFAIK. Investigating at securityfocus, etc. might be 
worth a look.

-g






 



Re: pop mail recommendations

2002-12-06 Thread Ted Roby


On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:


On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:

apt-get install qpopper

Ok!

;-)

*rotfl* Hope that wasn't a serious answer.
apt-cache search pop3

I suggest popa3d from http://www.openwall.com but I'm not sure
if you can use it in standalone mode.

Sven


I like the look of popa3d, but it does not support md5 or ssl 
transport. I know this is trivial protection, but every layer helps.


Qpopper does look interesting. Since version 4 it has been released as 
free open source (I'm compiling it now, just to take a look). I have 
experience with Eudora mail products, primarily EIMS running on MacOS, 
so I am familiar with their processes.


Thanks for the suggestions so far, and please feel free to give more.


---
Random fortune:
Next Friday will not be your lucky day.  As a matter of fact, you don't
have a lucky day this year.



RE: pop mail recommendations

2002-12-06 Thread Craig
cucipop

-Original Message-
From: DEFFONTAINES Vincent [mailto:[EMAIL PROTECTED]
Sent: 06 December 2002 01:29
To: debian-security@lists.debian.org
Subject: RE: pop mail recommendations


I personnally used courrier-pop which did good, but never did I compare it
with others.


 -Original Message-
 From: Ted Roby [mailto:[EMAIL PROTECTED]
 Sent: Friday 6 December 2002 11:51
 To: debian-security@lists.debian.org
 Subject: pop mail recommendations


 I have setup exim to host my domain's SMTP services.

 I am now looking for something to host POP3 on the same Debian potato
 box.

 I am asking the security list because that is my primary interest.
 I would like to find something stable, reasonably known to be secure,
 perhaps specifically recommended for debian servers, and can run as a
 stand-alone daemon.

 Would any of you care to make a recommendation?


 ---
 Random fortune:

 A long-forgotten loved one will appear soon.

 Buy the negatives at any price.


 --
 To UNSUBSCRIBE, email to [EMAIL PROTECTED]
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]



--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact
[EMAIL PROTECTED]




Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 03:31:31AM -0800, Ted Roby wrote:
 On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
 On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
 apt-get install qpopper
 ;-)
 *rotfl* Hope that wasn't a serious answer.
 apt-cache search pop3
 
 I suggest popa3d from http://www.openwall.com but I'm not sure
 if you can use it in standalone mode.
 
 I like the look of popa3d, but it does not support md5 or ssl 
 transport. I know this is trivial protection, but every layer helps.
Well you asked for pop3 not pop3s. For security and pop3s courier might
be a good choice but it's quite complex. (IMHO)
 
 Qpopper does look interesting. Since version 4 it has been released as 
 free open source (I'm compiling it now, just to take a look). I have 
 experience with Eudora mail products, primarily EIMS running on MacOS, 
 so I am familiar with their processes.
On one of my machines I still use qpopper but the security history is a
pain. Root eploits, DoS stuff and others ...
On the other hand qpopper is easy to set up and fast engough for a small
enviroment but I would definitly not call qpopper secure.

Sven

BTW: qpopper was OpenSource software from the beginning. They just split
up a part of it for a commercial product but changed this strategy back
to one opensource product for all quite fast.



Re: pop mail recommendations

2002-12-06 Thread Michael Renzmann

Hi all.

Ted Roby wrote:

I suggest popa3d from http://www.openwall.com but I'm not sure
if you can use it in standalone mode.


How about the combination of popa3d with postfix? Does this team up 
well? I thought of using qpopper, but I'm willing to think that over 
again if qpopper has major disadvanteges compared with popa3d.


Bye, Mike



RE: pop mail recommendations

2002-12-06 Thread Jeff AA
Second the recommendation for courier.

We have exim / courier [pop imap pops imaps] using maildir formats
and controlled from mysql for virtual users accepting mail for about
20 domains.

We did compare with Cyrus, but that fell down on integration with
exim.

This is the list dpkg -l *courier* | grep ii shows:

ii  courier-authda 0.37.3-2.3 Courier Mail Server authentication daemon
ii  courier-authmy 0.37.3-2.3 MySQL Authentication for Courier Mail Server
ii  courier-base   0.37.3-2.3 Courier Mail Server Base System
ii  courier-imap   1.4.3-2.3  IMAP daemon with PAM and Maildir support
ii  courier-imap-s 1.4.3-3.1  IMAP daemon with SSL, PAM and Maildir suppor
ii  courier-pop    0.37.3-2.3 POP3 daemon with PAM and Maildir support
ii  courier-pop-ss 0.37.3-3.1 POP3 daemon with SSL, PAM and Maildir suppor
ii  courier-ssl    0.37.3-3.1 Courier Mail Server SSL Package

Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff

 -Original Message-
 From: DEFFONTAINES Vincent [mailto:[EMAIL PROTECTED] 
 Sent: 06 December 2002 11:29
 To: debian-security@lists.debian.org
 Subject: RE: pop mail recommendations
 
 
 I personally used courier-pop which did good, but never did I compare it
 with others.
 
 
  -Original Message-
  From: Ted Roby [mailto:[EMAIL PROTECTED]
  Sent: Friday 6 December 2002 11:51
  To: debian-security@lists.debian.org
  Subject: pop mail recommendations
  
  
  I have setup exim to host my domain's SMTP services.
  
  I am now looking for something to host POP3 on the same Debian potato
  box.
  
  I am asking the security list because that is my primary interest.
  I would like to find something stable, reasonably known to be secure,
  perhaps specifically recommended for debian servers, and can run as a
  stand-alone daemon.
  
  Would any of you care to make a recommendation?
  
  
  ---
  Random fortune:
  
  A long-forgotten loved one will appear soon.
  
  Buy the negatives at any price.
  
  
 
 



Re: pop mail recommendations

2002-12-06 Thread Marcel Weber

Ted Roby wrote:
| I have setup exim to host my domain's SMTP services.
|
| Would any of you care to make a recommendation?

I personally like teapop. It is very fast and stable. Furthermore it
supports authenticating users against postgresql or mysql tables. I
would really recommend using sql tables for authentication. Like this
the pop3 user base is separated from the unix user base (imagine someone
sniffing a unix password and you forgot to disable login for the pop3
users...)

Marcel


- --

Marcel Weber  - [EMAIL PROTECTED]

PGP/GPG Key:  http://www.ncpro.com/GPG/mmweber-at-ncpro-com.asc



Re: pop mail recommendations

2002-12-06 Thread Phillip Hofmeister
On Fri, 06 Dec 2002 at 12:48:19PM -, Jeff AA wrote:
 We have exim / courier [pop imap pops imaps] using maildir formats
 and controlled from mysql for virtual users accepting mail for about
 20 domains.

How do you handle virtual user password changes with this setup?  Can
the users change their own password?

Phil

-- 
Phil

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
--
Excuse #180: Wrong polarity of neutron flow 



RE: pop mail recommendations

2002-12-06 Thread Jeff AA

A little HTTPS PHP web page lets users change passwords, enter a
vacation message or set up personal exim filters.
We don't allow remote pop3 or imap - all is SSL wrapped. We run
SquirrelMail through https for users who want a web client.

The nicest thing IMO though, is that we only allow relay for
authenticated smtp connections via TLS and have a system filter that
automatically copies all outgoing mail into a Sent folder - we don't
have to rely on buggy clients, and users that have several PCs/Laptops
etc, can see ALL their Sent items in a single server-side imap folder.

All our domains, users and aliases are read by exim from a local mysql
instance.

Using maildir format makes it easy for exim to filter into sub-folders
etc. We can have shared folders with a single READ status for our tech
team etc etc.

Regards
Jeff

 -Original Message-
 From: Phillip Hofmeister [mailto:[EMAIL PROTECTED] 
 Sent: 06 December 2002 13:43
 To: Jeff AA
 Cc: debian-security@lists.debian.org
 Subject: Re: pop mail recommendations
 
 
 On Fri, 06 Dec 2002 at 12:48:19PM -, Jeff AA wrote:
  We have exim / courier [pop imap pops imaps] using maildir formats
  and controlled from mysql for virtual users accepting mail for about
  20 domains.
 
 How do you handle virtual user password changes with this setup?  Can
 the users change their own password?
 
 Phil
 
 -- 
 Phil
 
 PGP/GPG Key:
 http://www.zionlth.org/~plhofmei/
 wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
 --
 Excuse #180: Wrong polarity of neutron flow 
 
 
 
 



Re: pop mail recommendations

2002-12-06 Thread mfaurot
In article [EMAIL PROTECTED] you wrote:

 On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:

 I suggest popa3d from http://www.openwall.com but I'm not sure
 if you can use it in standalone mode.

 I like the look of popa3d, but it does not support md5 or ssl 
 transport. I know this is trivial protection, but every layer helps.

I'd suggest The University of Washington's POP3 server. Which does
support SSL.  However I don't believe the Debian packages for potato
included a daemon with SSL support.  Not sure about Woody, Sarge or
Sid though.  I just built it from source.  You can get the source here:

http://www.washington.edu/imap/

NOTE: The source is described as The University of Washington IMAP Server
or UW IMAP.  Rest assured--the source distribution includes a POP2,
POP3 and IMAP daemon.



Re: pop mail recommendations

2002-12-06 Thread Sven Hoexter
On Fri, Dec 06, 2002 at 10:12:22AM -0500, [EMAIL PROTECTED] wrote:
 In article [EMAIL PROTECTED] you wrote:
 
  On Friday, Dec 6, 2002, at 03:18 US/Pacific, Sven Hoexter wrote:
 
  I suggest popa3d from http://www.openwall.com but I'm not sure
  if you can use it in standalone mode.
 
  I like the look of popa3d, but it does not support md5 or ssl 
  transport. I know this is trivial protection, but every layer helps.
 
 I'd suggest The University of Washington's POP3 server. Which does
 support SSL.  However I don't believe the Debian packages for potato
 included a daemon with SSL support.  Not sure about Woody, Sarge or
 Sid though.  I just built it from source.  You can get the source here:
 
   http://www.washington.edu/imap/
AFAIR the history told us that it's nearly as secure or insecure as
qpopper. 

Sven




RE: pop mail recommendations

2002-12-06 Thread Christian Storch
Look at brand new
http://packages.debian.org/unstable/mail/cyrus21-imapd.html

ssl included!

Christian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, December 06, 2002 4:12 PM
To: debian-security@lists.debian.org
Subject: Re: pop mail recommendations

...
I'd suggest The University of Washington's POP3 server. Which does
support SSL.  However I don't believe the Debian packages for potato
included a daemon with SSL support.  Not sure about Woody, Sarge or
Sid though.  I just built it from source.  You can get the source here:
...



Re: pop mail recommendations

2002-12-06 Thread Noah L. Meyerhans
On Fri, Dec 06, 2002 at 04:35:04PM +0100, Christian Storch wrote:
 Look at brand new
 http://packages.debian.org/unstable/mail/cyrus21-imapd.html
 
 ssl included!

Cyrus definitely rocks, but it can't be described as lightweight in any
sense of the word.  It's very powerful, and would be my first choice for
running a very large site (university campus, for example), but most
people don't need something quite so industrial strength.

Having said that, I should also mention that I run a Cyrus 2.1
installation for about 8 people at work.  It works great, but it's
overkill.

noah

-- 
 ___
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 




Re: pop mail recommendations

2002-12-06 Thread Ted Cabeen
In message [EMAIL PROTECTED], Sven Hoexter writes:
On Fri, Dec 06, 2002 at 12:07:10PM +0100, andres wrote:
 apt-get install qpopper
 
 Ok!
 
 ;-)
*rotfl* Hope that wasn't a serious answer.
apt-cache search pop3

Really?  qpopper is pretty solid these days, and has features that many of 
the other pop servers lack.  Sure, it has had some problems in the past, but 
nothing root-level since 4.0.  Like the cyrus recommendation, it may be a 
little bit of overkill for a small site, but all in all, it's a fine 
recommendation.  If we disregarded software that has had problems in the 
past, sendmail would be dead and buried by now.

- -- 
Ted Cabeen   http://www.pobox.com/~secabeen   [EMAIL PROTECTED]
Check Website or Keyserver for PGP/GPG Key BA0349D2 [EMAIL PROTECTED]
I have taken all knowledge to be my province. -F. Bacon  [EMAIL PROTECTED]
Human kind cannot bear very much reality.-T.S.Eliot[EMAIL PROTECTED]





Re: pop mail recommendations

2002-12-06 Thread Glen Mehn

Jeff AA wrote:


Second the recommendation for courier.

We have exim / courier [pop imap pops imaps] using maildir formats
and controlled from mysql for virtual users accepting mail for about
20 domains.

We did compare with Cyrus, but that fell down on integration with
exim.

This is the list dpkg -l *courier* | grep ii shows:

ii  courier-authda 0.37.3-2.3 Courier Mail Server authentication daemon
ii  courier-authmy 0.37.3-2.3 MySQL Authentication for Courier Mail Server
ii  courier-base   0.37.3-2.3 Courier Mail Server Base System
ii  courier-imap   1.4.3-2.3  IMAP daemon with PAM and Maildir support
ii  courier-imap-s 1.4.3-3.1  IMAP daemon with SSL, PAM and Maildir suppor
ii  courier-pop    0.37.3-2.3 POP3 daemon with PAM and Maildir support
ii  courier-pop-ss 0.37.3-3.1 POP3 daemon with SSL, PAM and Maildir suppor
ii  courier-ssl    0.37.3-3.1 Courier Mail Server SSL Package
 

third the recco for courier/exim. lightweight, fast, reliable. You can 
also use sqwebmail for your webmail, which is written by the courier 
author(s), and uses the same libs to talk directly to the maildir 
folders. It'll allow users to login and change passwords (which may 
require sqwebmail to be setuid root if you authenticate off of 
/etc/passwd, which you likely don't want to do, but use postgres or 
something instead)


ymmv, but this is definitely the way to go for me.

-g


Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users 
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will 
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.


regards
Jeff

 


-Original Message-
From: DEFFONTAINES Vincent [mailto:[EMAIL PROTECTED] 
Sent: 06 December 2002 11:29

To: debian-security@lists.debian.org
Subject: RE: pop mail recommendations


I personally used courier-pop which did good, but never did I compare it
with others.


   


-Original Message-
From: Ted Roby [mailto:[EMAIL PROTECTED]
Sent: Friday 6 December 2002 11:51
To: debian-security@lists.debian.org
Subject: pop mail recommendations


I have setup exim to host my domain's SMTP services.

I am now looking for something to host POP3 on the same Debian potato
box.

I am asking the security list because that is my primary interest.
I would like to find something stable, reasonably known to be secure,
perhaps specifically recommended for debian servers, and can run as a
stand-alone daemon.

Would any of you care to make a recommendation?


---
Random fortune:

A long-forgotten loved one will appear soon.

Buy the negatives at any price.



Re: pop mail recommendations

2002-12-06 Thread Ted Roby


On Friday, Dec 6, 2002, at 04:48 US/Pacific, Jeff AA wrote:


Second the recommendation for courier.


Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff


I've already taken care of login security with my standard security 
policy. SSH is the only remote login daemon available on the server. 
Password authentication is disabled. Any access to the box must be done 
with key authentication. Accounts with pop access (if /etc/passwd is 
used for authentication) will have a /bin/false shell, and a read-only 
.ssh directory where no authorized-keys file exists. 98% of the usage 
on this mail server will be my own accounts. I won't be hosting any 
clients, but I will be hosting a couple of friends here and there. Of 
course, that could change in the future, and clients may very well be 
included in the plan. Because of this, the pop3 access with some type 
of encrypted authentication (pops apop) is entirely for my own 
convenience so as to prevent from having to set up an ssh port forward 
each time I want to check my mail while away from home. I am not 
concerned with the transparency of the messages themselves, as anything 
sensitive will be encrypted with GPG. Qpopper definitely interests me, 
but it hasn't developed enough of a secure history yet with version 4. 
I think I'll keep an eye on its development and perhaps use it at a 
later time. For now, I'm still looking at popa3d, courier, and UofW, as 
is recommended by some of you.



---
There is no character, howsoever good and fine, but it can be destroyed 
by ridicule, howsoever poor and witless.  Observe the ass, for 
instance: his character is about perfect, he is the choicest spirit 
among all the humbler animals, yet see what ridicule has brought him 
to.  Instead of feeling complimented when we are called an ass, we are 
left in doubt.

   -- Mark Twain, Pudd'nhead Wilson's Calendar
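
Added example (not part of the thread): a small audit of the policy discussed above, where POP3 accounts authenticated from /etc/passwd must not have a login shell. The account names, the sample passwd data and the extra nologin paths are assumptions of this example.

```python
# Added example: audit passwd(5)-format data for POP3 accounts that can
# still obtain a shell. All account names below are constructed.

# Shells that refuse an interactive login. /bin/false is the one named in
# the thread; the nologin paths are an assumption of this example.
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed sample data in passwd(5) format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/false
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:
broken line without enough fields
"""


def parse_passwd(text):
    """Return ({user: shell}, [malformed lines]) from passwd(5) text."""
    shells, malformed = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            malformed.append(line)
            continue
        # passwd(5): an empty shell field means /bin/sh, i.e. a real login.
        shells[fields[0]] = fields[6] or "/bin/sh"
    return shells, malformed


def audit_pop_accounts(passwd_text, pop_users):
    """List (user, shell) for POP3 users whose system account has a login shell.

    Users absent from passwd are treated as virtual (for example SQL-backed)
    accounts and are not reported.
    """
    shells, _ = parse_passwd(passwd_text)
    findings = []
    for user in sorted(set(pop_users)):
        shell = shells.get(user)
        if shell is not None and shell not in NOLOGIN_SHELLS:
            findings.append((user, shell))
    return findings


if __name__ == "__main__":
    pop_users = ["alice", "bob", "carol", "dave"]  # constructed list
    for user, shell in audit_pop_accounts(SAMPLE_PASSWD, pop_users):
        print(f"{user}: POP3 password also opens a shell ({shell})")
```

On a real host, pass the contents of /etc/passwd and the list of accounts that are allowed to use POP3.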



Re: pop mail recommendations

2002-12-06 Thread Glen Mehn

Ted Roby wrote:



On Friday, Dec 6, 2002, at 04:48 US/Pacific, Jeff AA wrote:


Second the recommendation for courier.


Remember that pop3 by default is insecure in that user/passwords
pass in the clear over the net - DON'T make your mail users real users
with shell access or you are opening a large number of doors and putting
out a nice big 'Hack here!' flag. A little tcpdump on your segment will
get you a nice list of all the users / passwords for all your pop users -
use pop-ssl instead.

regards
Jeff



I've already taken care of login security with my standard security 
policy. SSH is the only remote login daemon available on the server. 
Password authentication is disabled. Any access to the box must be 
done with key authentication. Accounts with pop access (if /etc/passwd 
is used for authentication) will have a /bin/false shell, and a 
read-only .ssh directory where no authorized-keys file exists. 98% of 
the usage on this mail server will be my own accounts. I won't be 
hosting any clients, but I will be hosting a couple of friends here 
and there. Of course, that could change in the future, and clients may 
very well be included in the plan. Because of this, the pop3 access 
with some type of encrypted authentication (pops apop) is entirely for 
my own convenience so as to prevent from having to set up an ssh port 
forward each time I want to check my mail while away from home. I am 
not concerned with the transparency of the messages themselves, as 
anything sensitive will be encrypted with GPG. Qpopper definitely 
interests me, but it hasn't developed enough of a secure history yet 
with version 4. I think I'll keep an eye on its development and 
perhaps use it at a later time. For now, I'm still looking at popa3d, 
courier, and UofW, as is recommended by some of you.


UW imap (which provides the POP access) has a pretty questionable 
security history, AFAIK. Investigating at securityfocus, etc. might be 
worth a look.


-g