POP3-Server recommendation

2005-06-23 Thread Christopher Taylor

Hello List,

since the upgrade to sarge, UW-pop3d won't allow Plain-text logins over 
a non-SSL connection anymore. I've tracked this down to a change in 
libc-client (which I think is sensible).


unfortunately, though, some of my users need this functionality, so I'll 
have to switch the server. What I'm looking for is basically a drop-in 
replacement, i.e. a POP3-server that uses system accounts, 
/var/mail/user and doesn't need to be configured a lot.


teapop, popa3d and mailutils-pop3d seem quite promising in this respect, 
what are your experiences?


BTW, performance isn't too much of an issue, it's quite a big box and 
only few users.


thanks,
  --Chris


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: POP3-Server recommendation

2005-06-23 Thread Jeroen van Wolffelaar
On Thu, Jun 23, 2005 at 01:20:21PM +0200, Christopher Taylor wrote:
> Hello List,
>
> since the upgrade to sarge, UW-pop3d won't allow Plain-text logins over
> a non-SSL connection anymore. I've tracked this down to a change in
> libc-client (which I think is sensible).

You can re-enable plaintext logins if you really want:

$ cat /etc/c-client.cf
I accept the risk
set disable-plaintext nil
$

Unfortunately, this is only half-way documented in
/usr/share/doc/libc-client2002edebian/README.Debian, see #266689. I
admit to not really having followed up on that bug yet, but my position
still is that if the 'set disable-plaintext nil' is documented, the
other line required should be documented too.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl





Re: POP3-Server recommendation

2005-06-23 Thread Thiago Ribeiro
Today I like to use courier+postfix+mysql because it's very simple to
configure, but before this I had compiled teapop + ssl and it's a good
choice in my opinion, it was more difficult to present problems, or
better, I had a problem once when I changed the maildir to another
permission and the messages bounced. :)



On Thu, 2005-06-23 at 13:20 +0200, Christopher Taylor wrote:
> Hello List,
>
> since the upgrade to sarge, UW-pop3d won't allow Plain-text logins over
> a non-SSL connection anymore. I've tracked this down to a change in
> libc-client (which I think is sensible).
>
> unfortunately, though, some of my users need this functionality, so I'll
> have to switch the server. What I'm looking for is basically a drop-in
> replacement, i.e. a POP3-server that uses system accounts,
> /var/mail/user and doesn't need to be configured a lot.
>
> teapop, popa3d and mailutils-pop3d seem quite promising in this respect,
> what are your experiences?
>
> BTW, performance isn't too much of an issue, it's quite a big box and
> only few users.
>
> thanks,
>   --Chris
 
-- 
Thiago Ribeiro
Support Analist / Web Developer / Designer
Fatea, Lorena - SP
Tel: (12) 31532888 - Ramal 241





Re: POP3-Server recommendation

2005-06-23 Thread Christopher Taylor

Jeroen van Wolffelaar wrote:
> On Thu, Jun 23, 2005 at 01:20:21PM +0200, Christopher Taylor wrote:
> > since the upgrade to sarge, UW-pop3d won't allow Plain-text logins over
> > a non-SSL connection anymore. I've tracked this down to a change in
> > libc-client (which I think is sensible).
>
> You can re-enable plaintext logins if you really want:

thanks for the pointer!

> Unfortunately, this is only half-way documented in
> /usr/share/doc/libc-client2002edebian/README.Debian, see #266689.

I agree, the I accept... line should be documented at least in
README.Debian. A nice big debconf-warning on upgrade would have been
nice, too ;)


  --Chris





Re: which pop3/imap secure method should I use?

2005-06-14 Thread LeVA
On 14 June 2005, 07:57, Radu Spineanu [EMAIL PROTECTED] wrote
(to debian-security@lists.debian.org):
> Ian Eure wrote:
> > On Monday 13 June 2005 04:41 pm, LeVA wrote:
> > I don't see why it would be helpful, unless you're trying to keep your info
> > secret from a determined/resourceful attacker. But an attacker like that
> > would probably get it anyways.
> >
> > I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business
> > email, and I think that's plenty secure for my needs.
>
> That would make it very easy for a sniffer running ettercap for example
> to do a MiTM attack.
>
> And of course the certificate is changed a little, but 80% of users
> ignore this change and click yes on whatever is shown just to read their
> emails, not knowing what this could lead to.
>
> Also an attacker could alter that data the server sends so that it
> doesn't advertise cram-md5 as an authentication method but this is more
> advanced.
>
> Doing a simple MiTM in ettercap is script kiddie friendly.

What does this MiTM attack mean?

Daniel

-- 
LeVA



Re: which pop3/imap secure method should I use?

2005-06-14 Thread Demonen
> What does this MiTM attack mean?

Man in The Middle is when someone between you and the remote system
modifies packets on their way to the remote system or back, IIRC

-- 
Fredrik Demonen Vold
/*
- Do not meddle in the affairs of dragons, for you are crunchy and
good with ketchup.
*/



which pop3/imap secure method should I use?

2005-06-13 Thread LeVA
Hi!

I've configured a courier-imap server with pop3(-ssl) and imap(-ssl) support.
Now I can not decide which combination of methods is the most secure (first of 
all) and most useful (lastly) for me.

The courier server supports both SSL and TLS, and I can use PLAIN and CRAM-MD5 
methods for authentication.

My mail user agent supports all of the above, so I would really appreciate if 
someone could tell me which configuration is the most secure way.

Thanks!

Daniel

-- 
LeVA





Re: which pop3/imap secure method should I use?

2005-06-13 Thread Ian Eure
On Monday 13 June 2005 04:23 pm, LeVA wrote:
> Hi!
>
> I've configured a courier-imap server with pop3(-ssl) and imap(-ssl)
> support. Now I can not decide which combination of methods is the most
> secure (first of all) and most useful (lastly) for me.
>
> The courier server supports both SSL and TLS, and I can use PLAIN and
> CRAM-MD5 methods for authentication.
>
> My mail user agent supports all of the above, so I would really appreciate
> if someone could tell me which configuration is the most secure way.

TLS and SSL are equally secure. TLS is easier on your system's resources;
Courier-IMAP runs a separate daemon for SSL connections, which you don't need
if you use TLS.

PLAIN is easier to set up. IIRC, CRAM-MD5 requires a separate password file.
Shouldn't be a risk if you're only using PLAIN over TLS.





Re: which pop3/imap secure method should I use?

2005-06-13 Thread LeVA
On 14 June 2005, 01:36, Ian Eure [EMAIL PROTECTED] wrote
(to debian-security@lists.debian.org):
> On Monday 13 June 2005 04:23 pm, LeVA wrote:
> > Hi!
> >
> > I've configured a courier-imap server with pop3(-ssl) and imap(-ssl)
> > support. Now I can not decide which combination of methods is the most
> > secure (first of all) and most useful (lastly) for me.
> >
> > The courier server supports both SSL and TLS, and I can use PLAIN and
> > CRAM-MD5 methods for authentication.
> >
> > My mail user agent supports all of the above, so I would really
> > appreciate if someone could tell me which configuration is the most
> > secure way.
>
> TLS and SSL are equally secure. TLS is easier on your system's resources;
> Courier-IMAP runs a separate daemon for SSL connections, which you don't
> need if you use TLS.
>
> PLAIN is easier to set up. IIRC, CRAM-MD5 requires a separate password
> file. Shouldn't be a risk if you're only using PLAIN over TLS.

I understand that with TLS or SSL the clear text passwords are secured, so do
you think that an SSL + CRAM-MD5 combination is just a useless complication
of the problem, and I should stay with the SSL(or TLS) + clear text auth or
with the no connection encryption + CRAM-MD5 auth?

Daniel

-- 
LeVA



Re: which pop3/imap secure method should I use?

2005-06-13 Thread Ian Eure
On Monday 13 June 2005 04:41 pm, LeVA wrote:
> 14 June 2005, 01:36,
> Ian Eure [EMAIL PROTECTED]
>
> > PLAIN is easier to set up. IIRC, CRAM-MD5 requires a separate password
> > file. Shouldn't be a risk if you're only using PLAIN over TLS.
>
> I understand that with TLS or SSL the clear text passwords are secured, so
> do you think that an SSL + CRAM-MD5 combination is just a useless
> complication of the problem, and I should stay with the SSL(or TLS) + clear
> text auth or with the no connection encryption + CRAM-MD5 auth?

I don't see why it would be helpful, unless you're trying to keep your info
secret from a determined/resourceful attacker. But an attacker like that
would probably get it anyways.

I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business
email, and I think that's plenty secure for my needs.



Re: which pop3/imap secure method should I use?

2005-06-13 Thread Radu Spineanu
Ian Eure wrote:
> On Monday 13 June 2005 04:41 pm, LeVA wrote:
> I don't see why it would be helpful, unless you're trying to keep your info
> secret from a determined/resourceful attacker. But an attacker like that
> would probably get it anyways.
>
> I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business
> email, and I think that's plenty secure for my needs.

That would make it very easy for a sniffer running ettercap for example
to do a MiTM attack.

And of course the certificate is changed a little, but 80% of users
ignore this change and click yes on whatever is shown just to read their
emails, not knowing what this could lead to.

Also an attacker could alter that data the server sends so that it
doesn't advertise cram-md5 as an authentication method but this is more
advanced.

Doing a simple MiTM in ettercap is script kiddie friendly.

Radu
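
The trade-off discussed in this thread (PLAIN only under TLS, CRAM-MD5 as a challenge-response, and the point above that a man in the middle can strip CRAM-MD5 from the server's advertisement) can be written down as a client-side policy. The Python below is an added example, not code from any poster or from Courier; the function names, the `pinned` parameter and the sample CAPA responses are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac


class AuthPolicyError(Exception):
    """Raised when no acceptable authentication mechanism is available."""


def cram_md5_response(user, password, challenge_b64):
    """Client side of CRAM-MD5 (RFC 2195): only a keyed digest of the
    server's one-time challenge crosses the wire, never the password."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def verify_cram_md5(stored_password, challenge_b64, response_b64):
    """Server side: recompute the digest. The server must hold the shared
    secret itself, which is why CRAM-MD5 needs its own password store."""
    user, _, digest = base64.b64decode(response_b64).decode().rpartition(" ")
    expected = hmac.new(stored_password.encode(),
                        base64.b64decode(challenge_b64),
                        hashlib.md5).hexdigest()
    return bool(user) and hmac.compare_digest(digest, expected)


def plain_response(user, password):
    """SASL PLAIN (RFC 4616): the password itself, merely base64-encoded."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


def parse_capa(lines):
    """Extract the SASL mechanisms and STLS support from a POP3 CAPA reply."""
    mechs, stls = set(), False
    for line in lines:
        words = line.strip().upper().split()
        if not words or words[0] in ("+OK", "."):
            continue
        if words[0] == "SASL":
            mechs.update(words[1:])
        elif words[0] == "STLS":
            stls = True
    return mechs, stls


def choose_mechanism(capa_lines, tls_verified, pinned=()):
    """Pick a mechanism, refusing the two failure modes from the thread.

    tls_verified: True only if TLS is up AND the certificate validated
                  (no "click yes" on a changed certificate).
    pinned:       mechanisms this server offered on earlier connections
                  (hypothetical client-side memory). If one disappears,
                  treat it as a stripped advertisement, not as a cue to
                  fall back.
    """
    mechs, _ = parse_capa(capa_lines)
    stripped = set(pinned) - mechs
    if stripped:
        raise AuthPolicyError(
            "server no longer advertises: " + ", ".join(sorted(stripped)))
    if "CRAM-MD5" in mechs:
        return "CRAM-MD5"
    if "PLAIN" in mechs and tls_verified:
        return "PLAIN"
    raise AuthPolicyError("only cleartext auth offered on an unverified channel")


# Constructed sample CAPA replies: the second is the first with CRAM-MD5
# removed, as a tampering middlebox would present it.
CAPA_FULL = ["+OK Capability list follows", "TOP", "UIDL",
             "SASL CRAM-MD5 PLAIN", "STLS", "."]
CAPA_STRIPPED = ["+OK Capability list follows", "TOP", "UIDL",
                 "SASL PLAIN", "STLS", "."]

if __name__ == "__main__":
    chal = base64.b64encode(b"<1896.697170952@pop.example.org>").decode()
    resp = cram_md5_response("leva", "s3cret", chal)
    print("CRAM-MD5 on the wire:", base64.b64decode(resp).decode())
    print("PLAIN on the wire:   ", base64.b64decode(plain_response("leva", "s3cret")))
    print("full CAPA, no TLS  ->", choose_mechanism(CAPA_FULL, False))
    try:
        choose_mechanism(CAPA_STRIPPED, True, pinned={"CRAM-MD5"})
    except AuthPolicyError as exc:
        print("stripped CAPA      -> refused:", exc)
```
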





pop3-ssl with virtual users using popa3d HOWTO

2003-02-25 Thread Tim van Erven
Hi all,

Sorry for cross-posting, but I think this might be of interest to both
lists.  The debian-security folks might remember my initial mail on
the subject of setting up pop3-ssl with virtual users using popa3d[1].

At the time there appeared to be some interest from people implementing
a setup very similar to mine.  They might want to take a look at a brief
overview of my current setup that I've written[2].  It includes more
details than the description in my original mail and some improvements
as well.

Tim

1. http://lists.debian.org/debian-security/2002/debian-security-200212/msg00103.html
2. http://gene.wins.uva.nl/~talerven/software/add-popa3d-user/pop3-ssl-using-popa3d-HOWTO

-- 
Tim van Erven [EMAIL PROTECTED]  Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811   36D5 BBF8 6310 D557 712C B811








[francois@tourde.org (François TOURDE)] Re: securing pop3

2003-02-11 Thread François TOURDE
Oops, sorry, first post in a bad list. Here's the correct one...


---BeginMessage---
Janus N. Tøndering [EMAIL PROTECTED] writes:

> Both /bin/false and /bin/true have been suggested. Any difference in
> using the two?

Yes. /bin/true allows an ftp account, /bin/false does not.

It's an old style ftpaccess technique, but still running.

-- 
Graduate students and most professors are no smarter than undergrads.
They're just older.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/

---End Message---


-- 
Maybe we should think of this as one perfect week... where we found each
other, and loved each other... and then let each other go before anyone
had to seek professional help.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/





Re: [personal] securing pop3

2003-02-10 Thread Sean Burlington
you don't have to switch smtp servers to do this

the following link describes a method of setting up virtual domain for 
exim/imap

http://www.tty1.net/virtual_domains_de.html

I am fairly sure courier-pop uses the same authentication system

SEan

Gary MacDougall wrote:
> Not sure if you care, but qmail has vpopmail, which is a non-passwd file
> based authentication method.
> I've been using qmail now for about 3 years solid, and I have to say it's
> probably the most secure, fast and reliable e-mail server out there.
> Combine qmail with vpopmail and qmailadmin and you've got a very
> flexible, fast and secure mail server with good tools for you and your
> users...
>
> vpopmail allows you to create virtual domains and users without having
> to account them on your linux box...
>
> g.
>
> Kristof Goossens wrote:
>
> > Hello all,
> >
> > I need to make a pop3 account on my server. I intend to work with
> > ipop3d to provide secure pop3 service. Now I want to provide this
> > service for only few people, and I don't want them to have an account
> > on the system. Well, they can have a pop3 account, but no other access
> > whatsoever...
> >
> > I don't like the idea of giving them an account and setting their
> > shell to /bin/false. So my question is: Is it possible to create a pop3
> > account without needing to modify the /etc/passwd file?
> >
> > thanks in advance,
> > Kristof






Re: securing pop3

2003-02-10 Thread vincenzo
On Sat, 8 Feb 2003 15:23:33 +0100
Kristof Goossens [EMAIL PROTECTED] wrote:

> I need to make a pop3 account on my server. I intend to work with
> ipop3d to provide secure pop3 service. Now I want to provide this
> service for only few people, and I don't want them to have an account
> on the system. Well, they can have a pop3 account, but no other access
> whatsoever...

You can simply add them in the /etc/passwd file without giving any shell
at all, like that:
leon:x:1050:100::/home/leon:

Sincerely,
-- 
vincenzo






Re: securing pop3

2003-02-10 Thread martin f krafft
thus spoke vincenzo [EMAIL PROTECTED] [2003.02.10.2156 +0100]:
> > I need to make a pop3 account on my server. I intend to work with
> > ipop3d to provide secure pop3 service. Now I want to provide this
> > service for only few people, and I don't want them to have an account
> > on the system. Well, they can have a pop3 account, but no other access
> > whatsoever...
>
> You can simply add them in the /etc/passwd file without giving any shell
> at all, like that:
> leon:x:1050:100::/home/leon:

or have a look at the falselogin package.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc





Re: securing pop3

2003-02-10 Thread Bernard Lheureux
On Saturday 08 February 2003 15:23, Kristof Goossens wrote:

> Hello all,
>
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well,
> they can have a pop3 account, but no other access whatsoever...
>
> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: Is it possible to create a pop3 account
> without needing to modify the /etc/passwd file?

About securing POP3, IMAP or SMTP, does someone know where I could find .deb
packages of stunnel?

-- 
(°-   Bernard Lheureux Gestionnaire des MailingLists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/  *  http://www.portalinux.org/






Re: securing pop3

2003-02-10 Thread martin f krafft
thus spoke Mike Dresser [EMAIL PROTECTED] [2003.02.10.2226 +0100]:
> That lets you in just fine unfortunately.

so put /bin/true for the shell.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc





Re: securing pop3

2003-02-10 Thread vincenzo
On Mon, 10 Feb 2003 16:26:03 -0500 (EST)
Mike Dresser [EMAIL PROTECTED] wrote:

> That lets you in just fine unfortunately.
>
> mdresser:x:1000:1000:Mike Dresser,,,:/home/mdresser:
>
> x:~# login
> x login: mdresser
> Password:
> Last login: Mon Feb 10 16:23:51 2003 on pts/1
> Linux x 2.4.20 #1 SMP Sun Feb 2 22:20:23 EST 2003 i686 unknown
> You have mail.
> mdresser@x:~$

How can it be possible? Doesn't the system normally check the shell
field value in /etc/passwd to look for the shell to use?
Is it using a default shell in the case where no shell value is specified?

-- 
vincenzo






Re: securing pop3

2003-02-10 Thread Vineet Kumar
* Bernard Lheureux ([EMAIL PROTECTED]) [030210 14:07]:
> On Saturday 08 February 2003 15:23, Kristof Goossens wrote:
>
> > Hello all,
> >
> > I need to make a pop3 account on my server. I intend to work with ipop3d to
> > provide secure pop3 service. Now I want to provide this service for only
> > few people, and I don't want them to have an account on the system. Well,
> > they can have a pop3 account, but no other access whatsoever...
> >
> > I don't like the idea of giving them an account and setting their shell to
> > /bin/false. So my question is: Is it possible to create a pop3 account
> > without needing to modify the /etc/passwd file?
>
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb
> packages of stunnel ?

doozer:~% apt-cache policy stunnel
stunnel:
  Installed: (none)
  Candidate: 3.22-1
  Version Table:
     3.22-1 0
        700 http://non-us.debian.org testing/non-US/main Packages
        600 http://non-us.debian.org unstable/non-US/main Packages

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.aclu.org/It's all about Freedom.





Re: securing pop3

2003-02-10 Thread Johannes Berth
* vincenzo [EMAIL PROTECTED]:
> You can simply add them in the /etc/passwd file without giving any shell
> at all, like that:
> leon:x:1050:100::/home/leon:

/--[ man 5 passwd ]:
| If  this  field is empty, it defaults to the value /bin/sh.
\--

/bin/false would be a better solution.
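
The passwd(5) behaviour quoted above (an empty shell field falls back to /bin/sh) is easy to audit for. The Python below is an added example, not part of the original thread; the function names, the `NON_LOGIN_SHELLS` set and the sample entries other than the two lines quoted in the thread are assumptions constructed for illustration.

```python
"""Audit passwd(5) entries for accounts whose shell field permits a login."""

# Shells treated as "no interactive login". /bin/false and /bin/true are the
# two suggested in the thread; adjust this set for your site (assumption).
NON_LOGIN_SHELLS = {"/bin/false", "/bin/true"}
DEFAULT_SHELL = "/bin/sh"  # per passwd(5): used when the shell field is empty

# Constructed sample. The leon and mdresser lines are the ones quoted in the
# thread; the other entries are made up for the example.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
leon:x:1050:100::/home/leon:
mdresser:x:1000:1000:Mike Dresser,,,:/home/mdresser:
popuser:x:1051:100::/home/popuser:/bin/false
broken:x:1052:100
"""


def audit_passwd(text):
    """Return a list of (name, effective_shell, verdict) tuples.

    verdict is one of:
      EMPTY-SHELL  field is empty, so login falls back to /bin/sh
      LOGIN        a shell that gives an interactive session
      NO-LOGIN     shell is in NON_LOGIN_SHELLS
      MALFORMED    entry does not have the seven passwd(5) fields
    """
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        name = fields[0]
        if len(fields) != 7:
            results.append((name, None, "MALFORMED"))
            continue
        shell = fields[6].strip()
        if not shell:
            results.append((name, DEFAULT_SHELL, "EMPTY-SHELL"))
        elif shell in NON_LOGIN_SHELLS:
            results.append((name, shell, "NO-LOGIN"))
        else:
            results.append((name, shell, "LOGIN"))
    return results


def pop_only_violations(text, pop_only_users):
    """Names from pop_only_users that are not a clean NO-LOGIN entry:
    they could still get a shell, or are missing or malformed."""
    verdicts = {name: verdict for name, _, verdict in audit_passwd(text)}
    return sorted(u for u in pop_only_users if verdicts.get(u) != "NO-LOGIN")


if __name__ == "__main__":
    for name, shell, verdict in audit_passwd(SAMPLE_PASSWD):
        print(f"{name:10} {shell or '-':12} {verdict}")
    print("violations:", pop_only_violations(SAMPLE_PASSWD, ["leon", "popuser"]))
```
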






Re: securing pop3

2003-02-10 Thread Tim van Erven
On Mon, 10/02/2003 10:53 +0100, Bernard Lheureux wrote:
> On Saturday 08 February 2003 15:23, Kristof Goossens wrote:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb
> packages of stunnel ?

It's in stable. You might want to recompile that package without pthread
support though. I've heard about and experienced[1] bad things with it
turned on.

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=175844

-- 
Tim van Erven [EMAIL PROTECTED]  Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811   36D5 BBF8 6310 D557 712C B811






Re: securing pop3

2003-02-10 Thread Ross Currie
Quoting vincenzo [EMAIL PROTECTED]:

> On Mon, 10 Feb 2003 16:26:03 -0500 (EST)
> Mike Dresser [EMAIL PROTECTED] wrote:
>
> > That lets you in just fine unfortunately.
> >
> > mdresser:x:1000:1000:Mike Dresser,,,:/home/mdresser:
> >
> > x:~# login
> > x login: mdresser
> > Password:
> > Last login: Mon Feb 10 16:23:51 2003 on pts/1
> > Linux x 2.4.20 #1 SMP Sun Feb 2 22:20:23 EST 2003 i686 unknown
> > You have mail.
> > mdresser@x:~$
>
> How can it be possible? Doesn't the system normally check the shell
> field value in /etc/passwd to look for the shell to use?
> Is it using a default shell in the case where no shell value is specified?

quite right.
You'll want to put something like /bin/false in your passwd file as the user's
shell.
To change the default for new accounts you can edit /etc/adduser.conf

-ross







Re: securing pop3

2003-02-10 Thread Bernard Lheureux
On Monday 10 February 2003 23:20, martin f krafft wrote:

> thus spoke Bernard Lheureux [EMAIL PROTECTED] [2003.02.10.2253 +0100]:
> > About securing POP3, IMAP or SMTP, does someone know where I could find
> > .deb packages of stunnel ?
>
> it's in non-US, so include the non-US mirrors in your sources.list!
>
> but i suggest you use courier-pop-ssl, courier-imap-ssl and
> postfix-tls for the SSL functionality.

I use sendmail, not postfix and stunnel works very well under my actual 
Mandrake server but I plan to migrate to woody in a few weeks and I keep on 
searching the correct tools to migrate my server with THE SAME applications I 
use with Mandrake, maybe later I will pass to another ssl system to secure 
mail-transfers...

-- 
(°-   Bernard Lheureux Gestionnaire des MailingLists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/  *  http://www.portalinux.org/






Re: securing pop3

2003-02-10 Thread Jens Schuessler
* Bernard Lheureux [EMAIL PROTECTED] [10-02-03 22:53]:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb
> packages of stunnel ?

??
$ apt-cache show stunnel

Package: stunnel
Priority: optional
Section: non-US
Installed-Size: 220
Maintainer: Paolo Molaro [EMAIL PROTECTED]
Architecture: i386
Version: 3.22-1
Depends: openssl, libc6 (= 2.2.4-4), libssl0.9.6, libwrap0, netbase
Filename: pool/non-US/main/s/stunnel/stunnel_3.22-1_i386.deb
Size: 59638
MD5sum: 1eec76ba161820c1900ce603fd103dff
Description: Universal SSL tunnel for network daemons
 The stunnel program is designed to work  as  SSL  encryption
 wrapper between remote client and local (inetd-startable) or
 remote server. The concept is that having non-SSL aware daemons
 running  on  your  system you can easily setup them to
 communicate with clients over secure SSL channel.
 .
 stunnel can be used to add  SSL  functionality  to  commonly
 used  inetd  daemons  like  POP-2,  POP-3  and  IMAP servers
 without any changes in the programs' code.






Re: securing pop3

2003-02-10 Thread Janus N.
On Tue, 2003-02-11 at 19:30, Ross Currie wrote:
> quite right.
> You'll want to put something like /bin/false in your passwd file as the user's
> shell.

Both /bin/false and /bin/true have been suggested. Any difference in
using the two?

Janus
-- 
Janus Nørgaard Tøndering
email: janus(at)bananus.dk or janus(at)daimi.au.dk

I have not failed. I've just found 10,000 ways that won't work.
- Thomas Alva Edison (1847-1931)








Re: securing pop3

2003-02-10 Thread Glen Mehn
Janus N. Tøndering wrote:
> On Tue, 2003-02-11 at 19:30, Ross Currie wrote:
> > quite right.
> > You'll want to put something like /bin/false in your passwd file as the user's
> > shell.
>
> Both /bin/false and /bin/true have been suggested. Any difference in
> using the two?

/bin/false returns false, while /bin/true returns true. If you want to 
generate an error to the client, use /bin/false, but if you want 'exit 
0' behaviour, then use /bin/true.

I, personally, use /bin/false.

(you can also use /usr/bin/passwd, and an authenticated ssh session will 
prompt for the old password again, and then allow a user to change it)

which is nice.
-g

--
Glen Mehn	[EMAIL PROTECTED]
if you ever swallow the universe, remember to spit the dragon
	back out.xx.		--swan



Re: securing pop3

2003-02-10 Thread martin f krafft
also sprach Bernard Lheureux [EMAIL PROTECTED] [2003.02.10.2253 +0100]:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb 
> packages of stunnel ?

it's in non-US, so include the non-US mirrors in your sources.list!

but i suggest you use courier-pop-ssl, courier-imap-ssl and
postfix-tls for the SSL functionality.

-- 
Please do not CC me when replying to lists; I read them!
 
 .''`. martin f. krafft [EMAIL PROTECTED]
: :'  :proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
 
NOTE: The pgp.net keyservers and their mirrors are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc




Re: securing pop3

2003-02-10 Thread Vineet Kumar
* Bernard Lheureux ([EMAIL PROTECTED]) [030210 14:07]:
> On Saturday 08 February 2003 15:23, Kristof Goossens wrote:
>
> > Hello all,
> >
> > I need to make a pop3 account on my server. I intend to work with ipop3d to
> > provide secure pop3 service. Now I want to provide this service for only
> > few people, and I don't want them to have an account on the system. Well,
> > they can have a pop3 account, but no other access whatsoever...
> >
> > I don't like the idea of giving them an account and setting their shell to
> > /bin/false. So my question is: Is it possible to create a pop3 account
> > without needing to modify the /etc/passwd file?
>
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb 
> packages of stunnel ?

doozer:~% apt-cache policy stunnel
stunnel:
  Installed: (none)
  Candidate: 3.22-1
  Version Table:
     3.22-1 0
        700 http://non-us.debian.org testing/non-US/main Packages
        600 http://non-us.debian.org unstable/non-US/main Packages

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
http://www.aclu.org/    It's all about Freedom.




Re: securing pop3

2003-02-10 Thread Johannes Berth
* vincenzo [EMAIL PROTECTED]:
> You can simply add them in the /etc/passwd file without giving any shell
> at all, like that:
> leon:x:1050:100::/home/leon:

/--[ man 5 passwd ]:
| If  this  field is empty, it defaults to the value /bin/sh.
\--

/bin/false would be a better solution.
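
The passwd(5) rule quoted above (an empty shell field means /bin/sh) can be checked across a set of mail-only accounts. This is an added example, not part of the original post; the function name `audit_shells`, the list of no-login shells and the sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit a passwd(5)-format file for mail-only accounts that can still log in.
# Field 7 is the login shell; per passwd(5) an empty field defaults to /bin/sh.

# audit_shells FILE USER...
# Prints "user:effective_shell:verdict" for each named user and returns
# non-zero if any of them is missing or would get an interactive shell.
audit_shells() {
    passwd_file=$1
    shift
    users=$*
    awk -F: -v users="$users" '
        BEGIN {
            n = split(users, want, " ")
            for (i = 1; i <= n; i++) wanted[want[i]] = 1
            # Assumed list of shells that end the session immediately.
            nologin["/bin/false"] = 1
            nologin["/bin/true"] = 1
            nologin["/usr/sbin/nologin"] = 1
            bad = 0
        }
        /^#/ || NF < 7 { next }
        ($1 in wanted) {
            # Empty shell field: login falls back to /bin/sh.
            shell = ($7 == "") ? "/bin/sh" : $7
            verdict = (shell in nologin) ? "ok" : "LOGIN-POSSIBLE"
            if (verdict != "ok") bad = 1
            print $1 ":" shell ":" verdict
            seen[$1] = 1
        }
        END {
            for (u in wanted)
                if (!(u in seen)) { print u "::MISSING"; bad = 1 }
            exit bad
        }
    ' "$passwd_file"
}

# Constructed sample in passwd(5) format (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
leon:x:1050:100::/home/leon:
popuser:x:1051:100::/home/popuser:/bin/false
EOF
audit_shells "$sample" leon popuser || echo "at least one account can still log in"
rm -f "$sample"
```

On a live system, pass /etc/passwd and the names of the POP3-only accounts; any line not marked `ok` needs its shell field changed.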



Re: securing pop3

2003-02-10 Thread Tim van Erven
On Mon, 10/02/2003 10:53 +0100, Bernard Lheureux wrote:
> On Saturday 08 February 2003 15:23, Kristof Goossens wrote:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb 
> packages of stunnel ?

It's in stable. You might want to recompile that package without pthread
support though. I've heard about and experienced[1] bad things with it
turned on.

1. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=175844

-- 
Tim van Erven [EMAIL PROTECTED]  Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811   36D5 BBF8 6310 D557 712C B811



Re: securing pop3

2003-02-10 Thread Ross Currie
Quoting vincenzo [EMAIL PROTECTED]:

> On Mon, 10 Feb 2003 16:26:03 -0500 (EST)
> Mike Dresser [EMAIL PROTECTED] wrote:
>
> > That lets you in just fine unfortunately.
> >
> > mdresser:x:1000:1000:Mike Dresser,,,:/home/mdresser:
> >
> > x:~# login
> > x login: mdresser
> > Password:
> > Last login: Mon Feb 10 16:23:51 2003 on pts/1
> > Linux x 2.4.20 #1 SMP Sun Feb 2 22:20:23 EST 2003 i686 unknown
> > You have mail.
> > [EMAIL PROTECTED]:~$
>
> How can it be possible ? Doesn't the system normally check at the shell
> field value in /etc/passwd to look for the shell to use ?
> Is it using a default shell in the case where no shell value is specified ?

quite right.
You'll want to put something like /bin/false in your passwd file as the user's
shell.
To change the default for new accounts you can edit /etc/adduser.conf

-ross




Re: securing pop3

2003-02-10 Thread Bernard Lheureux
On Monday 10 February 2003 23:20, martin f krafft wrote:

> also sprach Bernard Lheureux [EMAIL PROTECTED] [2003.02.10.2253 +0100]:
> > About securing POP3, IMAP or SMTP, does someone know where I could find
> > .deb packages of stunnel ?
>
> it's in non-US, so include the non-US mirrors in your sources.list!
>
> but i suggest you use courier-pop-ssl, courier-imap-ssl and
> postfix-tls for the SSL functionality.

I use sendmail, not postfix and stunnel works very well under my actual 
Mandrake server but I plan to migrate to woody in a few weeks and I keep on 
searching the correct tools to migrate my server with THE SAME applications I 
use with Mandrake, maybe later I will pass to another ssl system to secure 
mail-transfers...

-- 
(°-   Bernard Lheureux Gestionnaire des MailingLists ML, TechML, LinuxML
//\   http://www.bbsoft4.org/Mailinglists.htm ** MailTo:[EMAIL PROTECTED]
v_/_  http://www.bbsoft4.org/  *  http://www.portalinux.org/



Re: securing pop3

2003-02-10 Thread Jens Schuessler
* Bernard Lheureux [EMAIL PROTECTED] [10-02-03 22:53]:
> About securing POP3, IMAP or SMTP, does someone know where I could find .deb 
> packages of stunnel ?

??
$ apt-cache show stunnel

Package: stunnel
Priority: optional
Section: non-US
Installed-Size: 220
Maintainer: Paolo Molaro [EMAIL PROTECTED]
Architecture: i386
Version: 3.22-1
Depends: openssl, libc6 (= 2.2.4-4), libssl0.9.6, libwrap0, netbase
Filename: pool/non-US/main/s/stunnel/stunnel_3.22-1_i386.deb
Size: 59638
MD5sum: 1eec76ba161820c1900ce603fd103dff
Description: Universal SSL tunnel for network daemons
 The stunnel program is designed to work  as  SSL  encryption
 wrapper between remote client and local (inetd-startable) or
 remote server. The concept is that having non-SSL aware daemons
 running  on  your  system you can easily setup them to
 communicate with clients over secure SSL channel.
 .
 stunnel can be used to add  SSL  functionality  to  commonly
 used  inetd  daemons  like  POP-2,  POP-3  and  IMAP servers
 without any changes in the programs' code.



Re: securing pop3

2003-02-10 Thread Janus N.
On Tue, 2003-02-11 at 19:30, Ross Currie wrote:
> quite right.
> You'll want to put something like /bin/false in your passwd file as the user's
> shell.

Both /bin/false and /bin/true have been suggested. Any difference in
using the two?

Janus
-- 
Janus Nørgaard Tøndering
email: janus(at)bananus.dk or janus(at)daimi.au.dk

I have not failed. I've just found 10,000 ways that won't work.
- Thomas Alva Edison (1847-1931)





Re: securing pop3

2003-02-10 Thread Glen Mehn

Janus N. Tøndering wrote:

> On Tue, 2003-02-11 at 19:30, Ross Currie wrote:
>
> > quite right.
> > You'll want to put something like /bin/false in your passwd file as the user's
> > shell.
>
> Both /bin/false and /bin/true have been suggested. Any difference in
> using the two?

/bin/false returns false, while /bin/true returns true. If you want to 
generate an error to the client, use /bin/false, but if you want 'exit 
0' behaviour, then use /bin/true.


I, personally, use /bin/false.

(you can also use /usr/bin/passwd, and an authenticated ssh session will 
prompt for the old password again, and then allow a user to change it)


which is nice.
-g

--
Glen Mehn   [EMAIL PROTECTED]
if you ever swallow the universe, remember to spit the dragon
back out.xx.--swan



Re: [personal] securing pop3

2003-02-09 Thread Gary MacDougall
Not sure if you care, but qmail has vpopmail, which is a non-passwd file 
based authentication method.
I've been using qmail now for about 3 years solid, and I have to say it's 
probably the most secure, fast and reliable e-mail server out there.

Combine qmail with vpopmail and qmailadmin and you've got a very 
flexible, fast and secure mail server with good tools for you and your users...

vpopmail allows you to create virtual domains and users without having 
to account them on your linux box...

g.

Kristof Goossens wrote:

> Hello all,
>
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well, they
> can have a pop3 account, but no other access whatsoever...
>
> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: Is it possible to create a pop3 account without
> needing to modify the /etc/passwd file?
>
> thanks in advance,
> 	Kristof

 








securing pop3

2003-02-08 Thread Kristof Goossens
Hello all,

I need to make a pop3 account on my server. I intend to work with ipop3d to
provide secure pop3 service. Now I want to provide this service for only
few people, and I don't want them to have an account on the system. Well, they
can have a pop3 account, but no other access whatsoever...

I don't like the idea of giving them an account and setting their shell to
/bin/false. So my question is: Is it possible to create a pop3 account without
needing to modify the /etc/passwd file?

thanks in advance,
Kristof 

-- 
Digital fingerprint: F56F F987 0E0C AFF8 0B6D  7CA1 F152 E07D 72AF 337B





Re: securing pop3

2003-02-08 Thread François TOURDE
Kristof Goossens [EMAIL PROTECTED] writes:

> Hello all,
>
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well, they
> can have a pop3 account, but no other access whatsoever...

Use /bin/true as a shell script for these users. So they can use pop3 services,
without having a shell account.

> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: Is it possible to create a pop3 account without
> needing to modify the /etc/passwd file?

You can use a Virtual POP server, but I don't remember how you must configure the
service for non shell users.

You can also disable any ssh, telnet or other shell access services

But globally the modification of /etc/passwd is not so bad :)

-- 
You may be marching to the beat of a different drummer, but you're
still in the parade.
-- 
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tél: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/







Re: securing pop3

2003-02-08 Thread tps
On Sat, Feb 08, 2003 at 03:23:33PM +0100, Kristof Goossens wrote:
> Hello all,
>
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well, they
> can have a pop3 account, but no other access whatsoever...
>
> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: Is it possible to create a pop3 account without
> needing to modify the /etc/passwd file?

Use Perdition, the pop/imap proxy. They should only know the machine that
is running the proxy, and you can point it to whatever server you want, 
and they shouldn't know about it. Or, you can use one of the 'sealed servers'
like Cyrus

Tim


-- 

 Tim Sailer (at home)   Coastal Internet, Inc.  
 Network and Systems Operations PO Box 671  
 http://www.buoy.comRidge, NY 11961 
 [EMAIL PROTECTED]/[EMAIL PROTECTED]   (631)924-3728  (888) 924-3728   
 




Re: securing pop3

2003-02-08 Thread Kuba Jakubik

Kristof Goossens wrote:

> Hello all,
>
> I need to make a pop3 account on my server. I intend to work with ipop3d to
> provide secure pop3 service. Now I want to provide this service for only
> few people, and I don't want them to have an account on the system. Well, they
> can have a pop3 account, but no other access whatsoever...
>
> I don't like the idea of giving them an account and setting their shell to
> /bin/false. So my question is: Is it possible to create a pop3 account without
> needing to modify the /etc/passwd file?


but it's the simplest way - /bin/false as a shell and they have only 
access to pop3


you need the users to have an account on the system, so smtp can receive 
mail for them afaik.


GreetZ

BIGHard
--
() ascii |GIT d--- s: a--- C UL P+ L+++ E--- W+ N o-- K++ w--- O
/\ ribbon|M- V- PS++ PE Y PGP t 5 X R tv-- b+ DI+ D+ G++ e- h! r+ y+
RLU#165711




Re: securing pop3

2003-02-08 Thread Tim van Erven
On Sat, 08/02/2003 03:52 +0100, Kuba Jakubik wrote:
> Kristof Goossens wrote:
> > /bin/false. So my question is: Is it possible to create a pop3 account 
> > without needing to modify the /etc/passwd file?

You should use a pop3 server that supports virtual users, like
popa3d[1].

> you need the users to have an account on the system, so smtp can receive 
> mail for them afaik.

No you don't, you just need to configure your MTA to accept mail for
them.  If you're using exim you could add the following director:

virtualuser:
  driver = aliasfile
  transport = local_delivery
  file = /etc/vmail
  search_type = lsearch

Then put the names for the users you want to receive mail for in
/etc/vmail.  You'd probably want to define a custom transport though.


1. http://www.openwall.com/popa3d/

-- 
Tim van Erven [EMAIL PROTECTED]  Fingerprint: F6C9 61EE 242C C012
OpenPGP Key ID: 712CB811   36D5 BBF8 6310 D557 712C B811



SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez


Hi

 I need to set up a Debian Woody server with the following:

 * SMTP (I like sendmail) with:
   + incoming authentication SECURE
     to send an email with this server it MUST be necessary authentication 
     with SSL

 * POP3 (I like qpopper)
   + outgoing authentication SECURE
     to receive an email from this server it MUST be necessary authentication
     with SSL


 Then, when a remote client, mainly windows clients :-(, and mainly with 
Outlook, must authenticate (with login and password) via SSL (secure connection)
to send and receive email.


 Where can I find info (howto's, Readme, so on) to configure the Debian 
server and/or SMTP and/or POP3 in that way?



 I also appreciate info/tips/tricks about configuring most popular windows
clients ;-)


 I have found several links, but NOT as explicit as I want.

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
http://www.ofb.net/~jheiss/sendmail/auth.shtml
http://www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf



 Thanks in advance







Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Statu Nascendi

But have you been able to authenticate via SSL to qmail? i patched
qmail-smtpd but i could either authenticate, or make ssl connection. never
the both at the same time.

Statu Nascendi,
Master of Own Disaster.
- Original Message -
From: Michael Marziani [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 3:36 PM
Subject: RE: SMTP and POP3 with ssl + login/password


This is just my opinion, but I much prefer qmail to sendmail.  There's
something to be said for using what you're familiar with, but coming
from the sendmail camp there is no doubt in my mind that we made the
right decision switching to qmail.

There have been no security hacks to qmail for over 3 years.  Sendmail
certainly can't say that.

Check it out: www.qmail.org.

-Michael






Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez

Hi Christian Schuerer-Waldheim!!!

> Google is your friend!

 Yes I know.. ;-)

> http://www.stunnel.org/patches/desc/syslog_danilche.html
>
> http://www.stunnel.org/download/stunnel/mike.daewoo.com.pl/computer/stunnel/stunnel.html
>
> http://www.octaldream.com/~scottm/talks/ssl/stunnel.html

 With this I solve the SSL problem, but with SMTP I do not have authentication.


 I need authentication + SSL (with/out stunnel/wrapper) to relay email.


 An example:

 A windows client with MS Outlook sends email (smtp) from my debian server, 
how do I configure (sendmail/qmail) to accept email from this client

 This client has DYNAMIC IP, so he needs login/password via SSL...


 Thanks for your answer..








Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez

Kaixo Giacomo Mulas!!!

> > I need authentication + SSL (with/out stunnel/wrapper) to relay email.
>
> What about one of the many MTAs which natively support tls? Off the top of
> my head I remember the exim-tls and postfix-tls packages, there surely are
> many others. I _think_ (but did not try) that even the woody sendmail
> package supports TLS. As to authentication, I know you can do it with
> exim-tls, which is the MTA I use and I know best, e.g. using certificates,
> and I would really be surprised if you could not do it with most of the
> others...

 Yes... Sendmail  TLS

 I ask for docs to configure it/them

> Let me add a tiny comment: what about moving this discussion off the
> debian-security mailing list? It does seem a bit off-topic...

 I think it is NOT off-topic. SSL is a security topic.










Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Rick Moen

Quoting Giacomo Mulas ([EMAIL PROTECTED]):

> What about one of the many MTAs which natively support tls?

Not excessively difficult with any of the most-used MTAs, in any event.
Some (Postfix, Qmail, Exim) require patching/extensions or a prepatched
package.  Some (Sendmail, Courier-MTA) do not.  But you need to make or
get and then sign appropriately an SSL cert, for any MTA -- and do
necessary MTA configuration work.


Qmail  http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
Postfix  http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
Exim  http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
Sendmail  http://www.sendmail.org/~ca/email/starttls.html
Courier-MTA  http://www.courier-mta.org/  

-- 
Cheers,              Emacs is a good operating system, but I prefer Linux.
Rick Moen
[EMAIL PROTECTED]






Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Scott Moynes

* Michael Marziani ([EMAIL PROTECTED]) wrote:
> There have been no security hacks to qmail for over 3 years.
> Sendmail certainly can't say that.

Depends what your definition of security hacks is.
http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html
sendmail is by no means perfect, but neither is qmail. Thankfully, it
is all Open Source so we can judge by ourselves.
-- 
Scott Moynes http://www.icculus.org/openbox/
Computer science is as much about computers
as astronomy is about telescopes. -- Dijkstra





Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Scott Moynes

* Rick Moen ([EMAIL PROTECTED]) wrote:
> FYI:
> ...


Thanks, that was enlightening.

-- 
Scott Moynes http://www.icculus.org/openbox/
Computer science is as much about computers
as astronomy is about telescopes. -- Dijkstra





Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Rick Moen

Quoting Scott Moynes ([EMAIL PROTECTED]):

> Thanks, that was enlightening.

Yr. very welcome.  I count it a major success when I can add clarity to
a traditionally flame-shrouded subject.  ;-







SV: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Magnus Wiklander
Try this.

http://packages.debian.org/stable/non-us/sslwrap.html

/Magnus Wiklander.

-Original Message-
From: Iñaki Martínez [mailto:[EMAIL PROTECTED]
Sent: 10 October 2002 15:02
To: debian-security@lists.debian.org
Subject: SMTP and POP3 with ssl + login/password



Hi

 I need to set up a Debian Woody server with the following:

 * SMTP (I like sendmail) with:
   + incoming authentication SECURE
     to send an email with this server it MUST be necessary authentication 
     with SSL

 * POP3 (I like qpopper)
   + outgoing authentication SECURE
     to receive an email from this server it MUST be necessary authentication
     with SSL


 Then, when a remote client, mainly windows clients :-(, and mainly with 
Outlook, must authenticate (with login and password) via SSL (secure connection)
to send and receive email.


 Where can I find info (howto's, Readme, so on) to configure the Debian 
server and/or SMTP and/or POP3 in that way?



 I also appreciate info/tips/tricks about configuring most popular windows
clients ;-)


 I have found several links, but NOT as explicit as I want.

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
http://www.ofb.net/~jheiss/sendmail/auth.shtml
http://www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf



 Thanks in advance






RE: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Michael Marziani
This is just my opinion, but I much prefer qmail to sendmail.  There's
something to be said for using what you're familiar with, but coming
from the sendmail camp there is no doubt in my mind that we made the
right decision switching to qmail.

There have been no security hacks to qmail for over 3 years.  Sendmail
certainly can't say that.

Check it out: www.qmail.org.

-Michael



Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Christian Schuerer-Waldheim
Hi!


> I need to set up a Debian Woody server with the following:
>
> * SMTP (I like sendmail) with:
>   + incoming authentication SECURE
>     to send an email with this server it MUST be necessary authentication 
>     with SSL
>
> * POP3 (I like qpopper)
>   + outgoing authentication SECURE
>     to receive an email from this server it MUST be necessary authentication
>     with SSL
>
>
> Then, when a remote client, mainly windows clients :-(, and mainly with 
> Outlook, must authenticate (with login and password) via SSL (secure connection)
> to send and receive email.
>
>
> Where can I find info (howto's, Readme, so on) to configure the Debian 
> server and/or SMTP and/or POP3 in that way?

Google is your friend!


http://www.google.at/search?hl=deie=UTF-8oe=UTF-8q=ssl+pop+stunnelbtnG=Google-Suchemeta=

- 

http://www.stunnel.org/patches/desc/syslog_danilche.html


http://www.stunnel.org/download/stunnel/mike.daewoo.com.pl/computer/stunnel/stunnel.html

http://www.octaldream.com/~scottm/talks/ssl/stunnel.html

HTH,

Christian





Re: SV: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez
Kaixo Magnus Wiklander!!!

> Try this.
>
> http://packages.debian.org/stable/non-us/sslwrap.html

 With this I solve the SSL problem, but with SMTP I do not have authentication.

 This also can be done with stunnel..



> I need to set up a Debian Woody server with the following:
>
> * SMTP (I like sendmail) with:
>   + incoming authentication SECURE
>     to send an email with this server it MUST be necessary AUTHENTICATION
>     with SSL




  Thanks for your fast answer..





Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez
Kaixo Statu Nascendi!!!

> But have you been able to authenticate via SSL to qmail? i patched
> qmail-smtpd but i could either authenticate, or make ssl connection. never
> the both at the same time.

 I prefer Sendmail, if not qmail...




Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Giacomo Mulas
On Thu, 10 Oct 2002, Iñaki Martínez wrote:

> I need authentication + SSL (with/out stunnel/wrapper) to relay email.

What about one of the many MTAs which natively support tls? Off the top of
my head I remember the exim-tls and postfix-tls packages, there surely are
many others. I _think_ (but did not try) that even the woody sendmail
package supports TLS. As to authentication, I know you can do it with
exim-tls, which is the MTA I use and I know best, e.g. using certificates,
and I would really be surprised if you could not do it with most of the
others...

Let me add a tiny comment: what about moving this discussion off the
debian-security mailing list? It does seem a bit off-topic...

bye
Giacomo

-- 
_

Giacomo Mulas [EMAIL PROTECTED], [EMAIL PROTECTED]
_

OSSERVATORIO ASTRONOMICO DI CAGLIARI
Str. 54, Loc. Poggio dei Pini * 09012 Capoterra (CA)

Tel.: +39 070 71180 248 Fax : +39 070 71180 222
_

When the storms are raging around you, stay right where you are
 (Freddy Mercury)
_



Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Iñaki Martínez
Kaixo Giacomo Mulas!!!

   I need authentication + SSL (with/out stunnel/wrapper) to relay email.
 
 What about one of the many MTAs which natively support tls? Off the top of
 my head I remember the exim-tls and postfix-tls packages, there surely are
 many others. I _think_ (but did not try) that even the woody sendmail
 package supports TLS. As to authentication, I know you can do it with
 exim-tls, which is the MTA I use and I know best, e.g. using certificates,
 and I would really be surprised if you could not do it with most of the
 others...

 Yes... Sendmail  TLS

 I ask for docs to configure it/them

 
 Let me add a tiny comment: what about moving this discussion off the
 debian-security mailing list? It does seem a bit off-topic...

 I think it is NOT off-topic. SSL is a security topic.







Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Rick Moen
Quoting Giacomo Mulas ([EMAIL PROTECTED]):

 What about one of the many MTAs which natively support tls?

Not excessively difficult with any of the most-used MTAs, in any event.
Some (Postfix, Qmail, Exim) require patching/extensions or a prepatched
package.  Some (Sendmail, Courier-MTA) do not.  But you need to make or
get and then sign appropriately an SSL cert, for any MTA -- and do
necessary MTA configuration work.


Qmail  http://www.esat.kuleuven.ac.be/~vermeule/qmail/tls.patch
Postfix  http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/
Exim  http://www.exim.org/exim-html-3.20/doc/html/spec_38.html
Sendmail  http://www.sendmail.org/~ca/email/starttls.html
Courier-MTA  http://www.courier-mta.org/  

-- 
Cheers,Emacs is a good operating system, but I prefer Linux.
Rick Moen
[EMAIL PROTECTED]



Re: SV: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Brian Jonnes
On Thu 10 Oct 02 15:47, Iñaki Martínez wrote:
 Kaixo Magnus Wiklander!!!

  Try this.
 
  http://packages.debian.org/stable/non-us/sslwrap.html

  With this I solve the SSL problem, but with SMTP I do not have
 authentication.

info exim.

You'll need to mess around with lookups and lsearches. Here's one that works 
for me (Outlook):

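# LOGIN authenticator: compare the supplied password ($2) with the crypt
# hash in field 1 of the /etc/shadow entry looked up for the user ($1).
login:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = \
    ${if crypteq {$2} \
      {${extract{1}{:} \
        {${lookup {$1} lsearch {/etc/shadow} {$value} fail}} \
      }} \
      {yes}{no} }
  server_set_id = $1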

Some might curse, but I've set exim to run with group shadow. Gasp.

Regards,

Brian
-- 
Init Systems  -  Linux consulting
031 767-0139082 769-2320[EMAIL PROTECTED]



Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Scott Moynes
* Michael Marziani ([EMAIL PROTECTED]) wrote:
 There have been no security hacks to qmail for over 3 years.
 Sendmail certainly can't say that.

Depends what your definition of security hacks is.
http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html
sendmail is by no means perfect, but neither is qmail. Thankfully, it
is all Open Source so we can judge by ourselves.
-- 
Scott Moynes http://www.icculus.org/openbox/
Computer science is as much about computers
as astronomy is about telescopes. -- Dijkstra




Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Rick Moen
Quoting Scott Moynes ([EMAIL PROTECTED]):
 * Michael Marziani ([EMAIL PROTECTED]) wrote:

 There have been no security hacks to qmail for over 3 years.
 Sendmail certainly can't say that.
 
 Depends what your definition of security hacks is.
 http://www-dt.e-technik.uni-dortmund.de/~ma/qmail-bugs.html

FYI:  One qmail fan (I'm -not- one) posted a rejoinder here:
http://www.geocrawler.com/mail/msg.php3?msg_id=9506623list=513

Summary:  Some items supposedly wrong, some supposedly don't matter, 
most are acknowledged to be actual qmail violations of RFCs and/or
interferences with common practices (but that the qmail fan argues
against).

Ted Cabeen's comment in this space is hereby acknowledged -- about qmail
avoiding many security bugs unless patched/extended, and then being
subject to them.  See also comments on qmail feature-poverty here:
http://www.courier-mta.org/history.html

Odd that qmail people characteristically compare only against sendmail.  
Even Dan:  qmail is a modern SMTP server which [sic] makes sendmail
obsolete... (near top of qmail home page).  Aren't the more-natural
security comparisons qmail/postfix (modular) and exim/sendmail/courierd
(monolithic)?

My attempt at relatively dispassionate MTA-comparison notes:
http://linuxmafia.com/~rick/linux-info/mtas

-- 
Cheers,
Rick Moen   FORTH heart if honk then.
[EMAIL PROTECTED]



Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Scott Moynes
* Rick Moen ([EMAIL PROTECTED]) wrote:
 FYI:
 ...


Thanks, that was enlightening.

-- 
Scott Moynes http://www.icculus.org/openbox/
Computer science is as much about computers
as astronomy is about telescopes. -- Dijkstra




Re: SMTP and POP3 with ssl + login/password

2002-10-10 Thread Rick Moen
Quoting Scott Moynes ([EMAIL PROTECTED]):

 Thanks, that was enlightening.

Yr. very welcome.  I count it a major success when I can add clarity to
a traditionally flame-shrouded subject.  ;-



problem with pop3

2002-05-15 Thread César Augusto Seronni Filho
Hi guys, I am having one problem with pop3. I am using ipop3d and it's working 
fine to receive messages from my local clients (in my LAN). But when I try to 
get messages from an external client (remote notebooks with dialup connection to 
the Internet using a normal ISP) the connection is too slow, and I can't finish 
receiving all the mails. The strange thing is that the problem only occurs with 
some accounts and only in the pop service, because the smtp service is working 
fast and fine. 
I will try to install qpopper, any suggestions?

tks





secure pop3

2001-08-02 Thread GARGIULO Eduardo INGDESI
Hi all.

I have an smtp/pop3 server behind a firewall at work and I can log in to the
server using ssh. The problem is that port 110 is closed on the external
interface, so I can't get my email messages with pop3 clients.

Is there any way to tunnel pop3 over ssh? How? 
I'm using that with X11 and it works ok.

If it's not possible, how can I secure pop3?

thanks

--ejg:wq!



Re: secure pop3

2001-08-02 Thread Alson van der Meulen
On Thu, Aug 02, 2001 at 10:49:53AM -0300, GARGIULO Eduardo INGDESI wrote:
 Hi all.
 
 I have a smtp/pop3 server behind a firewall at work and I can login the
 server using ssh. The problem is that the port 110 is closed for external
 interface, so I can't get my email messages with pop3 clients.
 
 Is there any way to tunnel pop3 over ssh? How? 
 I'm using that with X11 and it works ok.
 
 If it's not possible, how can I secure pop3?
man ssh, look at the -L option

-- 
,---.
 Name:   Alson van der Meulen  
 Personal:[EMAIL PROTECTED]
 School:   [EMAIL PROTECTED]
`---'
Why is my rm *.o taking so long?
-



Re: secure pop3

2001-08-02 Thread Michael Knoop
I have done this, and it is not hard.  You have to connect SSH with local
port forwarding on port 110.  Then, set your mail client to use a pop3
server on localhost.  SSH will forward the pop3 request to the connected
machine and send your mail back along the same connection, as if the server
were running on your own desktop machine.  If you want this to be secure,
you have to have port 110 blocked on your desktop with IP chains or the
like.  Otherwise, anyone else can address the pop3 server by addressing
your desktop.

Mike K.




At 10:49 AM 8/2/01 -0300, you wrote:
Hi all.

I have a smtp/pop3 server behind a firewall at work and I can login the
server using ssh. The problem is that the port 110 is closed for external
interface, so I can't get my email messages with pop3 clients.

Is there any way to tunnel pop3 over ssh? How? 
I'm using that with X11 and it works ok.

If it's not possible, how can I secure pop3?

thanks

--ejg:wq!





Re: secure pop3

2001-08-02 Thread Vineet Kumar
* Michael Knoop ([EMAIL PROTECTED]) [010802 11:41]:
 I have done this, and it is not hard.  You have to connect SSH with local
 port forwarding on port 110.  Then, set your mail client to use a pop3
 server on localhost.  SSH will forward the pop3 request to the connected
 machine and send your mail back along the same connection, as if the server
 were running on your own desktop machine.  If you want this to be secure,
 you have to have port 110 blocked on your desktop with IP chains or the
 like.  Otherwise, anyone else can address the pop3 server by addressing
 your desktop.

This is only the case if you use the -g option with ssh or have
GatewayPorts yes in your config file. The default is (thankfully)
no. Otherwise, the forwarded port is bound to the localhost interface
only.

NB: It still may not be a bad idea to put a packet filter on your
desktop machine as well.

Vineet




Re: secure pop3

2001-08-02 Thread Gabriel Rocha
,[ On Thu, Aug 02, at 12:20PM, Vineet Kumar wrote: ]--
| This is only the case if you use the -g option with ssh or have
| GatewayPorts yes in your config file. The default is (thankfully)
| no. Otherwise, the forwarded port is bound to the localhost interface
| only.

The default is localhost, unless you do something funky, don't worry
about it. 


| NB: It still may not be a bad idea to put a packet filter on your
| desktop machine as well.

Ok, don't confuse the guy. If the only interface bound to is localhost,
then you do not need any kind of packet filter on your external
interface. Anyway, the ssh forwarding is what you want, just don't get
more confused than you have to.

| Vineet

--gabe
`[ End Quote ]---

-- 

It's not brave if you're not scared.



Re: secure pop3

2001-08-02 Thread Alvin Oga

hi ya

list of secure pop3 methodologies

http://www.Linux-Sec.net/Mail/secure_pop3.txt

c ya
alvin


On Thu, 2 Aug 2001, GARGIULO Eduardo   INGDESI wrote:

 Hi all.
 
 I have a smtp/pop3 server behind a firewall at work and I can login the
 server using ssh. The problem is that the port 110 is closed for external
 interface, so I can't get my email messages with pop3 clients.
 
 Is there any way to tunnel pop3 over ssh? How? 
 I'm using that with X11 and it works ok.
 
 If it's not possible, how can I secure pop3?
 
 thanks
 
 --ejg:wq!
 
 
 



Re: pop3

2001-07-30 Thread Frédéric de Villamil

Hello,
Actually the most secure pop3 server we've tried at work was qpopper. The only 
problem is it's too slow for massive use (hosting service) and we had to 
write our own one. But it's still quite good, and I'd advise you to use it.
fred
On Sunday 29 July 2001 22:13, Moe Harley wrote:
 Thought I'd ask what the general opinion is on the most secure pop3 daemon.
 I need to install a pop3 daemon on my debian machine, but I wanted to get a
 good idea from you guys on which one to install.

-- 
A lagging elite is better than a fast lamer

neuro website: http://www.cyberneuneu.org
kheos net{works}:: http://www.kheos.net






Re: pop3

2001-07-30 Thread Andrew Sione Taumoefolau

 If you are using vim, use:
 
 set textwidth=72
 
 in your .vimrc to wrap the lines to a max of 72 chars.

Probably better not to do it that way, unless you're okay with Vim
wrapping ALL documents you edit with it at 72 characters. I've got a line
in my .muttrc that goes something like this:

set editor = "vim -c 'set tw=72'"

...which does the trick, but I think there's a cleaner way to do it.

-- 

Andrew Sione Taumoefolau  
[EMAIL PROTECTED]
http://users.pipeline.com.au






Re: pop3

2001-07-30 Thread Brett Parker

On Mon, Jul 30, 2001 at 06:10:29PM +1000, Andrew Sione Taumoefolau wrote:
  If you are using vim, use:
  
  set textwidth=72
  
  in your .vimrc to wrap the lines to a max of 72 chars.
 
 Probably better not to do it that way, unless you're okay with Vim
 wrapping ALL documents you edit with it at 72 characters. I've got a line
 in my .muttrc that goes something like this:
 
   set editor = "vim -c 'set tw=72'"
 
 ...which does the trick, but I think there's a cleaner way to do it.

Personally I have a separate .vimrc file just for mutt and get mutt to
use that...

in .muttrc:
set editor="vim -s ~/.vimmuttrc"

in .vimmuttrc:
:syntax off
:set textwidth=72

Cheers,

Brett



Re: Pop3 proxy

2001-07-30 Thread Marek Habersack

** On Jul 30, Tamas TEVESZ scribbled:
 On Mon, 30 Jul 2001, Emmanuel Lacour wrote:
 
   Is there anyone who used some of them. What is the best from a security view (I 
will not have a lot of connections on it).
 
 www.balabit.hu/products/Zorp/
http://www.balabit.hu/en/products/Zorp/ - that will work better
 
marek

-- 
Visit: http://caudium.net - the Caudium WebServer

/* A completely unrelated fortune */
 Bachelor:  A man who chases women and never Mrs. one. 
 
 
 
 
 


Re: pop3

2001-07-30 Thread Moe Harley

Thank you everyone, I value all the comments I've been receiving on the
subject.  :)  However when I was referring to secure, I meant more along the
lines of stable.  I understand the pop3 protocol and know its limitations
as far as plaintext passwords are concerned, and I fully intend to take
appropriate measures to handle that.  I'm more worried about people seeing
my pop3 service as a potential door into my network.  Which is why I'm
looking for a package with a good track record as far as actual program
security is concerned.  I understand that everyone has their own
vulnerabilities, so I'm not looking for the ultimate pop3 daemon.  But it's
comforting to know if a particular daemon is well examined, and when a
vulnerability arises, that it gets patched quickly.  Would anyone happen to
have any suggestions as far as that goes?
-Moe


--- *numerous helpful and constructive comments snipped* ---







Re: pop3

2001-07-30 Thread Stephen Hassard

I was just playing around securing one of my Exchange boxes, and found that
coupling Stunnel (http://www.stunnel.org/) with your favourite mail server
works really well (not that Exchange is my pick for a secure mail server)
...

later,
Steve

- Original Message -
From: Rafal Kupka [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 30, 2001 1:44 PM
Subject: Re: pop3


 On Sun, Jul 29, 2001 at 04:44:57PM -0700, Rob Hudson wrote:
 Hello,

 [cut - about secure pop3 daemon]
 
  I currently have fetchmail opening up a SSH tunnel, and get my mail
  via popa3d.  I'll attach relevant scripts...
 
  /home/user/.fetchmailrc:
  ---
  poll cogit8.org via localhost protocol pop3 port 12574:
      preconnect "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
      password your_password;
 
  I guess that's it.  This basically says,
 
  preconnect (do this before fetching mail)
  open a SSH channel from server cogit8.org port 110 to localhost port
  12574 (arbitrary port number), wait 10 seconds for fetchmail to get in
  there.
 
  then,
  fetchmail on localhost port 12574.
 This is insecure - any localhost user can sniff your passwords.
 ---
 kupson@temp: ~$ nc -l -p 60001 # chosen port number
 +OK
 USER kupson

 PASS mypassword

 QUIT

 kupson@temp: ~$
 ---
 Type +OK after fetchmail connects to netcat, then ENTER several times.

 Ssh didn't notify fetchmail that it cannot forward
 remote port to localhost.

 You can run fetchmail as user root and choose port number < 1024,
 but it's an even worse security problem.

 Does somebody know how to do it better?

 [cut - rest]

 Kupson
 PS: Sorry for my english.
 --
 Great software without the knowledge to run it is pretty useless.
 (Linux Gazette #1)









Re: pop3

2001-07-30 Thread Adam Olsen

On Mon, Jul 30, 2001 at 10:44:01PM +0200, Rafal Kupka wrote:
 On Sun, Jul 29, 2001 at 04:44:57PM -0700, Rob Hudson wrote:
 Hello,
 
 [cut - about secure pop3 daemon]
  
  I currently have fetchmail opening up a SSH tunnel, and get my mail
  via popa3d.  I'll attach relevant scripts...
  
  /home/user/.fetchmailrc:
  ---
  poll cogit8.org via localhost protocol pop3 port 12574:
      preconnect "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
      password your_password;
  
  I guess that's it.  This basically says, 
  
  preconnect (do this before fetching mail) 
  open a SSH channel from server cogit8.org port 110 to localhost port
  12574 (arbitrary port number), wait 10 seconds for fetchmail to get in
  there.
  
  then,
  fetchmail on localhost port 12574.  
 This is insecure - any localhost user can sniff your passwords.
 ---
 kupson@temp: ~$ nc -l -p 60001 # chosen port number
 +OK
 USER kupson
 
 PASS mypassword
 
 QUIT
 
 kupson@temp: ~$
 ---
 Type +OK after fetchmail connects to netcat, then ENTER several times.
 
 Ssh didn't notify fetchmail that it cannot forward
 remote port to localhost.
 
 You can run fetchmail as user root and choose port number < 1024,
 but it's an even worse security problem.
 
 Does somebody know how to do it better?


I think the *best* way would be to have a ssh option that told it
specifically to tunnel 1 (or more?) tcp connections, failing if it
can't open it, and always waiting until they're finished before
closing (you currently get an annoying warning if sleep returns before
fetchmail finishes).  There does seem to be such an option though :/


-- 
Adam Olsen, aka Rhamphoryncus
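
An added example, not part of any post in this thread: a small Python check of an ssh -L command line for the two problems raised above, Vineet Kumar's point about -g / GatewayPorts and Rafal Kupka's point that ssh carries on when the local port is already taken. The finding names, the hardened command line and the reliance on OpenSSH's ExitOnForwardFailure option are choices made here; Host blocks in the config text are ignored and IPv6 literals are not parsed.

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# ssh(1) single-letter options that consume an argument.
TAKES_ARG = set("BbcDEeFIiJLlmOoPpQRSWw")


def parse_local_forward(spec):
    """Parse '[bind_address:]port:host:hostport' (IPv6 literals not handled)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = [None] + parts           # no bind_address given
    if len(parts) != 4:
        raise ValueError("unsupported -L spec: %r" % spec)
    bind, lport, host, hport = parts
    return bind, int(lport), host, int(hport)


def read_options(text):
    """'Keyword value' or 'Keyword=value' lines; the first value wins, as in ssh."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.replace("=", " ", 1).partition(" ")
            opts.setdefault(key.lower(), value.strip().lower())
    return opts


def audit_tunnel(command, config_text=""):
    """Return sorted finding codes for the -L forwards of one ssh command."""
    tokens = shlex.split(command)[1:]    # drop the leading 'ssh'
    forwards, cli_opts, gateway = [], [], False
    i = 0
    while i < len(tokens) and tokens[i].startswith("-") and len(tokens[i]) > 1:
        cluster = tokens[i][1:]
        i += 1
        for pos, flag in enumerate(cluster):
            if flag == "g":
                gateway = True
            elif flag in TAKES_ARG:
                arg = cluster[pos + 1:]
                if not arg:              # argument is the next token
                    arg, i = tokens[i], i + 1
                if flag == "L":
                    forwards.append(parse_local_forward(arg))
                elif flag == "o":
                    cli_opts.append(arg)
                break                    # rest of the cluster was the argument
    # -o options are seen before the config file, so they take precedence.
    opts = read_options("\n".join(cli_opts + [config_text]))
    gateway = gateway or opts.get("gatewayports") == "yes"

    findings = set()
    for bind, _lport, _host, _hport in forwards:
        # Without a bind_address the listener follows GatewayPorts / -g; an
        # explicit one (the empty string means all interfaces) overrides it.
        exposed = gateway if bind is None else bind not in LOOPBACK
        if exposed:
            findings.add("listens-beyond-loopback")
    # Without ExitOnForwardFailure=yes ssh only warns when the local port is
    # already taken and carries on; the mail client then talks to whoever
    # holds that port, as in the netcat transcript.
    if forwards and opts.get("exitonforwardfailure") != "yes":
        findings.add("bind-failure-not-fatal")
    return sorted(findings)


# The preconnect command from the quoted .fetchmailrc, and a constructed variant.
ROB_PRECONNECT = "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
HARDENED = ("ssh -C -f -o ExitOnForwardFailure=yes "
            "-L 127.0.0.1:12574:cogit8.org:110 cogit8.org sleep 10")

if __name__ == "__main__":
    for cmd, cfg in [(ROB_PRECONNECT, ""), (ROB_PRECONNECT, "GatewayPorts yes"),
                     (HARDENED, "GatewayPorts yes")]:
        print(audit_tunnel(cmd, cfg) or "ok", "<-", cfg or "(no config)", "|", cmd)
```
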






Re: pop3

2001-07-30 Thread Jim Breton

On Mon, Jul 30, 2001 at 01:54:03PM -0700, Stephen Hassard wrote:
 I was just playing around securing one of my Exchange boxes, and found that
 coupling Stunnel (http://www.stunnel.org/) with your favourite mail server
 works really well (not that Exchange is my pick for a secure mail server)

Indeed, I have been doing exactly that and it works great.  I run Solar
Designer's 'popa3d' on port 110 for those users which do not have
clients supporting TLS, but those who do are encouraged to use the
POP3/TLS running on port 995 which is really just an stunnel to port 110
on the same machine.  Outlook Express and many other clients have
built-in support for this so there is very little tech support overhead.






Re: pop3

2001-07-30 Thread Wouter van Gils
[On 30 Jul, 2001, Andrew Sione Taumoefolau wrote in  Re: pop3 ]
  PS. Please wrap your lines at 72-ish characters.  Hmm.  I've seen a lot
  of mutt users with un-wrapped lines.  I would've expected that from a
  GUI mail reader like Mozilla, but not from a proper mailreader like
  mutt.  Anyone know why?
 
 You have to set it manually, and a lot of people probably just don't
 know how.


If you are using vim, use:

set textwidth=72

in your .vimrc to wrap the lines to a max of 72 chars.




 
 --
 
 Andrew Sione Taumoefolau
 [EMAIL PROTECTED]
 http://users.pipeline.com.au/tonga/
 
 

-- 
~~~
Wouter van Gils -=- [EMAIL PROTECTED]
http://the-construct.cx/
~~~


