Re: securing pop3 sessions
llu wrote:
> [EMAIL PROTECTED] wrote:
> > I'm using qmail 1.0.3 with the included qmail-pop3d. What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session? I know users will be reluctant to change their mua's. So what can I do on my side? Is there any way around this without expecting anything from the pop users?
> I use stunnel which doesn't require changes on qmail. Check this: http://security.fi.infn.it/tools/stunnel/index-en.html. I can share my configuration to anyone interested.
> LLU

I have been using stunnel to add SSL capability to qmail-pop3d without making any changes to the latter. We know that qmail-pop3d listens on port 110. There is port 995 which is for POP3 with SSL. I configured stunnel to listen on port 995, accepting requests from SSL capable pop3 clients (I tested with Outlook 2000 and Mozilla M15/Linux), decrypt the request and hand it over to qmail-pop3d running on the same host at port 110. I also use tcpserver on both qmail-pop3d and stunnel and have them supervised (svscan).

1. qmail-pop3d startup script (/var/qmail/supervise/qmail-pop3d/run):

    #!/bin/sh
    exec env - PATH="/var/qmail/bin:$PATH" \
    tcpserver 0 110 /var/qmail/bin/qmail-popup your.host.name.com \
    /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1

2. stunnel startup script (/var/qmail/supervise/stunnel/run):

    #!/bin/sh
    exec env - PATH="/usr/local/sbin:$PATH" \
    tcpserver -c100 -H -llocalhost.your.domain.com \
    stunnel -d 995 -r localhost:110

That's it. But you need to build openssl and stunnel as follows:

3. openssl 0.9.5a (www.openssl.org)

    ./config
    make
    make test
    make install

This installs openssl at /usr/local/ssl.

4. stunnel-3.8 (http://mike.daewoo.com.pl/computer/stunnel)

    ./configure
    make
    make install
    cp stunnel.pem /usr/local/ssl/certs
    /usr/local/ssl/bin/c_rehash    # Important!

This installs stunnel at /usr/local/sbin and creates stunnel.pem, which you must copy to /usr/local/ssl/certs as above. (Note: use this stunnel.pem just for testing. You must create your own certificate and possibly have it signed by a CA such as Verisign.) You can also create and sign your own certificate using openssl.

I did the above on both RedHat 6.2 and Solaris 8 Intel (requires correct PATH and LD_LIBRARY_PATH).

Hope this helps. Any improvements or criticisms I would like to know.

LLU
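Replacing the test stunnel.pem with a certificate of your own, as the message above advises, shown as an added example that is not part of LLU's post: it builds a self-signed stunnel.pem (private key followed by certificate) with openssl and checks that the two halves match before the file is installed. The RSA 2048-bit key, the 365-day lifetime, the function names and the output directory are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original thread.

# make_stunnel_pem CN OUTDIR
# Writes OUTDIR/stunnel.pem holding an unencrypted private key followed by
# a self-signed certificate for CN (key size and lifetime are assumptions).
make_stunnel_pem() {
    cn="$1"
    outdir="$2"
    (
        umask 077   # the key must never be group- or world-readable
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
            -subj "/CN=$cn" \
            -keyout "$outdir/key.pem" -out "$outdir/cert.pem" \
            2>/dev/null || exit 1
        cat "$outdir/key.pem" "$outdir/cert.pem" > "$outdir/stunnel.pem" || exit 1
        rm -f "$outdir/key.pem" "$outdir/cert.pem"
    )
}

# pem_key_matches_cert FILE
# Succeeds only if the private key and the certificate in FILE carry the
# same public key; a mismatched pair cannot serve SSL connections.
pem_key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# pem_subject_cn FILE: print the certificate's CN, which SSL-capable
# clients compare with the host name they were told to connect to.
pem_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh make-pem.sh your.host.name.com /some/private/dir
if [ "$#" -eq 2 ]; then
    make_stunnel_pem "$1" "$2" &&
        pem_key_matches_cert "$2/stunnel.pem" &&
        echo "stunnel.pem ready for CN=$(pem_subject_cn "$2/stunnel.pem")"
fi
```

The key is written without a passphrase (-nodes) because a supervised stunnel has no terminal to prompt on, which is why the restrictive umask matters.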
Re: securing pop3 sessions
On Thu, May 25, 2000 at 01:39:32AM -0400, llu wrote:
> [EMAIL PROTECTED] wrote:
> > I'm using qmail 1.0.3 with the included qmail-pop3d. What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session? I know users will be reluctant to change their mua's. So what can I do on my side? Is there any way around this without expecting anything from the pop users?
> I use stunnel which doesn't require changes on qmail. Check this: http://security.fi.infn.it/tools/stunnel/index-en.html. I can share my configuration to anyone interested.

Please do. That's how we keep this community alive!

/magnus
Securing POP3 sessions
Using stunnel, you can add SSL dynamically to your pop3 server... Just make sure you got an SSL capable mua.
Re: securing pop3 sessions
At 23:03 24.05.2000 -0400, you wrote:
> Len Budney writes:
> Doesn't anybody implement APOP??

Qualcomm's Eudora since long time ago, i.e. 3.06 (freeware), also 4.x

Peter
Re: securing pop3 sessions
Magnus Bodin wrote:
> On Thu, May 25, 2000 at 01:39:32AM -0400, llu wrote:
> > [EMAIL PROTECTED] wrote:
> > > I'm using qmail 1.0.3 with the included qmail-pop3d. What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session? I know users will be reluctant to change their mua's. So what can I do on my side? Is there any way around this without expecting anything from the pop users?
> > I use stunnel which doesn't require changes on qmail. Check this: http://security.fi.infn.it/tools/stunnel/index-en.html. I can share my configuration to anyone interested.
> Please do. That's how we keep this community alive!

I'll post it to this list when I get home late tonight.

LLU

> /magnus
Re: securing pop3 sessions
[EMAIL PROTECTED] (Len Budney) writes:
> "Louis Theran" [EMAIL PROTECTED] wrote:
> > [ using SSH forwarding to tunnel POP3 ]
> That's a dandy idea. However, once you do that it's not POP3 anymore.

Nonsense. What exactly would you call the protocol running inside the tunnel if not POP3?

^L
Re: securing pop3 sessions
"Louis Theran" [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] (Len Budney) writes:
> > [ using SSH forwarding to tunnel POP3 ]
> > That's a dandy idea. However, once you do that it's not POP3 anymore.
> Nonsense. What exactly would you call the protocol running inside the tunnel if not POP3?

Um, the protocol INSIDE the tunnel is POP3. But the protocol YOU MENTIONED is POP3+SSH. In particular, it cannot be implemented using standard POP3 clients from machines which don't have SSH installed. Which, please note, is what the original poster asked for.

Len.

--
Frugal Tip #30: Let a large corporation pay you big bucks to tattoo their company logo on your bald spot.
Re: securing pop3 sessions
Just my 2 cents: I'm fetching emails via "fetchmail" thru SSH, so yes, you need OpenSSH installed on client and server side to have a secure channel.

HTH

On Thu, May 25, 2000 at 10:30:44PM -0400, Bro. Len Budney wrote:
> "Louis Theran" [EMAIL PROTECTED] wrote:
> > [EMAIL PROTECTED] (Len Budney) writes:
> > > [ using SSH forwarding to tunnel POP3 ]
> > > That's a dandy idea. However, once you do that it's not POP3 anymore.
> > Nonsense. What exactly would you call the protocol running inside the tunnel if not POP3?
> Um, the protocol INSIDE the tunnel is POP3. But the protocol YOU MENTIONED is POP3+SSH. In particular, it cannot be implemented using standard POP3 clients from machines which don't have SSH installed. Which, please note, is what the original poster asked for.
> Len.
> --
> Frugal Tip #30: Let a large corporation pay you big bucks to tattoo their company logo on your bald spot.
securing pop3 sessions
I'm using qmail 1.0.3 with the included qmail-pop3d. What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session? I know users will be reluctant to change their mua's. So what can I do on my side? Is there any way around this without expecting anything from the pop users?
Re: securing pop3 sessions
[EMAIL PROTECTED] wrote:
> What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?

I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.

Len.

--
VENONA traffic was broken by the NSA because the Soviets reused their one time pads. -- Bruce Schneier
Re: securing pop3 sessions
It is possible to wrap POP3 with SSL, which most mailers support. Take a look at http://www.rickk.com/sslwrap/

--Adam

On Wed, May 24, 2000 at 03:38:53PM -0400, Len Budney wrote:
> [EMAIL PROTECTED] wrote:
> > What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?
> I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.
> Len.
> --
> VENONA traffic was broken by the NSA because the Soviets reused their one time pads. -- Bruce Schneier
Re: securing pop3 sessions
[EMAIL PROTECTED] (Len Budney) writes:
> [EMAIL PROTECTED] wrote:
> > What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?
> I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.

What about SSH connection forwarding?

^L
Re: securing pop3 sessions
I was reading a howto about that and from what I understand, that's a client side deal.

Louis Theran wrote:
> [EMAIL PROTECTED] (Len Budney) writes:
> > [EMAIL PROTECTED] wrote:
> > > What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?
> > I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.
> What about SSH connection forwarding?
> ^L

--
i no naka no kawazu taikai wo shirazu
Re: securing pop3 sessions
"Louis Theran" [EMAIL PROTECTED] wrote:
> My original comment was merely pointing out that `there is no way' is correct only in a narrow sense.

Right; namely, the sense in which the poster asked. He asked for a way to modify the server ONLY, and end up using POP3 without any passwords traveling en clair. I replied that THAT is impossible. Other things, of course, may or may not be impossible.

However, if ``most clients'' actually support SSL, then I may have simply been wrong. (I'm not gonna quibble that POP3+SSL isn't POP3, because although it isn't, who cares?)

The original poster needs to know the definition of ``most clients'', and probably will have to run two POP3 servers--a secure one for savvy clients, and an insecure one for stupid clients. Unless ``most clients'' is an inclusive enough class.

Len.

--
It will work, and it's probably secure; but I didn't design it to run setuid, so don't do it. -- Dan Bernstein
Re: securing pop3 sessions
> From: "Len Budney" [EMAIL PROTECTED]
> Date: Wed, 24 May 2000 15:38:53 -0400
>
> [EMAIL PROTECTED] wrote:
> > What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?
> I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.
> Len.

Why not require APOP?

-- Bob Rogers
Re: securing pop3 sessions
Len Budney writes:
> [EMAIL PROTECTED] wrote:
> > What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session?
> I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.

Doesn't anybody implement APOP??

--
-russ nelson [EMAIL PROTECTED]  http://russnelson.com
Crynwr sells support for free software  | PGPok | "Ask not what your country
521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
Re: securing pop3 sessions
Russell Nelson [EMAIL PROTECTED] writes:
> Len Budney writes:
> > I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.
> Doesn't anybody implement APOP??

Even better, there are innumerable different authentication mechanisms possible once you use SASL, including ones considerably better than APOP, and POP3 definitely supports SASL. You can definitely use POP3 without cleartext passwords.

--
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: securing pop3 sessions
on 5/24/00 8:03 PM, Russell Nelson at [EMAIL PROTECTED] wrote:
> > I'm afraid the best way is also the only way, and it doesn't exist. You cannot use POP3 without sending passwords in the clear.
> Doesn't anybody implement APOP??

The Gnome/Helixcode guys are working on an outlook type app that does APOP. Outlook Express for the mac does SSL and "secure password" but does not mention APOP in the docs or in the configuration.

Pat
Re: securing pop3 sessions
[EMAIL PROTECTED] wrote:
> I'm using qmail 1.0.3 with the included qmail-pop3d. What's the best way on the server side to prevent passwords from being sent as clear text over the network for a pop3 session? I know users will be reluctant to change their mua's. So what can I do on my side? Is there any way around this without expecting anything from the pop users?

I use stunnel which doesn't require changes on qmail. Check this: http://security.fi.infn.it/tools/stunnel/index-en.html. I can share my configuration to anyone interested.

LLU