P Ferwerda wrote:

> On a RAQ4 is there a way to set things up so that when someone is
> attempting to get mail via POP3 that the password being sent on
> the wire is not in clear text?

You cannot control whether or not the user sends a password in clear text; you can only control whether or not you accept it.

One way to require passwords not be sent in clear-text is to set APOP. The downside is that the user MUST use a client that supports APOP to receive email. This must be turned on/off by domain, not by individual users.

Another way would be to create a tunnel through SSH. Most SSH clients (I use Tera Term Pro) have a way to do this. The disadvantage is that the user must set his email program to check mail on his local machine (usually "localhost" works even on a Windows machine) and be certain to be running SSH each time s/he checks mail.

> The primary site has SSL turned on for the admin port but it isn't
> clear to me how to prevent the checks for email from compromising
> the password (especially if the email account is the admin account).

It requires some work on behalf of the "administrator".

The only way you (as the system operator) can control it is by enforcing APOP; if you do you might lose customers and/or increase your support costs as customers have to figure out how to use particular mail clients instead of the ones they like.

Individual site administrators can implement it on their own (as long as you've got ssh on the RaQ) by using an SSH tunnel.

Perhaps the easiest way to control it is to NOT allow direct pickup of email from the admin account, but require it be forwarded to a non-privileged account.

Jeff
--
Jeff Lasman <[EMAIL PROTECTED]>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA 92517
voice: (909) 778-9980 * fax: (702) 548-9484
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
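
Added example, not part of the original message: the APOP exchange mentioned in the reply above, as defined in RFC 1939, showing that the client sends an MD5 digest of the server's greeting timestamp plus the shared secret rather than the password itself. The host name raq.example.com and the function names are assumptions made for illustration; the secret is the sample value from RFC 1939.

```python
import hashlib
import hmac
import os
import re
import time


def make_challenge(hostname):
    """Server: per-connection timestamp sent in the POP3 greeting."""
    return "<%d.%d@%s>" % (os.getpid(), int(time.time()), hostname)


def parse_greeting(line):
    """Client: pull the <...@...> timestamp out of '+OK ...'.
    None means the server did not offer APOP."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", line)
    return m.group(0) if line.startswith("+OK") and m else None


def apop_digest(challenge, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


def server_verify(challenge, secret, command):
    """Server: check 'APOP name digest'. The server must hold the secret
    itself (not a hash of it) to recompute the digest."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(challenge, secret).encode("ascii")
    return hmac.compare_digest(expected, parts[2].lower().encode("utf-8"))


def demo():
    secret = "tanstaaf"  # sample secret from RFC 1939, not a real credential
    greeting = "+OK POP3 server ready " + make_challenge("raq.example.com")
    challenge = parse_greeting(greeting)
    # This line is all that crosses the wire; the secret is not in it.
    command = "APOP mrose " + apop_digest(challenge, secret)
    accepted = server_verify(challenge, secret, command)
    # A captured command is useless against a later greeting (constructed value).
    replayed = server_verify("<1.2@raq.example.com>", secret, command)
    return accepted, replayed


if __name__ == "__main__":
    print(demo())
```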
