Hi,
I'm still working to lock down this system. Another vulnerability reported was POP and IMAP taking clear-text usernames and passwords. (Even over SSL, this is still considered a vulnerability, due to man-in-the-middle attacks, etc.)
So, in pop3d and imapd I set POP3AUTH="CRAM-MD5 CRAM-SHA1" and restarted Courier.
Using openssl s_client -connect localhost:pop3s:

[all sorts of key exchange and openssl information]
+OK Hello there.
capa
+OK Here's what I can do:
SASL CRAM-MD5 CRAM-SHA1
TOP
USER
LOGIN-DELAY 10
PIPELINING
UIDL
IMPLEMENTATION Courier Mail Server
user [EMAIL PROTECTED]
+OK Password required.
pass blahblah
+OK logged in.
Looking at pop3login.c and pop3dcapa.c, it looks like it is not possible to turn off "USER" authentication? Shouldn't there be a way to force SASL?
If, as always, I'm missing something, please let me know :)
Stephan Winokur
"The silence of a kiss is worth more than a thousand words."
[EMAIL PROTECTED]
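As an added example (not from the original post and not Courier's own code), here is what the CAPA check above looks like when automated for a hardening review, plus the client half of CRAM-MD5 to show why the mechanism keeps the password off the wire. The CAPA text is constructed from the capability list quoted in the session above; the function and variable names are my own.

```python
import base64
import hashlib
import hmac

# Constructed sample CAPA reply built from the capability list quoted in the post
# (on the wire each capability is a CRLF-terminated line; a lone "." ends the list).
SAMPLE_CAPA = (
    "+OK Here's what I can do:\r\n"
    "SASL CRAM-MD5 CRAM-SHA1\r\n"
    "TOP\r\n"
    "USER\r\n"
    "LOGIN-DELAY 10\r\n"
    "PIPELINING\r\n"
    "UIDL\r\n"
    "IMPLEMENTATION Courier Mail Server\r\n"
    ".\r\n"
)

def parse_capa(reply):
    """Parse a POP3 CAPA reply (RFC 2449) into {CAPABILITY: [arguments]}."""
    lines = reply.split("\r\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("server rejected CAPA: " + lines[0])
    caps = {}
    for line in lines[1:]:
        if line in (".", ""):  # "." terminates the multi-line reply
            break
        if line.startswith(".."):  # undo dot-stuffing
            line = line[1:]
        name, *args = line.split()
        caps[name.upper()] = args
    return caps

def audit_auth(caps):
    """Findings a hardening review would raise from the advertised capabilities."""
    findings = []
    sasl = [m.upper() for m in caps.get("SASL", [])]
    if "USER" in caps:
        findings.append("USER/PASS advertised: clear-text password login still accepted")
    for weak in ("PLAIN", "LOGIN"):
        if weak in sasl:
            findings.append("SASL %s advertised: base64 only, password effectively in the clear" % weak)
    if not any(m.startswith("CRAM-") for m in sasl):
        findings.append("no challenge-response SASL mechanism advertised")
    return findings

def cram_md5_response(username, password, challenge):
    """CRAM-MD5 client reply (RFC 2195); `challenge` is the decoded bytes of the server's "+ <base64>" line."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(("%s %s" % (username, digest)).encode()).decode()
```

Feeding the reply from a live TLS session into parse_capa and then audit_auth gives the same answer the manual session gave: as long as USER is advertised, the SASL setting alone has not removed clear-text login.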
