At 01:09 PM 03/01/2000 -0800, you wrote:
>Hello all,
>
>I have a security question.
>
>I'm a nazi about using ssh, scp etc., but just realized that if I use a POP
>server, I am sending out my password unencrypted every time I check my mail.
>
>I've been trying to just ssh to my server and read my mail via the command
>prompt, but I miss my nice mail clients on my Linux box, and having my mail
>saved locally.
>
>Here's the question:  Are there any secure POP servers/clients, or can you
>use kerberos authorization or something to get around this?

Yes, you can use various methods of secure connections.

As Greg mentioned, fetchmail/ssh is one way, but that's clunky.


Found this info in a quick search on Google for 'pop secure password':

[linux-security] Re: POP secure access??

Rogier Wolff ([EMAIL PROTECTED])
Mon, 20 Sep 1999 17:20:04 +0200 (MEST)

      Next message: Crispin Cowan: "[linux-security] Re: POP secure access??"
      Previous message: C.M. Wong: "[linux-security] POP secure access??"



Hi,

There have been several people to reply to this question. One "digest"
answer on the list. (I've deleted all properly indented comments
except in the first most complete message. I've also deleted one
"mime-encoded HTML" version of one replicant. That's normally a
"sorry, won't be accepted like that" offence. I'm in a good mood
today.)

                 -- Roger Wolff.

-----------------------------------------------------------------


From: "Michael H. Warfield" <[EMAIL PROTECTED]>
Subject: [linux-security] Re: POP secure access??

C.M. Wong enscribed thusly:

 > Hi, I'm looking for a solution to access pop mails (sendmail in linux)
 > securely. Most of the access would be from window clients (outlook express
 > etc). Is there a way to encrypt the password (like ssh2) when authenticating
 > with sendmail? Any info is greatly appreciated. Thx.

         Pop does not involve sendmail.  Pop is a different protocol
used for retrieving E-Mail from a postoffice.  Sendmail is used to receive
E-Mail (SMTP) into the server and postoffice.

         If you want to encrypt pop or imap access, then I would suggest
using SSL encrypted pop (pop3s) or SSL encrypted imaps (imaps).  You can
do this with your standard pop and imap servers using an encrypting
wrapper such as sslproxy, edssl, or stunnel.  These can be found by
following the links up at the OpenSSL site, <http://www.openssl.org>.
You're going to need OpenSSL to make it work as well (they're the crypto
libraries).

         Outlook Express, Netscape, and numerous other Windows clients
already have built-in support for SSL encrypted pop and/or SSL encrypted
imap.  You just have to check the preferences box for "encrypt connections".

         Examples of what I did to configure pop3s and imaps:

         Add this to /etc/services:

imaps           993/tcp
pop3s           995/tcp

         Set up this in /etc/inetd.conf:

pop-3 stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap  stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
imaps stream  tcp     nowait  root    /usr/sbin/tcpd  sslproxy -t 3600 -p imap
pop3s stream  tcp     nowait  root    /usr/sbin/tcpd  sslproxy -t 3600 -p pop-3

         Obviously, I'm using sslproxy.  I've used edssl, and tried stunnel
but never got stunnel to work for me.  Sslproxy is easy but doesn't support
some features like client side certificates like edssl does.

         If you want to retrieve mail to a Linux client workstation using
SSL encrypted pop or imap, I highly recommend fetchmail-ssl.  It's available
from the North American Cryptographic Archives <http://www.cryptography.org>
in the SSL subdirectory.  I wrote the SSL patches for fetchmail and released
it (with Eric Raymond's consent) through the archives.  Since Eric and I both
live in the "Land of the Freeh" (sic) we can't, ourselves, release it in
a more general form or distribution.

--
  Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
   (The Mad Wizard)      |  (770) 331-2437   |  http://www.wittsend.com/mhw/
   NIC whois:  MHW9      |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

---------------------------------------------------------------------------
From: Frank Derichsweiler <[EMAIL PROTECTED]>

Try to use channel forwarding within ssh. Details are within the ssh
docs.  Unfortunately there is only a free ssh1 client for wind*** ...

HTH
Frank

---------------------------------------------------------------------------
From: Jan van Rensburg <[EMAIL PROTECTED]>

outlook express supports ssl encrypted pop (if i remember correctly).
so, you can use openssl to ssl-ify the pop server, or use a proxy like
the one at:
http://www.multimania.com/jonama/

ciao,
--
--jan van rensburg

Oh what a tangled web we weave when
we could've used perl but we used C.

---------------------------------------------------------------------------
From: ctor <[EMAIL PROTECTED]>

Using a POP-server with APOP support sounds good.. APOP uses
timestamps and md5.. Don't have any pointers, but qpopper is one of those
daemons with APOP-support, IIRC.. I'm sure there are patches for most
daemons to support APOP..

Unfortunately, I don't think the clients here all have support :( .. The
only one I'm sure has support is Eudora.


~~~<*>~~~

Web: http://elemental.webservices.se/              ICQ: 3534707
PGP: `finger [EMAIL PROTECTED]`             IRCnet: ctor

~~~<*>~~~
---------------------------------------------------------------------------
From: Andrew Otwell <[EMAIL PROTECTED]>

IMAP over SSL.

--
################################################
# Andrew T. Otwell, Network Admin - Perl Prog
# [EMAIL PROTECTED]
# fon 770.489.8238   ||   pgr 770.746.3370
# http://www.NetworkComputerz.com
################################################

---------------------------------------------------------------------------
From: Mark Lamourine <[EMAIL PROTECTED]>

On Mon, 20 Sep 1999, C.M. Wong wrote:

 > Hi, I'm looking for a solution to access pop mails (sendmail in linux)
 > securely. Most of the access would be from window clients (outlook express
 > etc). Is there a way to encrypt the password (like ssh2) when authenticating
 > with sendmail? Any info is greatly appreciated. Thx.

I think some clarification is in order.

sendmail is an SMTP agent.  You send mail using sendmail (Funny how that
works).  SMTP is a mail transfer protocol.  It moves mail from a
startpoint (the sender) to an end point (the recipient's mailbox)

Sending mail doesn't require a password (though maybe it should)

POP3 is a remote mail reading protocol.  There is a separate daemon on a
separate TCP port (110 for POP3, 25 for SMTP)

Using POP3, the user identifies herself to the POP server with a username
and password.  Under most default circumstances, the username and password
are sent in cleartext.

There are 2 POP3 protocol extensions that allow authentication without
sending a password in cleartext.  KPOP requires that the POP server use
Kerberos authentication.  APOP uses a shared secret (the password) and
cryptographic hashing to prove the user's identity while avoiding
transmitting the secret itself over the wire.

Both the username and the retrieved email are still transmitted in the
clear, but since SMTP has transmitted it from the sender to the user's
mailbox in clear already, that should not be a problem.

Your question implies that you want something like APOP.

I can't speak directly to the RH in.popd(1), but Qualcomm popper has APOP
capability.  It's enabled using the popauth(1) command.  The pop server
maintains a file of password hashes.  To enable APOP, the user has to run
popauth on the pop server somehow to initialize the secret.  The user then
has to tell the mail reading program to use APOP (Eudora can do this, I'm
not sure about others).

When the user authenticates, the client uses the pop server greeting
(which has a time stamp in it) and the user's hashed password to create a
new hash which is sent to the POP server.  The pop server knows the
timestamp it sent, the user's secret and the algorithm the POP client used
to generate the transmitted hash.  It runs the hash itself and compares
the results to the hash it received from the user.  If they match, access
is granted.

Check out the POP3 RFC:

http://www.freenic.net/rfcs/rfc1900/rfc1939.txt

and the Qualcomm qpopper page

http://www.eudora.com/free/qpop.html

and the RedHat manpage for in.popd

- Mark

Mark Lamourine <[EMAIL PROTECTED]>
GTE Internetworking, Network Operations, Server Administration
3 Van DeGraff Drive, PO Box 3073, Burlington, MA 01803
Voice: +1 781 262 4306   Fax: +1 781 262 5508
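The APOP exchange described in the message above, worked through as an added example (constructed for this page; it is not code from the thread, from qpopper or from any POP client). It follows RFC 1939 section 7: the digest is the hex MD5 of the greeting's timestamp followed by the shared secret itself, and the defaults reproduce the RFC's own example values (`<1896.697170952@dbc.mtview.ca.us>`, user `mrose`, secret `tanstaaf`). The `secrets_db` dictionary stands in for the popauth password store and is an assumption of the example. The last function shows the caveat a sniffer exploits: the password never crosses the wire, but a captured greeting plus APOP line can be tested against a wordlist offline.

```python
"""APOP (RFC 1939, section 7) end to end, plus the eavesdropper's view.

Added example, constructed for this page; not code from the thread,
from qpopper or from any POP client.
"""
import hashlib
import hmac
import time


def pop_greeting(pid=1896, clock=None, host="dbc.mtview.ca.us"):
    """Server banner with a <process-ID.clock@hostname> timestamp.

    The defaults reproduce the greeting in the RFC 1939 example.  A real
    server must make the timestamp unique per connection, otherwise a
    captured APOP line could simply be replayed.
    """
    clock = int(time.time()) if clock is None else clock
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"


def extract_timestamp(greeting):
    """The <...> part of the banner; its absence means APOP is not offered."""
    start = greeting.find("<")
    end = greeting.find(">", start)
    if start < 0 or end < 0:
        raise ValueError("greeting carries no timestamp: server does not offer APOP")
    return greeting[start:end + 1]


def apop_digest(timestamp, secret):
    """hex(MD5(timestamp || secret)), exactly as RFC 1939 specifies."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def client_apop(greeting, user, secret):
    """What the client sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def server_verify(command, greeting, secrets_db):
    """Server side: recompute the digest from the timestamp it issued and
    the stored secret (secrets_db models the popauth store), and compare
    in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = secrets_db.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_timestamp(greeting), secret)
    return hmac.compare_digest(expected, digest.lower())


def sniffer_guess(greeting, command, wordlist):
    """The caveat: MD5 is fast and the only 'salt' is the public timestamp,
    so whoever captured the greeting and the APOP line can test password
    guesses offline.  Returns the guess that matches, or None."""
    ts = extract_timestamp(greeting)
    digest = command.split()[2].lower()
    for guess in wordlist:
        if apop_digest(ts, guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    db = {"mrose": "tanstaaf"}                 # constructed popauth-style store
    greeting = pop_greeting(clock=697170952)   # RFC 1939's example banner
    cmd = client_apop(greeting, "mrose", db["mrose"])
    print("S:", greeting)
    print("C:", cmd)
    print("server accepts:", server_verify(cmd, greeting, db))
    print("replay against a fresh greeting:", server_verify(cmd, pop_greeting(), db))
    print("offline guess:", sniffer_guess(greeting, cmd, ["letmein", "tanstaaf"]))
```

Two things worth noticing when running it: the replay check fails because the server's fresh greeting carries a different timestamp, which is the whole reason the timestamp must be unique; and the offline guess succeeds with nothing more than a sniffed greeting and APOP line, which is why APOP protects the password in transit but not a weak password.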

---------------------------------------------------------------------------
From: Przemek Klosowski <[EMAIL PROTECTED]>

I assume that you are interested in retrieving mail (pop and imap)
rather than in sending mail (sendmail)---sendmail doesn't do per-user
authentication so no passwords are involved (unless you were concerned
about people sending passwords in the contents of their
messages). Having said that, there is SMTP over SSL (see below); I am
not sure which sendmail servers/clients use it.

There also exist SSL-encrypted POP and IMAP specs. Here's a list of services
that use SSL:

ssmtp           465/tcp                         # SMTP over SSL
snews           563/tcp                         # NNTP over SSL
ssl-ldap        636/tcp                         # LDAP over SSL
simap           993/tcp                         # IMAP over SSL
spop3           995/tcp                         # POP-3 over SSL

Netscape at least from version 4.51 up allows SSL-based IMAP
connections.  I don't know about other mail clients.

         przemek klosowski, Ph.D. <[EMAIL PROTECTED]>  (301) 975-6249
         NIST Center for Neutron Research (bldg. 235), E111
         National Institute of Standards and Technology
         Gaithersburg, MD 20899,      USA
         .. and for spam extractors, FCC Commisioners' email is:
         [EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED],[EMAIL PROTECTED]

---------------------------------------------------------------------------
From: "Brian E. Bothwell" <[EMAIL PROTECTED]>

Check out Stunnel, an SSL tunnel that can be used to encrypt POP,
IMAP, HTTP, and other TCP-based services.  I use it to SSL-encrypt IMAP4
services for over 20 users and have had very few problems.

<http://mike.daewoo.com.pl/computer/stunnel/>


-Brian


--------------
Brian Bothwell                             [EMAIL PROTECTED]
System & Network Administrator             http://www.wisdomtools.com
WisdomTools, Inc.                          812-856-4200 #7
--------------

---------------------------------------------------------------------------

From: "Nick Gotsinas" <[EMAIL PROTECTED]>

http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html

I haven't tried it yet but it looks like it works.


--
** [EMAIL PROTECTED] ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------

--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
   mail -s unsubscribe [EMAIL PROTECTED] < /dev/null






[Seth] And then I found this:



2. The Basic Technique

This technique relies on a fundamental feature of ssh: port forwarding

There are many variations on this theme, which depend on your desired mail 
setup. They all require ssh, which is available from http://www.ssh.fi/ and 
mirrors.
RPMs are available at ftp://ftp.replay.com/pub/crypto/ and Debian packages 
are available at ftp://non-us.debian.org/debian-non-US/ (and their 
respective mirrors).

2.1 Setting up Port Forwarding

To start port forwarding, run the following command:

      ssh -C -f popserver -L 11110:popserver:110 sleep 5

Let's take a closer look at that command:

ssh

      The ssh binary itself, the magic program that does it all.

-C

      This enables compression of the datastream. It's optional, but 
usually useful, especially for dialup users.

-f

      Once ssh has done authentication and established port forwarding, it
forks to the background so other programs can be run. Since we're just
using the port forwarding features of ssh, we don't need a tty attached
to it.

popserver

      The POP server we're connecting to.

-L 11110:popserver:110

      Forward local port 11110 to port 110 on the remote server popserver. 
We use a high local port (11110) so any user can create forwardings.

sleep 5

      After ssh has forked itself into the background, it runs a command.
We use sleep so that the connection is maintained for enough time for our
mail client to set up a connection to the server. 5 seconds is usually
sufficient time for this to happen.

You can use most other options to ssh when appropriate. A common setting 
may be a username, since it might be different on the POP server.

This requires sshd running on the remote server popserver. However, you do
not need to have an active shell account there. The time it takes to print
a message ``You cannot telnet here'' is enough to set up a connection.

2.2 Testing it out

Once you've figured out the exact command to run to establish port
forwarding, you can try it. For example:

      $ ssh -C -f msingh@popserver -L 11110:popserver:110 sleep 1000

popserver is the ol' POP server. My username on my local machine is manish
so I need to explicitly specify the username msingh. (If your local and remote
usernames are the same the msingh@ part is unnecessary.)

Then it prints:

      msingh@popserver's password:

And I type in my POP password (you may have different shell and POP 
passwords though, so use your shell one). Now we're done! So we can try:

      $ telnet localhost 11110

which should print something like:

      QUALCOMM POP v3.33 ready.

Woohoo! It works! The data is sent out over the network encrypted, so the 
only cleartext is over the loopback interfaces of my local box and the POP 
server.
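What `ssh -L 11110:popserver:110` actually builds, modelled in Python as an added example (it is not the HOWTO's or the thread's code): the local ssh process listens on 127.0.0.1:11110 and, for each accepted connection, has sshd on popserver open popserver:110 and relays bytes both ways. The relay below reproduces that listener-and-relay plumbing so the two loopback hops the HOWTO describes can be seen in code; the one thing it deliberately leaves out is the SSH encryption of the hop between the two ssh processes, which is what ssh itself supplies. The fake POP server, its `QUALCOMM POP v3.33` banner and the port numbers are constructed so the whole thing runs offline.

```python
"""Local port forwarding, modelled in plain Python.

Added example, not part of the HOWTO or the mailing-list thread.  The
forwarder is the listener/relay half of `ssh -L`; the fake POP server is
a constructed stand-in for popserver:110 so this runs offline.
"""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            s.close()


def start_forwarder(target, bind_addr="127.0.0.1", bind_port=0):
    """Listen on bind_addr:bind_port and relay every connection to target.

    Returns the (host, port) actually bound.  Binding to 127.0.0.1 is the
    security point: ssh -L does the same by default, so only processes on
    this box can reach the cleartext end of the tunnel.  Binding to
    0.0.0.0 (what ssh -g does) would hand the plaintext POP port to the
    whole LAN.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, bind_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(target, timeout=5)
            except OSError:
                client.close()
                continue
            upstream.settimeout(None)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener.getsockname()


def start_fake_pop_server(banner=b"+OK QUALCOMM POP v3.33 ready.\r\n"):
    """Constructed stand-in for popserver:110: greets, answers QUIT, closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)
                for line in conn.makefile("rb"):
                    if line.strip().upper() == b"QUIT":
                        conn.sendall(b"+OK Bye\r\n")
                        break
                    conn.sendall(b"-ERR only QUIT is implemented here\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def pop_banner_via(local_endpoint):
    """What `telnet localhost 11110` shows: the greeting read through the
    local end of the tunnel.  QUITs cleanly afterwards."""
    with socket.create_connection(local_endpoint, timeout=5) as s:
        f = s.makefile("rb")
        banner = f.readline().decode().rstrip("\r\n")
        s.sendall(b"QUIT\r\n")
        f.readline()
        return banner


def demo():
    pop = start_fake_pop_server()          # plays popserver:110
    local = start_forwarder(target=pop)    # plays ssh -L <local>:popserver:110
    return pop_banner_via(local)


if __name__ == "__main__":
    print(demo())
```

With OpenSSH, the `sleep` trick in the HOWTO is unnecessary: `ssh -f -N -L 127.0.0.1:11110:localhost:110 msingh@popserver` keeps the forwarding open without running any remote command (`-N`), and spelling out `127.0.0.1:` as the bind address makes the loopback-only listener explicit. Point the mail client at `localhost` port 11110 only after the banner check above succeeds; if the local port answers with nothing or a refused connection, the tunnel is not up and the client would otherwise fail or fall back to whatever server it was configured with before.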



