--On Tuesday, 11 July, 2000 21:05 +0200 Mikael Olsson
<[EMAIL PROTECTED]> wrote:
>
>
> [EMAIL PROTECTED] wrote:
>>
>> I have an exchange server. Users want to check email from home and on
>> the road.
>> What are the security cautions I should know about. Why wouldn't this be
>> a good idea if I have
>> file sharing on the same system? Are pop3 passwords sent in clear text?
>
> Yes, everything in POP3 is sent in plain text. Do this, and anyone can
> get hold of your DOMAIN users and passwords. Having this information,
> they could easily attach to any domain resources, if allowed by your
> firewall. (I hope your firewall blocks ports 135-139 inbound?)

There are POP3 authentication protocols, such as APOP and KPOP,
that don't send a clear text password. I don't know how many mail
systems, clients or servers, support them, and KPOP may be a bit
cumbersome if you don't want to set up Kerberos.

In at least some cases, servers that support APOP don't use the normal
system password, so even if somebody can do a dictionary attack on
the protocol exchange they may not get access to more than your mailbox.
-paul
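
The APOP exchange mentioned in the reply above, as an added example that is not part of the original message. It uses the sample banner, mailbox and secret from the APOP example in RFC 1939; the function names are hypothetical. The server has to recompute the digest from a secret it can read in the clear, which is why APOP secrets are often kept separate from the system password.

```python
import hashlib
import hmac
import re

# Sample values from the APOP example in RFC 1939 (not from this thread).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SHARED_SECRET = "tanstaaf"
MAILBOX = "mrose"

def extract_timestamp(banner):
    """Return the <...> challenge from the server greeting, or None if the
    server did not offer one (APOP is then not available)."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", banner)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def client_command(banner, mailbox, secret):
    """Build the APOP line a client sends; refuse to fall back to USER/PASS."""
    ts = extract_timestamp(banner)
    if ts is None:
        raise ValueError("server offered no APOP timestamp; not sending password")
    return f"APOP {mailbox} {apop_digest(ts, secret)}"

def server_verify(issued_timestamp, command, secrets):
    """Server side: recompute the digest from the stored secret and compare.
    `secrets` maps mailbox -> cleartext APOP secret (hypothetical store)."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, mailbox, digest = parts
    secret = secrets.get(mailbox)
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected, digest.lower())

if __name__ == "__main__":
    cmd = client_command(BANNER, MAILBOX, SHARED_SECRET)
    ok = server_verify(extract_timestamp(BANNER), cmd, {MAILBOX: SHARED_SECRET})
    print("S:", BANNER)
    print("C:", cmd)
    print("S:", "+OK" if ok else "-ERR")
```

Only the digest crosses the wire, and it is bound to the per-connection timestamp, so a captured APOP line does not verify against a different banner.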