hi ya
as ron says.... make sure you have a pop user name
and a different user shell account
- and make 100% sure the passwds are different on both of 'em
better still to use secure pop3 and/or secure imap
or https for web-based email agents
c ya
alvin
http://www.Linux-Sec.net/Mail -- see secure pop3
On Tue, 5 Feb 2002, Ron DuFresne wrote:
>
> On Wed, 6 Feb 2002 [EMAIL PROTECTED] wrote:
>
> >
> > Thanks Darryl,
> >
> > so, may I suggest webmail access? Is it possible to encrypt that traffic
> > with some https? How can I advise secure email download without using VPNs?
> > Is it necessary to use digital certificates (I think it may be used but
> > I've never done) or are there other forms?
> >
....
> >
> > Hi Daniel,
> >
> > POP3 authentication and message content is not encrypted in any way, so
> > any third party in the data path between the server and the client can
> > read both the emails and the account username/passwords.
> >
> > To decide whether that's OK or not, you have to consider what risk this
> > involves for your company.
> >
> > Someone sniffing the POP3 traffic will be able to:
> >
> > 1. Read all the email. Is there any data there that you or your company
> > would not want an unauthorised third party to read?
> >
> > 2. Capture the POP3 usernames and passwords. What can they do with
> > these? e.g. If the CEO checks his mail, you (or anyone else) will be able
> > to get his username and password. Is that a worry?
> >
> > If your company is happy with these things, then they should be
> > confident about allowing POP3 access.
> >
> >
> > If the mail server is on the internal network, it means that when
> > someone breaks into it from the internet, they are on your internal
> > network and can do whatever they want. If they're on the DMZ, they
> > should be at least partly contained. The level of containment depends on
> > your firewall rules, and on what else is on the DMZ that they could get
> > to.
> >
>
> This is not totally correct, it depends upon how much access to the server
> supplying the pop3 accounts one has. If one creates the user accounts
> so they only have access to remotely read their e-mails <i.e. give a
> shell of /dev/null>, unless they can also exploit the pop3 daemon, the
> game of sniffed usernames and passwords limits others to only reading
> e-mails of those sniffed accounts. How exploitable the pop3 daemon is on
> a particular OS is another subject altogether, they have had issues in the
> past if I recall. Basically, it depends upon how much you trust others'
> setup of their routers and switches, and perhaps the ISPs your users are
> going to read from. It's those points that are going to be the primary
> sniffing vectors between two sites.
>
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
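
The advice in this thread (mail-only accounts with a shell of /dev/null, kept separate from shell accounts) can be audited on the mail server. The script below is an added example, not part of the original messages: it flags POP3 accounts whose passwd entry still allows a shell login. The list of POP usernames, the set of "no login" shells and every account shown are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag POP3 mailbox accounts that can also log in to a shell.
# All account names and file contents below are constructed sample data.

# Shells treated as "no interactive login" (assumption; adjust per system).
NOLOGIN_SHELLS="/dev/null /bin/false /sbin/nologin /usr/sbin/nologin"

# pop_accounts_with_shell PASSWD_FILE POP_USERS_FILE
# Prints "user:shell" for each POP user whose passwd entry has a
# login-capable shell, and "user:MISSING" for a stale list entry.
pop_accounts_with_shell() {
    awk -F: -v nologin="$NOLOGIN_SHELLS" '
        BEGIN { n = split(nologin, a, " "); for (i = 1; i <= n; i++) safe[a[i]] = 1 }
        # First file (passwd): remember each shell; an empty field means /bin/sh.
        NR == FNR { if ($1 != "" && $1 !~ /^#/) shell[$1] = ($7 == "" ? "/bin/sh" : $7); next }
        # Second file (POP user list): skip blanks and comments.
        $1 == "" || $1 ~ /^#/ { next }
        !($1 in shell) { print $1 ":MISSING"; next }
        !(shell[$1] in safe) { print $1 ":" shell[$1] }
    ' "$1" "$2"
}

# Runs the check over constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ceo:x:1001:1001:CEO shell account:/home/ceo:/bin/bash
ceo-pop:x:2001:2001:CEO mailbox:/var/mail/ceo-pop:/dev/null
daniel:x:1002:1002:Daniel:/home/daniel:/bin/bash
sales-pop:x:2002:2002:Sales mailbox:/var/mail/sales-pop:
EOF
    cat > "$tmp/pop_users" <<'EOF'
# accounts that collect mail over POP3
ceo-pop
daniel
sales-pop
oldbox
EOF
    pop_accounts_with_shell "$tmp/passwd" "$tmp/pop_users"
    rm -rf "$tmp"
}

demo
```

Each account reported with a shell is one where a password sniffed from cleartext POP3 would also open a shell session; an empty shell field counts because passwd(5) treats it as /bin/sh.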