Lotus Notes has its own mechanism for such e-mail access, and authentication. I'd still not allow the reading of mail to the inside directly, mirror the Lotus stuff on a secured system on the DMZ, not allowing a login to the system and let users read from there. If I recall correctly, Lotus has its own encryption and thus some admins allow full internal access via the Notes external DMZ server <are there still export restrictions on the level of Notes encryption one can allow users outside the US to take "on the road" with them these days?>, but, seeing a lot of the configuration gotchas, you'd probably want a very good Lotus admin to work in conjunction with the perimeter <screening router/fw> admin to develop any access beyond reading e-mail.

Thanks,

Ron DuFresne

On Wed, 6 Feb 2002 [EMAIL PROTECTED] wrote:

> My client uses Lotus Notes.
>
> Rgds,
> Daniel Cenáculo
>
> Darryl Luff <[EMAIL PROTECTED]>
> Sent by: firewalls-admin@lists.gnac.net
> 06-02-2002 05:37
>
> To: Ron DuFresne <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Re: pop3
>
> Ron DuFresne wrote:
> ...
> > This is not totally correct, it depends upon how much access to the server
> > supplying the pop3 accounts one has to. If one creates the user accounts
> > so they only have access to remotely read their e-mails <i.e. give a
> > shell of /dev/null>, unless they can also exploit the pop3 daemon, the
> > game of sniffed usernames and passwords limits others to only reading
> > e-mails of those sniffed accounts. How exploitable the pop3 daemon is on
>
> I was thinking more of the situation where the POP3 server is actually
> something like an Exchange server, authenticating users against a
> corporate account database (NT domain or whatever). This seems to be a
> pretty common configuration. And in that case the sniffed POP3
> username/password is actually the user's corporate login
> username/password.
>
> > a particular OS is another subject altogether, they have had issues in the
> > past if I recall. Basically, it depends upon how much you trust others'
> > setup of their routers and switches, and perhaps the ISPs your users are
> > going to read from. It's those points that are going to be the primary
> > sniffing vectors between two sites.
> >
>
> And internal users or admins playing around. Whether they have malicious
> intentions or not, people seem to enjoy getting access to their mate's
> (or boss's) passwords. Especially in a small site where the server is on
> a user segment.
>
> Darryl Luff
> CDM Security Group
> [EMAIL PROTECTED]
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
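
Added example, not part of the original thread: an audit of the setup described in the quoted text, where POP3-only accounts are given a non-login shell such as /dev/null. It parses passwd-format text and flags mail-only accounts that still have a usable login shell; the account names, the sample passwd lines and the list of non-login shells are assumptions constructed for illustration.

```python
# Added example: audit that POP3-only accounts cannot obtain a shell.
# All account names and passwd lines below are constructed sample data.

# Shells that do not give an interactive session (assumed list; adjust per OS).
NON_LOGIN_SHELLS = {"/dev/null", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:mail only:/var/mail/alice:/dev/null
bob:x:1002:100:mail only:/var/mail/bob:/bin/bash
carol:x:1003:100:mail only:/var/mail/carol:
# comment line
broken-line-without-fields
"""


def parse_passwd(text):
    """Return {user: shell} from passwd-format text, skipping bad lines."""
    shells = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; not a valid account record
        # An empty shell field means the system default shell (/bin/sh).
        shells[fields[0]] = fields[6] or "/bin/sh"
    return shells


def audit_mail_only(passwd_text, mail_only_users):
    """Map each mail-only user to 'ok', 'login-shell:<shell>' or 'missing'."""
    shells = parse_passwd(passwd_text)
    report = {}
    for user in mail_only_users:
        if user not in shells:
            report[user] = "missing"
        elif shells[user] in NON_LOGIN_SHELLS:
            report[user] = "ok"
        else:
            report[user] = "login-shell:" + shells[user]
    return report


if __name__ == "__main__":
    users = ["alice", "bob", "carol", "dave"]
    for user, status in audit_mail_only(SAMPLE_PASSWD, users).items():
        print(f"{user}: {status}")
```

This checks shell access only. Where the POP3 password is also the corporate login password, as raised in the quoted reply, a sniffed credential remains usable against other services regardless of the shell setting.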
