Thanks!  I guess there is no DANE for POP3, is there?  There was APOP in some RFC too but that required that passwords be unencrypted on the server side (and that was with MD5 I think).

The reason my parents like POP3s is that they do not require mail to be left on the server, and to this I do agree.  I personally fetchmail (with checking against a TLS signature file) to an IMAP server that is behind my gateway in RFC1918 land.

My parents had some emails coming from all over the world claiming that our mail computer is not safe and I believe it is just FUD.  Still I'd like to do something about the POP3s server and give it pledge and unveil.  A POP3 server doesn't need to see many things other than the /var/mail directory and with the great imsg library the pledge could be just at "stdio" when talking directly to the client.  This intrigues me.

Regards,
-peter

On 10/30/18 16:33, Todd C. Miller wrote:
On Tue, 30 Oct 2018 09:32:45 -0600, "Todd C. Miller" wrote:

I don't think there is much interest in having a pop3 daemon in
base due to the use of plain-text passwords but if you want to check
out a copy of the old one, you can do it like this:

cvs get -rOPENBSD_5_4 src/usr.sbin/popa3d

The DESIGN file in that directory describes the security model.
You can also find the upstream sources for it at
https://www.openwall.com/popa3d/

  - todd
