On Fri, Aug 25, 2000 at 01:47:14PM -0400, Rick Glunt wrote:
> In the qmail FAQ it mentions "Security note: pop3d should only be
> used in a secure network...". Does this mean it is not fit for a
> server on the Internet? I see it recommended in several places but
> never see anything else about it being insecure.
The POP3 protocol is insecure because it uses a cleartext username and
password. The better ways to do it are:
- tunnel it in SSL or SSH
- use Kerberos authentication
- offer webmail service instead, protected by SSL
- only offer it inside the firewall
In corporate environments, it makes sense to restrict it to
inside the firewall, where no one would ever run a packet sniffer.
In home environments, it makes sense to use an SSL or SSH tunnel,
as you can easily control both the server and the clients.
-dsr-
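
An added example, not part of the original message or of qmail: a small Python audit of a POP3 command log that flags logins sent while the channel was unencrypted, without copying the password into the report. The two sessions, user names and secrets are constructed; the STLS upgrade (RFC 2595) goes beyond the options listed above and is included as one more way a session ends up inside SSL/TLS.

```python
import re

# Constructed application-level POP3 logs ("C:" client, "S:" server).
# All names and secrets are made up for this example.
SESSION_A = """\
S: +OK pop3 ready
C: USER alice
S: +OK
C: PASS hunter2
S: +OK
C: QUIT
"""
SESSION_B = """\
S: +OK pop3 ready
C: STLS
S: +OK begin TLS negotiation
C: USER bob
S: +OK
C: PASS s3cret
S: +OK
"""

def audit_pop3(transcript, implicit_tls=False):
    """Return findings for PASS commands sent over an unencrypted channel.

    implicit_tls=True models a session already wrapped in an SSL or SSH
    tunnel. The password argument is never placed in a finding.
    """
    encrypted = implicit_tls
    pending_stls = False          # client asked for STLS, awaiting reply
    user = None
    findings = []
    for raw in transcript.splitlines():
        m = re.match(r"([CS]):\s*(\S+)\s*(.*)", raw)
        if not m:
            continue              # skip lines that are not C:/S: records
        side, verb, arg = m.group(1), m.group(2).upper(), m.group(3)
        if side == "C":
            pending_stls = verb == "STLS"
            if verb == "USER":
                user = arg
            elif verb == "PASS" and not encrypted:
                findings.append(f"cleartext PASS for user {user!r}")
        elif pending_stls:
            # Only a +OK reply to STLS means the upgrade was accepted.
            encrypted = encrypted or verb == "+OK"
            pending_stls = False
    return findings
```
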