On Fri, 7 Nov 2003, Chuck Yerkes wrote:

> And I'd vote for "similar". poppassd happens to be
> supported by eudora (funny, eh?). Nothing else supports it.

Actually there are a bunch of packages which do, including the squirrelmail web frontend.

> It was just ok in 1992. It sends the passwords in the clear.
> Over the wire. And that's not ok, if it ever was. Esp if it's
> more than an "email password" (eg, you can log in with it).

Pop3 uses cleartext passwords. There are SSL extensions circulating for it too.

> People often use the same passwords in multiple places. If I get
> your email password, I likely have the password you use in many
> other places.

If you use plaintext pop3, you're just as vulnerable anyway - and most people still do. Perspective is definitely needed on this - if unencrypted pop3 is in use then there is little extra danger posed by unencrypted poppassd - however I avoid running _any_ unencrypted services in this day and age....

> I'd use a web page (https) and a CGI to change the password that way.

The CGI can be dangerous in itself. My recent solution (remember I helped develop the linux port) was to bind poppassd to the loopback port on the server, force users to use https Squirrelmail from that server and get them to change password that way.

We (manawatu.net.nz) developed a small poppassd cgi interface around 8 years ago, but that code was crufty and probably contained buffer overflow vulnerabilities. Don't use it.

AB
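
The mitigation described in the reply above (poppassd reachable only on the loopback address, with the HTTPS webmail front end doing the talking to it) is easy to get wrong at the inetd or daemon level, so here is an added verification script, not part of the thread and not code from poppassd or Squirrelmail. It reads `ss -Hltn`-style listener lines (an assumption about the output format; the old `netstat -ltn` layout differs) and flags any TCP/106 listener that is not bound to 127.0.0.1 or [::1]. The sample listings are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks that poppassd (TCP/106)
# listens on the loopback address only, as the reply recommends.
# Assumes input lines shaped like `ss -Hltn` output:
#   LISTEN <recvq> <sendq> <local-addr:port> <peer-addr:port>

# Read listener lines on stdin; print every poppassd listener that is not on
# loopback and return 1 if any was found, 0 if poppassd is loopback-only.
poppassd_exposed() {
    exposed=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${laddr##*:}"            # text after the last colon is the port
        [ "$port" = "106" ] || continue
        addr="${laddr%:*}"             # everything before the last colon
        case "$addr" in
            127.0.0.1|"[::1]") ;;      # loopback only: the intended binding
            *) echo "poppassd listening on $laddr (not loopback)"; exposed=1 ;;
        esac
    done
    return "$exposed"
}

# Constructed sample listings. WEAK binds poppassd to all IPv4 interfaces;
# SAFE binds it to loopback (v4 and v6) next to an unrelated HTTPS listener.
WEAK='LISTEN 0 128 0.0.0.0:106 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'
SAFE='LISTEN 0 128 127.0.0.1:106 0.0.0.0:*
LISTEN 0 128 [::1]:106 [::]:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*'

# Wrappers over the constructed data; on a real host run:  ss -Hltn | poppassd_exposed
check_weak() { printf '%s\n' "$WEAK" | poppassd_exposed; }
check_safe() { printf '%s\n' "$SAFE" | poppassd_exposed; }
```

`check_weak` reports the 0.0.0.0:106 listener and exits non-zero; `check_safe` stays silent and exits zero. The address comparison is deliberately strict: a wildcard such as `0.0.0.0`, `*` or `[::]` counts as exposed even on a host where a firewall is meant to cover it, because the point of the loopback binding is not to depend on the firewall.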
