Daniel,

1) Yes, I have that: popuser:x:36:15:Pop user:/var/spool/mail/popuser:/bin/false
which is fine for non-shell accounts. But as said, if someone snoops my pop session they will also have my login password. And yes, they could do the same with telnet.

2) This server does more than just pop so other services have to be on.

3) I have shadows but the pop users send details in plain-text; that's where the vulnerability is, not in the /etc/passwd file.

4) I am trying to avoid having to make the clients make any changes to their e-mail client, otherwise I would probably go with APOP, which would give me the separation of pop-user and shell accounts I am trying to achieve.

Dp.

On 20 Sep 2004 at 10:18, Daniel Senie wrote:

> At 09:52 AM 9/20/2004, Dermot Paikkos wrote:
> >Hi,
> >
> >SYSTEM: Exim 4.42 MTA Qpopper 4.0.5 on Tru64 UNIX
> >
> >I am planning to move our email from a v. old server and popd to a
> >fresh one. In the old configuration all the pop users were kept in a
> >plain text file 'POP' that was in a GECOS format.
> >
> >I was wondering if it is possible to maintain a similar
> >configuration. I have reservations about adding all pop users to the
> >/etc/passwd file as some pop users will also have a login
> >account. If all the pop users are in the passwd file, if someone
> >snoops my plain-text password during a pop session, that would be
> >stealing my login password as well.
>
> First off, you can have accounts in /etc/passwd which do not have the
> ability to log in. Make the shell /bin/nologin or /bin/false or
> something like that. The users will be able to POP, but not get a
> shell and log in.
>
> Second, don't leave telnet, ssh or FTP or other things open. Then they
> can't log in.
>
> Third, you should be using shadow password setups.
>
> Fourth, implement TLS, and your passwords will be encrypted. Or use
> APOP. Or both.
>
> >I want to keep the client configuration as simple as possible so APOP
> >seems like it might cause the users some confusion. One aim is to
> >make the transformation as transparent as possible so I don't want
> >the clients to have to do any more than perhaps change the pop3 host
> >or maybe I would do something with the DNS to resolve the hosts
> >correctly.
>
> TLS is pretty simple to have users make use of. It's well supported by
> client software. Don't expect a majority of your users to use it
> though.
>
> >Does anyone know if the above configuration is possible or have any
> >strong feeling about what I am trying to do?
> >
> >Thanx.
> >Dp.

~~
Dermot Paikkos * [EMAIL PROTECTED]
Network Administrator @ Science Photo Library
Phone: 0207 432 1100 * Fax: 0207 286 8668
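Daniel's first and third points (a non-login shell for POP-only accounts, and hashes kept in the shadow file rather than /etc/passwd) can be checked host-side with a short audit. This is an added example, not code from the thread; the two bad records and the user names are constructed, and the list of accounts meant to be POP-only is assumed to be supplied by the caller.

```python
"""Audit passwd(5) records for POP mailbox accounts (added example, not from
the thread). Flags a POP-only account whose shell still permits login, and
any account whose password hash sits in /etc/passwd instead of the shadow
file. The sample lines at the bottom are constructed."""
from typing import Dict, Iterable, List, NamedTuple
# Shells that refuse interactive login. An empty shell field means the
# system default shell on most Unixes, so it counts as a login shell.
NON_LOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}
# Field 2 values that carry no hash: "x" = hash lives in shadow, "*"/"!" = locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!"}

class PasswdEntry(NamedTuple):
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated passwd record; ValueError on a malformed line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)

def audit(lines: Iterable[str], pop_only: Iterable[str]) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for each record that needs attention."""
    wanted = set(pop_only)                # accounts that should never get a shell
    findings: Dict[str, List[str]] = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blanks and comments
        e = parse_passwd_line(line)
        issues = []
        if e.passwd not in NO_HASH_MARKERS:
            issues.append("hash stored in /etc/passwd, not shadowed")
        if e.name in wanted and e.shell not in NON_LOGIN_SHELLS:
            issues.append(f"POP-only account has login shell {e.shell or '(default)'}")
        if issues:
            findings[e.name] = issues
    return findings
# Constructed sample: the entry quoted in the thread plus two deliberately bad ones.
SAMPLE_PASSWD = [
    "popuser:x:36:15:Pop user:/var/spool/mail/popuser:/bin/false",
    "alice:x:1001:100:Alice (POP and shell):/home/alice:/bin/ksh",
    "bob:$1$CONSTRUCTED$notarealhash:1002:15:Bob POP only:/var/spool/mail/bob:",
]
```

Running audit(SAMPLE_PASSWD, ["popuser", "alice", "bob"]) reports nothing for popuser, the login shell for alice, and both the unshadowed hash and the default (empty) shell for bob.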
