
Re: pop3



On Mon, Jul 30, 2001 at 10:44:01PM +0200, Rafal Kupka wrote:
> On Sun, Jul 29, 2001 at 04:44:57PM -0700, Rob Hudson wrote:
> Hello,
> 
> [cut - about secure pop3 daemon]
> > 
> > I currently have fetchmail opening up a SSH tunnel, and get my mail
> > via popa3d.  I'll attach relevant scripts...
> > 
> > /home/user/.fetchmailrc:
> > -----------------------
> > poll cogit8.org via localhost protocol pop3 port 12574:
> >   preconnect "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
> >   password <your_password>;
> > 
> > I guess that's it.  This basically says, 
> > 
> > preconnect (do this before fetching mail) 
> > open a SSH channel from server cogit8.org port 110 to localhost port
> > 12574 (arbitrary port number), wait 10 seconds for fetchmail to get in
> > there.
> > 
> > then,
> > fetchmail on localhost port 12574.  
> This is insecure - any localhost user can sniff your passwords.
> ---
> kupson@temp: ~$ nc -l -p 60001 # chosen port number
> +OK
> USER kupson
> 
> PASS <mypassword>
> 
> QUIT
> 
> kupson@temp: ~$
> ---
> Type "+OK" after fetchmail connects to netcat, then several times <ENTER> .
> 
> Ssh didn't notify fetchmail that it cannot forward
> remote port to localhost.
> 
> You can run fetchmail as user root and choose port number < 1024,
> but that's an even worse security problem.
> 
> Does somebody know how to do it better?


I think the *best* way would be to have an ssh option that told it
specifically to tunnel 1 (or more?) tcp connections, failing if it
can't open it, and always waiting until they're finished before
closing (you currently get an annoying warning if sleep returns before
fetchmail finishes).  There does seem to be such an option though :/


-- 
Adam Olsen, aka Rhamphoryncus
