
POP3 daemon selection



I've been using qpopper up until now, for no real reason, other than that's
the first POP3 server I've tried.

My needs, however, have recently changed, so I'm exploring other POP3
servers, and would like some advice.

First, security is important.  I've read of a few root exploits in qpopper
recently (presumably fixed in the latest versions?).

Anyway... my (somewhat unusual) situation at this point is as follows:

  - Some customers have full Internet access, some customers have ONLY
    e-mail access
  - All users are authenticated w/ cistron radius out of /etc/passwd
  - Mail-only customers are all members of group "email", so when dialing
    in, are given a private IP address (192.168.x.x) by the radius server to
    prevent access to all but my local POP3 and SMTP servers
  - Full-access customers have shell accounts, Mail-only customers do not
    have shell accounts.  To prevent shell access for the mail-only
    customers, I have changed their shell to /bin/false (a non-existent
    file, not listed in /etc/shells), and changed their home directory to
    /email (a non-existent directory).

  This setup all worked fine until I started utilizing the POP bulletin
feature of qpopper, and qpopper needed to start storing .popbull files in
each user's home directory.  Without a valid home directory, qpopper cannot
store a .popbull file in the mail-only users' home directories.  As a
result, these customers receive every pop bulletin again EVERY time they
check their mail.

  The solution I have devised for this problem is to go ahead and create
home directories for the mail-only customers, but not give the individual
users read or write permissions to the directory.  Then, hacking the qpopper
source to run setgid "mailonly", and then set all mail-only customers' home
directories as read- and write-able by group "mailonly," thus allowing
qpopper the ability to store the needed .popbull file, but not allowing
mail-only customers access to the system.

  Now... my question:  Is this solution feasible and secure?

  Or better yet... is there a more "clean" way of accomplishing what I need,
either with qpopper or another POP3 daemon?

  And lastly... Is there another POP3 daemon I should consider anyway? 
Either for security or configurability?

  Thanks for any advice you can offer!


--
The Chico, California, City Council enacted a ban on nuclear weapons,
setting a $500 fine for anyone detonating one within city limits.
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Jonathan Hall  *  jonhall@futureks.net  *  PGP public key available
 Systems Admin, Future Internet Services; Goessel, KS * (316) 367-2487
         http://www.futureks.net  *  PGP Key ID: FE 00 FD 51
                  -=  Running Debian GNU/Linux  =-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
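
An added example, not part of the original message and not qpopper code: a check of the directory layout proposed above, reporting whether a mail-only user is locked out of the home directory while the daemon's group ("mailonly" in the message) can still write a .popbull file there. The names `class_bits` and `audit_home` are hypothetical, and the caller is assumed to supply the user's uid and full group set.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx triplet (0-7) the kernel applies: owner class, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit_home(path, user_uid, user_gids, daemon_gid):
    """Return findings for one mail-only home directory (empty list = OK)."""
    st = os.lstat(path)  # lstat: a symlink standing in for the home is reported, not followed
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    findings = []
    if class_bits(st, user_uid, user_gids):
        findings.append("user has direct access")
    if st.st_uid == user_uid:
        findings.append("user owns the directory and could chmod it")
    if daemon_gid in user_gids:
        findings.append("user is in the daemon group")
    if st.st_gid != daemon_gid or (stat.S_IMODE(st.st_mode) >> 3) & 7 != 7:
        findings.append("daemon group lacks rwx")
    return findings

if __name__ == "__main__":
    # Constructed sample: a scratch directory stands in for one user's home.
    home = tempfile.mkdtemp()
    st = os.lstat(home)
    daemon_gid = st.st_gid                                # stands in for group "mailonly"
    user_uid, user_gids = st.st_uid + 1, {st.st_gid + 1}  # hypothetical mail-only user
    for mode in (0o770, 0o775, 0o700):
        os.chmod(home, mode)
        print(oct(mode), audit_home(home, user_uid, user_gids, daemon_gid))
    os.chmod(home, 0o700)
    os.rmdir(home)
```

The owner check is separate from the access check because the owner class is evaluated first: a directory owned by the user with mode 070 denies that uid even when the process also holds the daemon group, and the owner can change the mode.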

