Re: pop3
On Sun, Jul 29, 2001 at 04:44:57PM -0700, Rob Hudson wrote:
Hello,
[cut - about secure pop3 daemon]
>
> I currently have fetchmail opening up an SSH tunnel, and get my mail
> via popa3d. I'll attach relevant scripts...
>
> /home/user/.fetchmailrc:
> -----------------------
> poll cogit8.org via localhost protocol pop3 port 12574:
> preconnect "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
> password <your_password>;
>
> I guess that's it. This basically says,
>
> preconnect (do this before fetching mail)
> open an SSH channel from server cogit8.org port 110 to localhost port
> 12574 (arbitrary port number), wait 10 seconds for fetchmail to get in
> there.
>
> then,
> fetchmail on localhost port 12574.
This is insecure - any localhost user can sniff your passwords.
---
kupson@temp: ~$ nc -l -p 60001 # chosen port number
+OK
USER kupson
PASS <mypassword>
QUIT
kupson@temp: ~$
---
Type "+OK" after fetchmail connects to netcat, then press <ENTER> several times.
Ssh didn't notify fetchmail that it cannot forward
the remote port to localhost.
You can run fetchmail as user root and choose a port number < 1024,
but that's an even worse security problem.
Does somebody know how to do it better?
[cut - rest]
Kupson
PS: Sorry for my english.
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)
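
An added example, not part of the original message or of fetchmail or ssh: a check that the listener on the forwarded port belongs to your own account before fetchmail sends a password to it, by reading the uid column of /proc/net/tcp. It assumes Linux, and the function names and the sample table are constructed for illustration; a matching uid shows the socket is yours, not that it is the ssh tunnel.

```python
import os
import sys

LISTEN = "0A"  # value of the "st" column for a listening socket

# Constructed sample in /proc/net/tcp layout (not captured from a real host):
# uid 1000 listens on 12574, uid 1001 on 60001, plus one established connection.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:311E 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001
   1: 0100007F:EA61 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 40002
   2: 0100007F:311E 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 40003
"""


def listener_uids(table, port):
    """Return the UIDs owning listening sockets on `port` in a /proc/net/tcp dump."""
    uids = set()
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)  # address:port, hex
        if fields[3] == LISTEN and local_port == port:
            uids.add(int(fields[7]))
    return uids


def tunnel_is_ours(table, port, my_uid):
    """True only if something listens on `port` and every listener is owned by my_uid."""
    return listener_uids(table, port) == {my_uid}


if __name__ == "__main__":
    port = int(sys.argv[1])
    uids = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):  # tcp6 uses the same columns
        if os.path.exists(path):
            with open(path) as fh:
                uids |= listener_uids(fh.read(), port)
    if uids != {os.getuid()}:
        owners = sorted(uids) or "nobody"
        sys.exit(f"port {port}: listener owned by {owners}, refusing to poll")
```

Run with the local port as its argument after ssh has gone to the background; a non-zero exit means the port is held by another account or by nobody.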