
Re: pop3



I was just playing around securing one of my Exchange boxes, and found that
coupling Stunnel (http://www.stunnel.org/) with your favourite mail server
works really well (not that Exchange is my pick for a secure mail server)
...

later,
Steve
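Steve's stunnel suggestion, written out as an added example (not configuration from either poster): a server-side stunnel.conf that terminates TLS on the pop3s port and hands the plaintext to a POP3 daemon such as popa3d on the loopback only, so the password never crosses a port that another local user could have claimed first. The host name, certificate paths and the stunnel4 account are assumptions.

```ini
; stunnel.conf, server side (added example; mail.example.org, the
; certificate paths and the stunnel4 user/group are assumptions)

; Certificate chain and private key presented to POP3 clients.
; Keep the key readable only by the stunnel user (mode 0600).
cert = /etc/stunnel/mail.example.org.pem
key  = /etc/stunnel/mail.example.org.key

; Drop root after binding port 995.
setuid = stunnel4
setgid = stunnel4

; Terminate TLS on 995 and forward the decrypted session to the
; POP3 daemon bound to 127.0.0.1:110 only, never to a port a local
; user could race for.
[pop3s]
accept  = 995
connect = 127.0.0.1:110
```

On the client, point fetchmail straight at port 995 with its `ssl` and `sslcertck` options instead of at a localhost forwarding port, so there is no plaintext hop left for a local user to listen on.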

----- Original Message -----
From: "Rafal Kupka" <kupson@polsl.gliwice.pl>
To: <debian-security@lists.debian.org>
Sent: Monday, July 30, 2001 1:44 PM
Subject: Re: pop3


> On Sun, Jul 29, 2001 at 04:44:57PM -0700, Rob Hudson wrote:
> Hello,
>
> [cut - about secure pop3 daemon]
> >
> > I currently have fetchmail opening up a SSH tunnel, and get my mail
> > via popa3d.  I'll attach relevant scripts...
> >
> > /home/user/.fetchmailrc:
> > -----------------------
> > poll cogit8.org via localhost protocol pop3 port 12574:
> >   preconnect "ssh -C -f -L 12574:cogit8.org:110 cogit8.org sleep 10"
> >   password <your_password>;
> >
> > I guess that's it.  This basically says,
> >
> > preconnect (do this before fetching mail)
> > open a SSH channel from server cogit8.org port 110 to localhost port
> > 12574 (arbitrary port number), wait 10 seconds for fetchmail to get in
> > there.
> >
> > then,
> > fetchmail on localhost port 12574.
> This is insecure - any localhost user can sniff your passwords.
> ---
> kupson@temp: ~$ nc -l -p 60001 # chosen port number
> +OK
> USER kupson
>
> PASS <mypassword>
>
> QUIT
>
> kupson@temp: ~$
> ---
> Type "+OK" after fetchmail connects to netcat, then several times <ENTER>.
>
> Ssh didn't notify fetchmail that it cannot forward the
> remote port to localhost.
>
> You can run fetchmail as user root and choose a port number < 1024,
> but it's an even worse security problem.
>
> Does somebody know how to do it better?
>
> [cut - rest]
>
> Kupson
> PS: Sorry for my English.
> --
> Great software without the knowledge to run it is pretty useless.
> (Linux Gazette #1)
>
>