Re: pop mail recommendations
On Friday, Dec 6, 2002, at 04:48 US/Pacific, Jeff AA wrote:
> Second the recommendation for courier.
> Remember that pop3 by default is insecure in that user/passwords
> pass in the clear over the net - DON'T make your mail users real users
> with shell access or you are opening a large number of doors and
> out a nice big 'Hack here!' flag. A little tcpdump on your segment will
> get you a nice list of all the users / passwords for all your pop users
> use pop-ssl instead.

I've already taken care of login security with my standard security
policy. SSH is the only remote login daemon available on the server.
Password authentication is disabled. Any access to the box must be done
with key authentication. Accounts with pop access (if /etc/passwd is
used for authentication) will have a /bin/false shell, and a read-only
.ssh directory where no authorized-keys file exists. 98% of the usage
on this mail server will be my own accounts. I won't be hosting any
clients, but I will be hosting a couple of friends here and there. Of
course, that could change in the future, and clients may very well be
included in the plan. Because of this, the pop3 access with some type
of encrypted authentication (pops, apop) is entirely for my own
convenience so as to prevent having to set up an ssh port forward
each time I want to check my mail while away from home. I am not
concerned with the transparency of the messages themselves, as anything
sensitive will be encrypted with GPG. Qpopper definitely interests me,
but it hasn't developed enough of a secure history yet with version 4.
I think I'll keep an eye on its development and perhaps use it at a
later time. For now, I'm still looking at popa3d, courier, and UofW, as
is recommended by some of you.
There is no character, howsoever good and fine, but it can be destroyed
by ridicule, howsoever poor and witless. Observe the ass, for
instance: his character is about perfect, he is the choicest spirit
among all the humbler animals, yet see what ridicule has brought him
to. Instead of feeling complimented when we are called an ass, we are
left in doubt.
-- Mark Twain, "Pudd'nhead Wilson's Calendar"
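
The difference between plain USER/PASS and the APOP login mentioned in this thread, as an added example that is not part of either poster's message. The greeting, user name and secret are the sample values from RFC 1939; the function names are hypothetical.

```python
import hashlib
import re

# Sample values from the APOP example in RFC 1939 (not from this thread).
GREETING = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
PLAIN_GREETING = "+OK POP3 server ready"   # constructed: no APOP banner
USER, SECRET = "mrose", "tanstaaf"

_BANNER = re.compile(r"<[^<>\s]+@[^<>\s]+>")


def apop_banner(greeting):
    """Return the <timestamp@host> banner of a +OK greeting, or None."""
    if not greeting.startswith("+OK"):
        return None
    match = _BANNER.search(greeting)
    return match.group(0) if match else None


def login_lines(greeting, user, secret, allow_cleartext=False):
    """Lines a client would send to log in.

    With a banner the secret never goes on the wire: only
    MD5(banner + secret) does, and the banner changes per connection.
    Without a banner the only option is USER/PASS, which puts the
    secret on the wire as-is, so it is refused unless explicitly allowed.
    """
    banner = apop_banner(greeting)
    if banner is not None:
        digest = hashlib.md5((banner + secret).encode("ascii")).hexdigest()
        return ["APOP %s %s" % (user, digest)]
    if not allow_cleartext:
        raise ValueError("server offers no APOP banner; refusing USER/PASS")
    return ["USER %s" % user, "PASS %s" % secret]


def exposes_secret(lines, secret):
    """True if the secret is readable in what would be sent."""
    return any(secret in line for line in lines)


if __name__ == "__main__":
    for line in login_lines(GREETING, USER, SECRET):
        print("C:", line)
```

APOP only covers the login exchange; the messages themselves still cross the network unencrypted unless the session runs over SSL.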