[TriLUG] securing pop3 transactions

Rodent of Unusual Size Ken.Coar at Golux.Com
Tue Dec 10 14:38:07 EST 2002

'k, the time has come when i have a couple of cycles available
to work on this..

i have a number of people using one of my systems for pop mail.
i would like to configure the pop3 service to use tls (or
whatever other mechanism works) to encrypt the exchange and
conceal the credentials.

the server is set up with the 'popauth' hack, meaning that
users need to authenticate (typically by checking for new
mail) before being able to send mail through the server.
however, that's a sendmail function and doesn't involve
credential authentication, so i don't think it applies.

some clients, like netscrape, can negotiate up to higher
security.  it's unclear whether that's on send or pop access.

since i have a number of people accessing the server from
arbitrary locations on the planet, and they don't all have
ssh available, i don't think an ssh tunnel is much use here.

i *am* willing (though reluctant) to let people with dumber
clients continue to send cleartext credentials, but i'd like
the smarter clients to be able to use encryption.  then i can
urge the users toward those clients.

(btw, which clients (muas) *can* do encryption?)

i'm using red hat 7.2 with stock binary rpms, and a hacked
qpopper (haven't gotten red hat's popd to work correctly yet).
any/all suggestions welcome!  i haven't found anything useful
on the net, but i'm probably not asking the right questions.

#ken	P-)}

Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
Author, developer, opinionist      http://Apache-Server.Com/

"Millennium hand and shrimp!"

