[TriLUG] securing pop3 transactions

Joe Meador linux at alien.biochem.wfubmc.edu
Tue Dec 10 17:23:42 EST 2002


I've set up (and use) POP3 with openssl but am by no means an expert...

I've used the pop server that comes with pine, pico, etc. and also
Eudora's qpopper to use ssl. I used the guide here as a starter:
http://www.defcon1.org/html/Security/Qpop-SSL/qpop-ssl.html but I'm not
certain I trust it since Nessus gave a message that my key was weak or
something to that effect.  Nessus does tell me that the U Washington pop3s
is more secure than qpopper pop3s.

Joe Meador


On Tue, 10 Dec 2002, Rodent of Unusual Size wrote:

> 'k, the time has come when i have a couple of cycles available
> to work on this..
>
> i have a number of people using one of my systems for pop mail.
> i would like to configure the pop3 service to use tls (or
> whatever other mechanism works) to encrypt the exchange and
> conceal the credentials.
>
> the server is set up with the 'popauth' hack, meaning that
> users need to authenticate (typically by checking for new
> mail) before being able to send mail through the server.
> however, that's a sendmail function and doesn't involve
> credential authentication, so i don't think it applies.
>
> some clients, like netscrape, can negotiate up to higher
> security.  it's unclear whether that's on send or pop access,
> though.
>
> since i have a number of people accessing the server from
> arbitrary locations on the planet, and they don't all have
> ssh available, i don't think an ssh tunnel is much use here.
>
> i *am* willing (though reluctant) to let people with dumber
> clients continue to send cleartext credentials, but i'd like
> the smarter clients to be able to use encryption.  then i can
> urge the users toward those clients.
>
> (btw, which clients (muas) *can* do encryption?)
>
> i'm using red hat 7.2 with stock binary rpms, and a hacked
> qpopper (haven't gotten red hat's popd to work correctly yet).
> any/all suggestions welcome!  i haven't found anything useful
> on the net, but i'm probably not asking the right questions.
>
> thanks!
> --
> #ken	P-)}
>
> Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
> Author, developer, opinionist      http://Apache-Server.Com/
>
> "Millennium hand and shrimp!"



