[TriLUG] securing pop3 transactions

Jon Carnes jonc at nc.rr.com
Tue Dec 10 19:42:33 EST 2002


I've set up the POPS (POP via SSL) on Red Hat before.  It's very easy
with the UoW popper (the one that Red Hat defaults to in its IMAP
rpm).  The instructions for setup can be found on-line at Red Hat or in
the docs that ship with Red Hat.

On Tue, 2002-12-10 at 17:23, Joe Meador wrote:
> I've set up (and use) POP3 with openssl but am by no means an expert...
> 
> I've used the pop server that comes with the pine, pico, etc and also
> Eudora's qpopper to use ssl.  I used the guide here as a starter:
> http://www.defcon1.org/html/Security/Qpop-SSL/qpop-ssl.html but I'm not
> certain I trust it since nessus gave a message that my key was weak or
> something to the effect.  Nessus does tell me that the u washington pop3s
> is more secure than qpopper pop3s.
> 
> Joe Meador
> 
> 
> On Tue, 10 Dec 2002, Rodent of Unusual Size wrote:
> 
> > 'k, the time has come when i have a couple of cycles available
> > to work on this..
> >
> > i have a number of people using one of my systems for pop mail.
> > i would like to configure the pop3 service to use tls (or
> > whatever other mechanism works) to encrypt the exchange and
> > conceal the credentials.
> >
> > the server is set up with the 'popauth' hack, meaning that
> > users need to authenticate (typically by checking for new
> > mail) before being able to send mail through the server.
> > however, that's a sendmail function and doesn't involve
> > credential authentication, so i don't think it applies.
> >
> > some clients, like netscrape, can negotiate up to higher
> > security.  it's unclear whether that's on send or pop access,
> > though.
> >
> > since i have a number of people accessing the server from
> > arbitrary locations on the planet, and they don't all have
> > ssh available, i don't think an ssh tunnel is much use here.
> >
> > i *am* willing (though reluctant) to let people with dumber
> > clients continue to send cleartext credentials, but i'd like
> > the smarter clients to be able to use encryption.  then i can
> > urge the users toward those clients.
> >
> > (btw, which clients (muas) *can* do encryption?)
> >
> > i'm using red hat 7.2 with stock binary rpms, and a hacked
> > qpopper (haven't gotten red hat's popd to work correctly yet).
> > any/all suggestions welcome!  i haven't found anything useful
> > on the net, but i'm probably not asking the right questions.
> >
> > thanks!
> > --
> > #ken	P-)}
> >
> > Ken Coar, Sanagendamgagwedweinini  http://Golux.Com/coar/
> > Author, developer, opinionist      http://Apache-Server.Com/
> >
> > "Millennium hand and shrimp!"
> > _______________________________________________
> > TriLUG mailing list
> >     http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ:
> >     http://www.trilug.org/~lovelace/faq/TriLUG-faq.html
> >
> 




