Hi Gurus,
Thanks to plamadeleine_at_lightbridge, Stephen Dowdy, sysadmin_at_astron,
Chris Adams, bobv_at_cs, Richard (tru64user), Ken Kleiner, David Warren.
Their suggestions were:
1) Install a secondary password system, fitted only for pop connections.
The passwords may be encrypted (APOP) or non-encrypted (POP). The passwords
for logins are not related (should be different in fact) to those pop
passwords. It looks like Eudora can handle encrypted passwords but I
have no information regarding Outlook Express nor Netscape Messenger
(could anybody say something on this?). I have tested Outlook for
non-authenticated passwords and it works. For more information on how to
implement this, see man pages of pop3d, in the "Authentication"
section, and of mailauth and mailusradm. See also section 12.4 of CD-ROM
"Compaq Tru64 Unix - Software Documentation".
2) SSH tunneling
" You could use an SSH tunnel on the PC to service your POP/IMAP
connections. I use TeraTermPro+SSH and establish a POP tunnel to my POP
server host. All you have to do is login via TTSSH to the POP server host
and it creates the channel to do the POP encapsulation. (well, you have to
configure it in the SSH configuration menu)
On your PC you indicate that 'localhost' is your POP server. You can also
use it to encapsulate your SMTP securely too, if you add a tunnel for that
as well.
The only difficulty is selling it to your PC users who are used to MS
"security" where passwords are stored on disk, or no security exists
at all "for convenience". Having to type in an extra password or RSA
passphrase can make some of them all crankity. (you only have to type the
password once to get the connection established.)
PuTTY (another freeware Win32 SSH app) has tunneling in the development
releases, though I haven't verified it working yet. Commercial Win32 apps
should have tunneling as well (F-secure, VanDyke SecureCRT...) "
3) SSL encrypted POP and IMAP
"You can do SSL encrypted POP and IMAP. If you have OpenSSL and UW IMAP,
they support that (you'll need to generate a certificate). Then you can
turn off "normal" un-encrypted POP and IMAP.
OpenSSL:
http://www.openssl.org/
UW IMAP:
http://www.washington.edu/imap/ "
4) stunnel
"You want to look at the stunnel program. This allows people to run
SSL-enabled mail clients (e.g. Outlook) while connecting to an ordinary
POP or IMAP server. The data is encrypted between the mail client and the
stunnel server, then stunnel forwards it to the mail service."
---------
"Hi....we use pop3 and imap here and only allow ssh connections. You are right,
pop3 and imap send clear text passwords. You need to tunnel those connections
using stunnel, and you'll need openssh for that since you'll need to create
a security certificate that people 'download' when they connect to
your email server via netscape, outlook, etc....
With stunnel, you still run imap/pop3 daemons via inetd.conf at their
regular port numbers, but you use tcp wrappers to disallow access to those
ports from any IP except your server that stunnel runs on. Stunnel runs
as a process and you want to set it up on port 993 for secure IMAP and 995
for secure POP (as ssl enabled email clients use those ports when you
select 'use ssl'). Stunnel just redirects connections to 993/995 to imap/pop,
and ssl enabled connections come in using the certificate.
Hope this helps! Searches for stunnel, imap, pop, openssl on www.google.com
will hopefully help...good luck!"
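An added illustration of the APOP mechanism behind suggestion 1, so that the difference from a cleartext USER/PASS login is concrete (example code written for this summary, not from the original post or from Tru64's pop3d). The banner and secret are the RFC 1939 test vector; the ApopServer class is a hypothetical stand-in for what the real pop3d does.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values: the greeting banner and shared secret from the APOP
# example in RFC 1939, not anything from the mailing-list post.
RFC1939_BANNER = "<1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"


def make_banner(pid: int, hostname: str) -> str:
    """Server greeting timestamp. RFC 1939 requires it to be unique per
    connection; a random suffix (an addition here) guards against two
    connections sharing pid and clock second."""
    return f"<{pid}.{int(time.time())}.{secrets.token_hex(4)}@{hostname}>"


def apop_digest(banner: str, secret: str) -> str:
    """Client side: MD5 over the exact banner (angle brackets included)
    followed by the shared secret, as lowercase hex."""
    return hashlib.md5((banner + secret).encode("ascii")).hexdigest()


def apop_command(user: str, banner: str, secret: str) -> str:
    """The one line sent instead of USER/PASS. A sniffer on the subnet sees
    only this digest; the secret itself never crosses the wire."""
    return f"APOP {user} {apop_digest(banner, secret)}"


class ApopServer:
    """Hypothetical server-side check. The server must hold the secret in a
    recoverable form to recompute the digest, which is why the post keeps the
    POP password separate from the (hashed) login password."""

    def __init__(self, secrets_db: dict, banner: str):
        self.secrets_db = secrets_db  # user -> shared secret
        self.banner = banner          # the banner this session greeted with

    def verify(self, line: str) -> bool:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "APOP":
            return False
        secret = self.secrets_db.get(parts[1])
        if secret is None:
            return False
        # Constant-time compare; a digest captured from an earlier session
        # fails here because it was bound to that session's banner.
        return hmac.compare_digest(apop_digest(self.banner, secret), parts[2])
```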
We decided to implement the secondary password system. But to work
with encrypted passwords (APOP - authenticated pop) it would be worthwhile if
Outlook and Netscape, like Eudora, could also accept them. Any information on this would
be appreciated.
Thanks to all again,
Oyanarte Portilho
Institute of Physics
University of Brasilia, Brazil
Original posting:
----------------
> We have a box running Tru64-Unix 5.0A and C2 security, in which our
> e-mails are transferred to pc's through pop3 service. We are worried
> about passwords being exposed in our subnet since we have detected the
> presence of a sniffer that was installed by a hacker in a Linux machine.
> Is there a simple solution to this? We have ssh installed but people
> prefer to get their e-mails through Eudora, Outlook, etc., instead of
> reading them in the workstation with pine or mail.
Received on Mon Jan 07 2002 - 20:01:54 NZDT