Try changing the port for pop3 to some weird port, and specify that port in your
gmail account for fetching; it's not foolproof, but it might work for you.
Kapil Jain
On 02-May-2011, at 5:30 PM, freebsd-security-request@freebsd.org wrote:
> Today's Topics:
>
> 1. limiting pop access to gmail servers ? (George Sanders)
> 2. Re: limiting pop access to gmail servers ? (Patrick Proniewski)
> 3. Re: limiting pop access to gmail servers ? (Gleb Kurtsou)
> 4. Re: limiting pop access to gmail servers ? (cronfy)
> 5. Re: limiting pop access to gmail servers ?
> (freebsd-lists@albury.net.au)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 1 May 2011 15:55:25 -0700 (PDT)
> From: George Sanders <gosand1982@yahoo.com>
> Subject: limiting pop access to gmail servers ?
> To: freebsd-security@freebsd.org
> Message-ID: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
>
>
> We run our own (freebsd) mail server. It's a pretty classic, old fashioned
> /var/mail/username setup.
>
> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...
>
> Is there an authoritative list ?
>
> Anyone else blocking POP access to everyone BUT google ?
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 2 May 2011 08:18:30 +0200
> From: Patrick Proniewski <patpro@patpro.net>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <3FF47F45-A59F-4542-A65E-6069300D9224@patpro.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> On 02 mai 2011, at 00:55, George Sanders wrote:
>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>
> You are right about that. According to my pop logs, my servers have
> encountered about 1000 different IPs from google (920 actually).
> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
> By the way, I'm in europe, I'm not sure USA, Australia or Japan
> would see the same gmail POP clients.
>
>> Is there an authoritative list ?
>
> I don't know.
>
>> Anyone else blocking POP access to everyone BUT google ?
>
> I don't.
>
> patpro
>
> ------------------------------
>
> Message: 3
> Date: Mon, 2 May 2011 12:42:04 +0600
> From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <BANLkTikgQM=-d41dCCDPpO-xBHOOy+CEbw@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, May 2, 2011 at 4:55 AM, George Sanders <gosand1982@yahoo.com> wrote:
>>
>>
>> We run our own (freebsd) mail server. It's a pretty classic, old fashioned
>> /var/mail/username setup.
>>
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>>
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>>
>> Is there an authoritative list ?
>>
>> Anyone else blocking POP access to everyone BUT google ?
>
> Didn't try it myself, just a wild guess. Hopefully google pop clients
> use real ssl certificates signed by google to authenticate. Mutual ssl
> authentication is hardly ever used, but still.
>
> Set up pop over ssl and check for google certificates instead.
>
> Gleb.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 2 May 2011 10:41:59 +0400
> From: cronfy <cronfy@gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: freebsd-security@freebsd.org, gosand1982@yahoo.com
> Message-ID: <BANLkTikEoddderju8un4jRouVWDBvPPZ8g@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
>>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>>> from us ...
>>
>> You are right about that. According to my pop logs, my servers have
>> encountered about 1000 different IPs from google (920 actually).
>> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
>> By the way, I'm in europe, I'm not sure USA, Australia or Japan would see
>> the same gmail POP clients.
>>
>
>
> You can make active checks for incoming connections. If reverse DNS record
> is valid (ip -> resolves to name -> resolves to same ip) and it matches
> '.*google.com$' regexp, then it is Google.
>
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 2 May 2011 17:23:07 +1000 (EST)
> From: freebsd-lists@albury.net.au
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <20110502171811.Y39066@ali-syd-1.albury.net.au>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>
>
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>>
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>
>
> While not a "strong" solution, out-of-the box, I'd suggest in
> /etc/hosts.allow (probably after the "paranoid" line to make inetd check
> fwd/reverse match)
>
> ALL : PARANOID : RFC931 20 : deny
>
> assuming you use qpopper (change as required)
>
> qpopper : .google.com : allow
> qpopper : x.x.x.0/255.255.255.0 : allow (your directly-connected users)
> qpopper : all : deny
>
>
> RossW
>
>
> ------------------------------
>
> End of freebsd-security Digest, Vol 371, Issue 1
> ************************************************
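
The forward-confirmed reverse DNS check described in Message 4 (ip -> name -> same ip, plus a google.com name match), as an added example that is not part of the original thread. The function names, the injectable resolver arguments and the sample records are assumptions made for illustration; the name match is anchored on the dot, since an unanchored '.*google.com$' also accepts a name such as notgoogle.com.

```python
import ipaddress
import socket

ALLOWED_SUFFIX = ".google.com"  # dot-anchored, so "notgoogle.com" cannot match


def system_reverse(ip):
    """PTR lookup via the system resolver; returns a hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(name):
    """A/AAAA lookup via the system resolver; returns a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def is_confirmed_google(ip, reverse=system_reverse, forward=system_forward):
    """True only if ip -> name -> same ip holds and name is under google.com."""
    addr = ipaddress.ip_address(ip)
    name = reverse(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    if not name.endswith(ALLOWED_SUFFIX):
        return False
    # The PTR record is set by whoever controls the IP block, so the name
    # alone proves nothing; the forward lookup must lead back to the same IP.
    for candidate in forward(name):
        try:
            if ipaddress.ip_address(candidate) == addr:
                return True
        except ValueError:  # e.g. scoped IPv6 literals from getaddrinfo
            continue
    return False


# Constructed records (documentation address ranges), used instead of live DNS.
PTR = {"192.0.2.10": "mail-ab1-c23.google.com.",
       "198.51.100.7": "mail-ab1-c23.google.com",  # forged PTR, no matching A
       "203.0.113.5": "pop.notgoogle.com"}         # look-alike domain
A = {"mail-ab1-c23.google.com": {"192.0.2.10"},
     "pop.notgoogle.com": {"203.0.113.5"}}


def demo(ip):
    """Run the check against the constructed records above."""
    return is_confirmed_google(ip, PTR.get, lambda n: A.get(n, set()))
```

Called with the default resolvers, is_confirmed_google(ip) performs live lookups for the connecting address; the PARANOID rule in the hosts.allow suggestion from Message 5 covers only the forward/reverse agreement half of this check.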