Hi,
There have been several people to reply to this question. One "digest"
answer on the list. (I've deleted all properly indented comments
except in the first most complete message. I've also deleted one
"mime-encoded HTML" version of one replicant. That's normally a
"sorry, won't be accepted like that" offence. I'm in a good mood today.)
-- Roger Wolff.
-----------------------------------------------------------------
From: "Michael H. Warfield" <mhw@wittsend.com>
Subject: [linux-security] Re: POP secure access??
C.M. Wong enscribed thusly:
> Hi, I'm looking for a solution to access pop mails (sendmail in linux)
> securely. Most of the access would be from Windows clients (outlook express
> etc). Is there a way to encrypt the password (like ssh2) when authenticating
> with sendmail? Any info is greatly appreciated. Thx.
Pop does not involve sendmail. Pop is a different protocol
used for retrieving E-Mail from a postoffice. Sendmail is used to receive
E-Mail (SMTP) into the server and postoffice.
If you want to encrypt pop or imap access, then I would suggest
using SSL encrypted pop (pop3s) or SSL encrypted imap (imaps). You can
do this with your standard pop and imap servers using an encrypting
wrapper such as sslproxy, edssl, or stunnel. These can be found by
following the links up at the OpenSSL site, <http://www.openssl.org>.
You're going to need OpenSSL to make it work as well (they're the crypto
libraries).
Outlook Express, Netscape, and numerous other Windows clients
already have built-in support for SSL encrypted pop and/or SSL encrypted
imap. You just have to check the preferences box for "encrypt
connections".
Examples of what I did to configure pop3s and imaps:
Add this to /etc/services:
imaps 993/tcp
pop3s 995/tcp
Set up this in /etc/inetd.conf:
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
imap stream tcp nowait root /usr/sbin/tcpd imapd
imaps stream tcp nowait root /usr/sbin/tcpd sslproxy -t 3600 -p imap
pop3s stream tcp nowait root /usr/sbin/tcpd sslproxy -t 3600 -p pop-3
Obviously, I'm using sslproxy. I've used edssl, and tried stunnel
but never got stunnel to work for me. Sslproxy is easy but doesn't support
some features like client side certificates like edssl does.
If you want to retrieve mail to a Linux client workstation using
SSL encrypted pop or imap, I highly recommend fetchmail-ssl. It's available
from the North American Cryptographic Archives
<http://www.cryptography.org>
in the SSL subdirectory. I wrote the SSL patches for fetchmail and released
it (with Eric Raymond's consent) through the archives. Since Eric and I both
live in the "Land of the Freeh" (sic) we can't, ourselves, release it in
a more general form or distribution.
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
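The inetd lines above put sslproxy in front of the unmodified pop and imap daemons, so the password is encrypted on the wire only when the client actually connects to 995/993 and authenticates the server; note that the same configuration still offers plain pop-3 and imap on 110/143 to any client left on its default settings. The following is an added Python 3 example (not code from any poster or from sslproxy/stunnel) showing the client half of a pop3s/imaps connection with the weak "just encrypt" TLS context beside a hardened one that verifies the certificate and refuses to send credentials otherwise. Host names, users and CA file paths are placeholders.

```python
"""Client side of pop3s (995) / imaps (993).  Added illustration: the
'weak' context encrypts without authenticating the peer, the 'hardened'
context verifies the server certificate and name and refuses old
protocol versions; the login helpers refuse to send a password unless the
context passes the preflight check.  Hosts and paths are placeholders."""

import imaplib
import poplib
import ssl
from typing import Optional, Tuple

POP3S_PORT = 995   # pop3s, as added to /etc/services above
IMAPS_PORT = 993   # imaps


def weak_context() -> ssl.SSLContext:
    """Encryption without authentication: any certificate is accepted, so a
    host interposed on the path can terminate TLS and read the credentials."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server certificate against the system store (or a site CA
    file such as a placeholder /etc/ssl/mail-ca.pem), require the host name
    to match, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Preflight check: true only if the peer will be authenticated."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def pop3s_stat(host: str, user: str, password: str,
               ctx: Optional[ssl.SSLContext] = None) -> Tuple[int, int]:
    """Log in over pop3s and return (message count, maildrop size in octets)."""
    ctx = ctx or hardened_context()
    if not context_is_hardened(ctx):
        raise ValueError("refusing to send a password over an unverified TLS session")
    conn = poplib.POP3_SSL(host, POP3S_PORT, context=ctx, timeout=30)
    try:
        conn.user(user)
        conn.pass_(password)
        return conn.stat()
    finally:
        conn.quit()


def imaps_inbox_count(host: str, user: str, password: str,
                      ctx: Optional[ssl.SSLContext] = None) -> int:
    """Log in over imaps and return the number of messages in INBOX."""
    ctx = ctx or hardened_context()
    if not context_is_hardened(ctx):
        raise ValueError("refusing to send a password over an unverified TLS session")
    with imaplib.IMAP4_SSL(host, IMAPS_PORT, ssl_context=ctx) as conn:
        conn.login(user, password)
        _status, data = conn.select("INBOX", readonly=True)
        return int(data[0])


if __name__ == "__main__":
    # Placeholder host; a real run needs a reachable pop3s server.
    print("hardened:", context_is_hardened(hardened_context()))
    print("weak:", context_is_hardened(weak_context()))
    # print(pop3s_stat("mail.example.invalid", "user", "password"))
```

The preflight check runs before any socket is opened, so a misconfigured context fails locally instead of leaking the password to whatever answers on port 995.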
---------------------------------------------------------------------------
From: Frank Derichsweiler <deri@Informatik.UniBw-Muenchen.DE>
Try to use channel forwarding within ssh. Details are within the ssh
docs. Unfortunately there is only a free ssh1 client for wind*** ...
HTH
Frank
---------------------------------------------------------------------------
From: Jan van Rensburg <jan.van.rensburg@epiuse.com>
outlook express supports ssl encrypted pop (if i remember correctly).
so, you can use openssl to ssl-ify the pop server, or use a proxy like
the one at:
http://www.multimania.com/jonama/
ciao,
--
--jan van rensburg
Oh what a tangled web we weave when
we could've used perl but we used C.
---------------------------------------------------------------------------
From: ctor <ctor@krixor.xy.org>
Using a POP-server with APOP support sounds good.. APOP uses
timestamps and md5.. Don't have any pointers, but qpopper is one of those
daemons with APOP-support, IIRC.. I'm sure there are patches for most
daemons to support APOP..
Unfortunately, I don't think the clients here all have support :( .. The
only one I'm sure has support is Eudora.
~~~<*>~~~
Web: http://elemental.webservices.se/ ICQ: 3534707
PGP: `finger ctor@sangis.kalix.net` IRCnet: ctor
~~~<*>~~~
---------------------------------------------------------------------------
From: Andrew Otwell <andrew@networkcomputerz.com>
IMAP over SSL.
--
################################################
# Andrew T. Otwell, Network Admin - Perl Prog
# andrew@networkcomputerz.com
# fon 770.489.8238 || pgr 770.746.3370
# http://www.NetworkComputerz.com
################################################
---------------------------------------------------------------------------
From: Mark Lamourine <mlamouri@bbnplanet.com>
On Mon, 20 Sep 1999, C.M. Wong wrote:
> Hi, I'm looking for a solution to access pop mails (sendmail in linux)
> securely. Most of the access would be from Windows clients (outlook express
> etc). Is there a way to encrypt the password (like ssh2) when authenticating
> with sendmail? Any info is greatly appreciated. Thx.
I think some clarification is in order.
sendmail is an SMTP agent. You send mail using sendmail (Funny how that
works). SMTP is a mail transfer protocol. It moves mail from a
startpoint (the sender) to an end point (the recipient's mailbox).
Sending mail doesn't require a password (though maybe it should).
POP3 is a remote mail reading protocol. There is a separate daemon on a
separate TCP port (110 for POP3, 25 for SMTP).
Using POP3, the user identifies herself to the POP server with a username
and password. Under most default circumstances, the username and password
are sent in cleartext.
There are 2 POP3 protocol extensions that allow authentication without
sending a password in cleartext. KPOP requires that the POP server use
kerberos authentication. APOP uses a shared secret (the password) and
cryptographic hashing to prove the user's identity while avoiding
transmitting the secret itself over the wire.
Both the username and the retrieved email are still transmitted in the
clear, but since SMTP has transmitted it from the sender to the user's
mailbox in clear already, that should not be a problem.
Your question implies that you want something like APOP.
I can't speak directly to the RH in.popd(1), but Qualcomm popper has APOP
capability. It's enabled using the popauth(1) command. The pop server
maintains a file of password hashes. To enable APOP, the user has to run
popauth on the pop server somehow to initialize the secret. The user then
has to tell the mail reading program to use APOP (Eudora can do this, I'm
not sure about others).
When the user authenticates, the client uses the pop server greeting
(which has a time stamp in it) and the user's hashed password to create a
new hash which is sent to the POP server. The pop server knows the
timestamp it sent, the user's secret and the algorithm the POP client used
to generate the transmitted hash. It runs the hash itself and compares
the results to the hash it received from the user. If they match, access
is granted.
Check out the POP3 RFC:
http://www.freenic.net/rfcs/rfc1900/rfc1939.txt
and the Qualcomm qpopper page
http://www.eudora.com/free/qpop.html
and the RedHat manpage for in.popd
- Mark
Mark Lamourine <mlamouri@gtei.net>
GTE Internetworking, Network Operations, Server Administration
3 Van DeGraff Drive, PO Box 3073, Burlington, MA 01803
Voice: +1 781 262 4306 Fax: +1 781 262 5508
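The APOP exchange Mark describes, carried through both sides in Python 3 as an added example (not Mark's, qpopper's or any real server's code): the client extracts the timestamp from the greeting, hashes it with the shared secret per RFC 1939 section 7, and the server repeats the computation and compares. One consequence of the math that the example makes explicit is that the server must hold the secret in a form it can feed back into MD5, so whatever popauth stores is not a one-way hash in the /etc/shadow sense. The host name, process id, clock value, user and secret are constructed here, mirroring the worked example in the RFC.

```python
"""APOP (RFC 1939, section 7) from both ends: the client sends
MD5(timestamp + secret) instead of the password, the server recomputes it.
Added illustration; the greeting, user and secret are constructed values
taken from the RFC's own worked example, not from a real mail host."""

import hashlib
import hmac
import re

# An APOP-capable server embeds a msg-id style timestamp,
# "<process-ID.clock@hostname>", in its +OK greeting; the digest covers it
# with the angle brackets included.
TIMESTAMP_RE = re.compile(r"<[^<>]+>")
HEX32_RE = re.compile(r"[0-9a-f]{32}")


def extract_timestamp(greeting: str) -> str:
    """Return the timestamp from a greeting, or fail if the server offers none."""
    match = TIMESTAMP_RE.search(greeting) if greeting.startswith("+OK") else None
    if match is None:
        raise ValueError("no APOP timestamp in greeting; only USER/PASS is possible")
    return match.group(0)


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over timestamp || secret, rendered as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def client_apop_command(greeting: str, user: str, secret: str) -> str:
    """The line a client sends instead of USER/PASS; the secret never leaves it."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


class ApopSession:
    """Server side of one connection.  Each connection gets a fresh timestamp,
    which is what stops a captured APOP line from being replayed later."""

    def __init__(self, secrets: dict, hostname: str, pid: int, clock: int):
        # The server must recompute MD5(timestamp + secret), so it needs the
        # secret itself (or an equivalent), not a one-way hash of it.
        self._secrets = secrets
        self.timestamp = f"<{pid}.{clock}@{hostname}>"

    def greeting(self) -> str:
        return f"+OK POP3 server ready {self.timestamp}"

    def handle(self, line: str) -> str:
        parts = line.split()
        if len(parts) != 3 or parts[0].upper() != "APOP":
            return "-ERR expected: APOP name digest"
        user, digest = parts[1], parts[2].lower()
        if not HEX32_RE.fullmatch(digest):
            return "-ERR digest must be 32 hex digits"
        # Hash against an empty dummy secret for unknown users so the response
        # time does not reveal which account names exist.
        expected = apop_digest(self.timestamp, self._secrets.get(user, ""))
        if user in self._secrets and hmac.compare_digest(expected, digest):
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def run_exchange(session: ApopSession, user: str, secret: str) -> str:
    """Drive one client/server exchange and return the server's verdict line."""
    return session.handle(client_apop_command(session.greeting(), user, secret))


if __name__ == "__main__":
    # Constructed secret store; values follow the RFC 1939 worked example.
    session = ApopSession({"mrose": "tanstaaf"}, "dbc.mtview.ca.us", 1896, 697170952)
    print(session.greeting())
    print(client_apop_command(session.greeting(), "mrose", "tanstaaf"))
    print(run_exchange(session, "mrose", "tanstaaf"))
```

Two points worth keeping in mind when deploying this: the digest changes with every greeting, so a captured APOP line is useless against a later connection, but anyone who records a greeting and its digest can test password guesses against them offline, so APOP does nothing for weak passwords. For real clients, Python's own poplib.POP3.apop(user, secret) implements the client half of this exchange.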
---------------------------------------------------------------------------
From: Przemek Klosowski <przemek@rrdjazz.nist.gov>
I assume that you are interested in retrieving mail (pop and imap)
rather than in sending mail (sendmail)---sendmail doesn't do per-user
authentication so no passwords are involved (unless you were concerned
about people sending passwords in the contents of their
messages). Having said that, there is SMTP over SSL (see below); I am
not sure which sendmail servers/clients use it.
There also exist SSL-encrypted POP and IMAP specs. Here's a list of services
that use SSL:
ssmtp 465/tcp # SMTP over SSL
snews 563/tcp # NNTP over SSL
ssl-ldap 636/tcp # LDAP over SSL
simap 993/tcp # IMAP over SSL
spop3 995/tcp # POP-3 over SSL
Netscape at least from version 4.51 up allows SSL-based IMAP
connections. I don't know about other mail clients.
przemek klosowski, Ph.D. <przemek@nist.gov> (301) 975-6249
NIST Center for Neutron Research (bldg. 235), E111
National Institute of Standards and Technology
Gaithersburg, MD 20899, USA
.. and for spam extractors, FCC Commissioners' email is:
wkennard@fcc.gov,sness@fcc.gov,pmisener@fcc.gov,mpowell@fcc.gov
---------------------------------------------------------------------------
From: "Brian E. Bothwell" <brian@wisdomtools.com>
Check out Stunnel, an SSL tunnel that can be used to encrypt POP,
IMAP, HTTP, and other TCP-based services. I use it to SSL-encrypt IMAP4
services for over 20 users and have had very few problems.
<http://mike.daewoo.com.pl/computer/stunnel/>
-Brian
--------------
Brian Bothwell brian@wisdomtools.com
System & Network Administrator http://www.wisdomtools.com
WisdomTools, Inc. 812-856-4200 #7
--------------
---------------------------------------------------------------------------
From: "Nick Gotsinas" <nick@minacom.com>
http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html
I haven't tried it yet but it looks like it works.
--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------