Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: Lart <lart () hacksec org>
Date: Mon, 30 Nov 1998 20:25:59 -0500
Nicholas Brawn wrote:
Speaking of pop3 over SSL, is anyone aware of mail clients or pop3 retrievers (Unix and/or Windows) that support it? The reason I'm asking is that I've recently plugged SSL into qpopper (2.53), and want to know whether I need to patch something like fetchmail, or whether there's something out there already that will do the job.
POP3/SSL is supported by Netscape, and M$ Outlook (98|Express). Those are the only ones I know of, I'd be surprised if someone hasn't hacked a way for GNUs or mutt to do this yet using SSLeay...

Rather than lock users into one of 3 mail clients, I've deployed solutions that look something like this:

   Internal                                         External
   Network   -----------------Firewall----------------   Network
                                 |
                                 |
                                 |
                                 |
                                 |
                  ---------------------------
                  |                         |
                  |                         |
                  |                         |
                *nix
                SMTP                       ssh
                POP3                     gateway
                IMAP
                LDAP

Users connect to the ssh gateway in the DMZ, and set up port forwards that look like:

   Local Port   Remote Server   Remote Port
   -------------------------------------------
   25           mail-server     25
   110          mail-server     110
   143          mail-server     143
   389          mail-server     389

Users now connect to 127.0.0.1:(25|110|143|389) for mail services.

On the mail server, run your popper out of tcpserver (from Dan Bernstein's UCSPI-TCP package), rather than inetd w/tcpd. Set up your cdb rules as (assuming your internal network is 192.168.10.0/24):

   ip.of.ssh.gateway:accept
   192.168.10.:accept
   :deny

Invoke tcpserver as:

   tcpserver -R -c100 -u0 -g0 -x/etc/tcp.pop3.cdb 0 \
       pop3 /usr/sbin/qpopper &

Please, make SURE you have up to date imapd sources, that have been patched to prevent the exploits previously published.

Rules for FW-1 to do this the way I've set it up would be:

   1. Any   mail-server   smtp   Accept
   2. Any   ssh-gw        ssh    Accept

Of course, you'd need to define 22/tcp as the service "ssh".

What else does this type of configuration allow for? It makes it really easy to accommodate remote users using an ISP for mail. Rather than leaving the mail server wide open, or doing POP3 before SMTP hacks, or any other magic, now all of your users' SMTP connections will originate from the ssh gateway machine.

--lart
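An added example, not code from lart's post: shell functions that build the ssh port-forward command for the table above and emulate tcpserver's lookup order over the cdb rules given, so the accept/deny outcome for a client address can be checked before the rules are compiled with tcprules. The gateway address 203.0.113.5 and the host names mail-server and ssh-gw are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the ssh
# port forwards and the tcpserver rules from the post, and emulates
# tcpserver's lookup order for IP-keyed rules (the post does not pass -H,
# so hostname keys would also be consulted; none appear in this file).
GATEWAY_IP="203.0.113.5"   # placeholder for ip.of.ssh.gateway
MAIL_HOST="mail-server"    # placeholder for the internal mail server

# ssh command a user runs to forward the four local ports to the mail server.
ssh_forward_cmd() {
  fwd=""
  for port in 25 110 143 389; do
    fwd="$fwd -L ${port}:${MAIL_HOST}:${port}"
  done
  printf 'ssh%s ssh-gw\n' "$fwd"
}

# The rules file from the post; compile it with:
#   pop3_rules | tcprules /etc/tcp.pop3.cdb /etc/tcp.pop3.tmp
pop3_rules() {
  printf '%s:accept\n192.168.10.:accept\n:deny\n' "$GATEWAY_IP"
}

# Next key tcpserver tries: drop the last octet, keep a trailing dot
# (192.168.10.7 -> 192.168.10. -> 192.168. -> 192. -> "").
shorter_prefix() {
  base="${1%.}"                     # strip a trailing dot, if any
  case "$base" in
    *.*) printf '%s.\n' "${base%.*}" ;;
    *)   printf '\n' ;;
  esac
}

# Look up a client IP the way tcpserver does for IP-only rules: exact
# address first, then shorter dotted prefixes, then the empty default key.
rule_for_ip() {
  key="$1"
  while :; do
    action=$(pop3_rules | awk -F: -v k="$key" '$1 == k { print $2; exit }')
    if [ -n "$action" ]; then
      printf '%s\n' "$action"
      return 0
    fi
    [ -z "$key" ] && return 1       # no rule matched at all
    key=$(shorter_prefix "$key")
  done
}
```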