Need some advice on setting up POP3

lorenct asked
Last Modified: 2013-12-16
Server: Solaris x86 v2.5
        sendmail v8.8.5
        qpopper v2.3

I have Qualcomm's qpopper v2.3 software and I have compiled and performed some simple tests with it... But, what I would like to know is if there are any security measures (ie. APOP) which should be followed and also how I can set up a pop-only id (ie, using /POPPER/ANY/SHELL as the user shell defined in /etc/passwd). The INSTALL text which came with the qpopper software gave a brief overview of the setups, but I would like to know from any of those individuals experienced with having a system on the Internet what they would advise and possibly some steps to achieving the recommended (secure) setup.

Any advice, comment, or recommendations would be greatly appreciated.

Thank you,

Timothy Lorenc

PS: I would like some further information on utilizing compile options such as:
-DAPOP or -DCHECK_SHELL

Commented:
You are correct.  Pointing users' shells at /bin/noshell will not let a user log in (also point their home directory at /dev/null or something similar).  Just make sure that /bin/noshell is closely watched for changes and has a 1755 permission.

You may need to set up an allowed shells file in /etc/shells as well if you do this, so be forewarned that you will need to create that file and have at least the following (I would think) in that file, if that's what you want:

-- cut

/usr/lib/rsh
/sbin/sh
/usr/bin/sh
/bin/csh

-- paste

Note that /bin/noshell isn't included in the list, so those users can't FTP in.

Author

Commented:
Edited text of question
Commented:
With the APOP option you maintain a separate passwd-type file (/etc/pop.auth) with names and passwds of allowed users, or you could use AUTHFILE and NONAUTHFILE, sort of an allow and deny file situation.  Enabling CHECK_SHELL will not let anyone with a non-standard shell use pop.  Usually standard shells end in sh.  The shell you mentioned above, /POPPER/ANY/SHELL, can be placed in /etc/shells to allow any shell access, but this defeats the purpose of using the option.  You can easily test this by telnetting to the pop port; this should be explained in the docs.  Also very helpful in securing your pop3 would be tcp_wrappers to specify systems which can connect.


Commented:
APOP is an interesting alternative, but it doesn't work because if you don't have a userid for Sendmail to work with, no mail will be accepted by the machine itself!  APOP is designed to allow people to have a separate password for their POP3 mail, NOT to act as an alternative to having a user registered in /etc/password.  In short, it won't work!

What does work is as I said above, create an /etc/shells, compile without check_shell and leave /bin/noshell out of /etc/shells so that the user can neither telnet nor ftp to the machine.  If you want them to change their password from remote, you can also compile in APOP as swint suggests.

Also, putting tcp wrappers on the pop3 daemon is generally considered more annoying than SPAM.  If people can't check their mail from remote, what good is POP3 in the first place?
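A small Python model of the /etc/shells policy the comments above describe, added here as an example (it is not code from the thread or from qpopper): the passwd and shells contents are constructed stand-ins, the shells list is the one proposed in the first comment, and the CHECK_SHELL behaviour is modelled as the comments describe it.

```python
from typing import Dict, List

# Constructed stand-ins for the Solaris files; the shells list is the one
# proposed in the first comment of the thread.
PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
tim:x:1001:10:Timothy Lorenc:/export/home/tim:/bin/csh
popuser1:x:2001:20:POP only:/dev/null:/bin/noshell
popuser2:x:2002:20:POP only:/dev/null:/bin/noshell
"""
SHELLS = "/usr/lib/rsh\n/sbin/sh\n/usr/bin/sh\n/bin/csh\n"
NOSHELL = "/bin/noshell"


def parse_shells(text: str) -> List[str]:
    """Non-blank, non-comment entries of an /etc/shells file."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def pop_allowed(shell: str, shells: List[str], check_shell: bool) -> bool:
    """qpopper built with -DCHECK_SHELL refuses shells missing from /etc/shells;
    built without it, the login shell is irrelevant to POP access."""
    return shell in shells if check_shell else True


def classify_accounts(passwd_text: str, shells_text: str,
                      check_shell: bool) -> Dict[str, Dict[str, bool]]:
    """Per user: can they get an interactive/ftp login, and can they use POP?"""
    shells = parse_shells(shells_text)
    report: Dict[str, Dict[str, bool]] = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, _pw, _uid, _gid, _gecos, _home, shell = line.split(":")
        report[user] = {
            "interactive_login": shell in shells,  # telnet/ftp honour /etc/shells
            "pop": pop_allowed(shell, shells, check_shell),
        }
    return report


def shells_file_problems(shells_text: str) -> List[str]:
    """The misconfiguration the thread warns about: /bin/noshell in /etc/shells."""
    problems = []
    if NOSHELL in parse_shells(shells_text):
        problems.append(f"{NOSHELL} is listed in /etc/shells: pop-only users could ftp in")
    return problems
```

Run against the constructed data, the pop-only accounts get POP but no login only when CHECK_SHELL is left out, which is the combination the comment above recommends.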

Commented:
True, but how many different IP addresses do you have?  You also have to look at whether this is a home system or at work (as I would assume).  If well implemented this would be of little hassle to administrator or user.  And if it is the company machine, most companies I have worked for would encourage the small trade-off between a slight inconvenience and improved security.


Author

Commented:
I guess I was trying to get some further elaboration on the use of APOP (-DAPOP during compile time) which from the qpopper INSTALL file led me to believe that the password the user entered was not passed in clear text, but encrypted somehow??? And what problems this could cause for users accessing the mail server using different GUIs (ie. Microsoft's Internet Explorer, Netscape Navigator, Qualcomm Eudora, ...)

The user will have a UID/GID assigned in the /etc/passwd file. And I was wondering what to do with their shell assignment. They will not have telnet/ftp access to the server, so I guess /POPPER/ANY/SHELL would be a good assignment. And additional server security is enhanced with a drawbridge front-end which allows only certain ports in (ie. 80, 110, 21 (anonymous ftp), ...)

I am trying to make my server as secure as possible so that another individual snooping on the network does not get a user's POP3 password and access to their mail...

Thanks for your comments, I guess it is just time to experiment a little.
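Here is what the APOP option discussed in this thread does on the wire, as an added Python example (not code from the thread or from qpopper): the credential store is a constructed dict modelled on the /etc/pop.auth file mentioned above, and the user name and secret are the ones used in RFC 1939's example exchange. It shows both sides of the handshake and what a passive listener on the network gets to see.

```python
import hashlib
import secrets
import time

# Constructed credential store modelled on qpopper's /etc/pop.auth. APOP needs
# the shared secret in recoverable form, so this file is as sensitive as a
# cleartext password list and must stay readable by root only.
POP_AUTH = {"mrose": "tanstaaf"}  # user/secret from the RFC 1939 example


def server_greeting(hostname: str = "dbc.mtview.ca.us") -> str:
    """Server side: the +OK banner carries a fresh, unique timestamp in <...>.
    qpopper uses pid.clock; a random token is used here to guarantee uniqueness."""
    return f"+OK POP3 server ready <{secrets.token_hex(8)}.{int(time.time())}@{hostname}>"


def extract_timestamp(greeting: str) -> str:
    """The timestamp is everything from the first '<' to the first '>' inclusive."""
    return greeting[greeting.index("<"):greeting.index(">") + 1]


def client_apop(greeting: str, user: str, password: str) -> str:
    """Client side: digest = MD5(timestamp || secret). Only the digest leaves the host."""
    digest = hashlib.md5((extract_timestamp(greeting) + password).encode()).hexdigest()
    return f"APOP {user} {digest}"


def server_verify(greeting: str, command: str) -> bool:
    """Server side: recompute with the stored secret and compare in constant time."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in POP_AUTH:
        return False
    expected = hashlib.md5(
        (extract_timestamp(greeting) + POP_AUTH[parts[1]]).encode()).hexdigest()
    return secrets.compare_digest(expected, parts[2])


def password_on_wire(*messages: str) -> bool:
    """What a passive snooper learns: does any message carry a stored secret verbatim?"""
    return any(secret in m for secret in POP_AUTH.values() for m in messages)


if __name__ == "__main__":
    greeting = server_greeting()
    command = client_apop(greeting, "mrose", "tanstaaf")
    print(greeting)
    print(command, "->", "+OK" if server_verify(greeting, command) else "-ERR")
    print("password visible to a snooper:", password_on_wire(greeting, command))
```

Because the banner changes on every connection, a captured digest is useless against the next session, whereas a captured USER/PASS pair is the password itself; APOP does nothing for the mail contents, which still cross the wire in the clear.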