Solved

Need some advice on setting up POP3

Posted on 1997-06-02
Last Modified: 2013-12-16
Server: Solaris x86 v2.5
        sendmail v8.8.5
        qpopper v2.3

I have Qualcomm's qpopper v2.3 software and I have compiled and performed some simple tests with it... But, what I would like to know is if there are any security measures (ie. APOP) which should be followed and also how I can set up a pop-only id (ie, using /POPPER/ANY/SHELL as the user shell defined in /etc/passwd). The INSTALL text which came with the qpopper software gave a brief overview of the setups, but I would like to know from any of those individuals experienced with having a system on the Internet what they would advise and possibly some steps to achieving the recommended (secure) setup.

Any advice, comment, or recommendations would be greatly appreciated.

Thank you,

Timothy Lorenc

PS: I would like some further information on utilizing compile options such as:
-DAPOP or -DCHECK_SHELL
Question by:lorenct
7 Comments
 
LVL 1

Expert Comment

by:coles
You are correct.  Pointing users' shells at /bin/noshell will not let a user log in (also point their home directory at /dev/null or something similar).  Just make sure that /bin/noshell is closely watched for changes and has a 1755 permission.

You may need to set up an allowed shells file in /etc/shells as well if you do this, so be forewarned that you will need to create that file and have at least the following (I would think) in that file, if that's what you want:

-- cut

/usr/lib/rsh
/sbin/sh
/usr/bin/sh
/bin/csh

-- paste

Note that /bin/noshell isn't included in the list, so those users can't FTP in.
 

Author Comment

by:lorenct
Edited text of question
 

Accepted Solution

by:
swint earned 180 total points
With the APOP option you maintain a separate passwd-type file (/etc/pop.auth) with names and passwds of allowed users, or you could use AUTHFILE and NONAUTHFILE, sort of an allow and deny file situation.  Enabling CHECK_SHELL will not let anyone with a non-standard shell use pop.  Usually standard shells end in sh.  The shell you mentioned above, /POPPER/ANY/SHELL, can be placed in /etc/shells to allow any shell access, but this defeats the purpose of using the option.  You can easily test this by telnetting to the pop port; this should be explained in the docs.  Also very helpful in securing your pop3 would be tcp_wrappers to specify systems which can connect.
 
LVL 1

Expert Comment

by:coles
APOP is an interesting alternative, but it doesn't work because if you don't have a userid for Sendmail to work with, no mail will be accepted by the machine itself!  APOP is designed to allow people to have a separate password for their POP3 mail, NOT to act as an alternative to having a user registered in /etc/password.  In short, it won't work!

What does work is as I said above, create an /etc/shells, compile without check_shell and leave /bin/noshell out of /etc/shells so that the user can neither telnet nor ftp to the machine.  If you want them to change their password from remote, you can also compile in APOP as swint suggests.

Also, putting tcp wrappers on the pop3 daemon is generally considered more annoying than SPAM.  If people can't check their mail from remote, what good is POP3 in the first place?
 

Expert Comment

by:swint
True, but how many different IP addresses do you have?  You also have to look at whether this is a home system or at work (as I would assume).  If well implemented this would be of little hassle to administrator or user.  And if it is the company machine, most companies I have worked for would encourage the small trade-off between a slight inconvenience and improved security.

Author Comment

by:lorenct
I guess I was trying to get some further elaboration on the use of APOP (-DAPOP during compile time) which from the qpopper INSTALL file led me to believe that the password the user entered was not passed in clear text, but encrypted somehow??? And what problems this could cause for users accessing the mail server using different GUIs (ie. Microsoft's Internet Explorer, Netscape Navigator, Qualcomm Eudora, ...)

The user will have a UID/GID assigned in the /etc/passwd file. And I was wondering what to do with their shell assignment. They will not have telnet/ftp access to the server, so I guess /POPPER/ANY/SHELL would be a good assignment. And additional server security is enhanced with a drawbridge front-end which allows only certain ports in (ie. 80, 110, 21 (anonymous ftp), ...)

I am trying to make my server as secure as possible so that another individual snooping on the network does not get a user's POP3 password and access to their mail...

Thanks for your comments, I guess it is just time to experiment a little.
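The "encrypted somehow" in the last comment is APOP's challenge-response (RFC 1939), and the example below models that exchange together with the CHECK_SHELL rule swint describes; it is added here and is not code from the thread or from qpopper. The greeting, the /etc/pop.auth entries, the shell list and the /POPPER/ANY/SHELL wildcard handling are constructed assumptions based on the thread, not on qpopper's source.

```python
import hashlib
import hmac
import re

# Constructed sample data, modelled on the /etc/pop.auth and /etc/shells
# files discussed in the thread; not taken from any real system.
POP_AUTH = {"tim": "correct horse"}            # user -> APOP secret
ETC_SHELLS = ["/sbin/sh", "/usr/bin/sh", "/bin/csh"]

BANNER_RE = re.compile(r"<[^<>]+@[^<>]+>")


def extract_banner(greeting: str) -> str:
    """Return the <pid.clock@host> timestamp the server puts in its +OK
    greeting; its presence is what tells a client APOP is offered."""
    m = BANNER_RE.search(greeting)
    if m is None:
        raise ValueError("no APOP timestamp in greeting; only USER/PASS possible")
    return m.group(0)


def apop_digest(banner: str, secret: str) -> str:
    """Client side: hex MD5 of timestamp + shared secret. The secret itself
    never leaves the client; only this per-session digest is sent."""
    return hashlib.md5((banner + secret).encode()).hexdigest()


def apop_verify(banner: str, user: str, digest: str, pop_auth=POP_AUTH) -> bool:
    """Server side: recompute the digest from the stored secret and compare.
    A snooper who captured (banner, digest) gains nothing reusable, because
    the next session gets a fresh banner and so a different digest."""
    secret = pop_auth.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(banner, secret), digest)


def shell_allowed(shell: str, shells=ETC_SHELLS) -> bool:
    """Model of the CHECK_SHELL rule from the thread (assumption, not
    qpopper's own code): the /etc/passwd shell must be listed in /etc/shells,
    unless /POPPER/ANY/SHELL is listed, which admits every shell."""
    return "/POPPER/ANY/SHELL" in shells or shell in shells


if __name__ == "__main__":
    greeting = "+OK QPOP (version 2.3) starting.  <1234.865231200@mail.example>"
    banner = extract_banner(greeting)
    digest = apop_digest(banner, POP_AUTH["tim"])
    print("C: APOP tim", digest)           # what actually crosses the wire
    print("S:", "+OK" if apop_verify(banner, "tim", digest) else "-ERR")
    print("noshell user allowed:", shell_allowed("/bin/noshell"))
```

Note that APOP protects only the authentication step; the mailbox contents still travel in clear text over port 110, and a user whose shell is kept out of /etc/shells is, as coles says, still blocked from telnet and ftp independently of APOP.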