Solved

Need some advice on setting up POP3

Posted on 1997-06-02
7
277 Views
Last Modified: 2013-12-16
Server: Solaris x86 v2.5
        sendmail v8.8.5
        qpopper v2.3

I have Qualcomm's qpopper v2.3 software and I have compiled and performed some simple tests with it... But, what I would like to know is if there are any security measures (ie. APOP) which should be followed and also how I can set up a pop-only id (ie, using /POPPER/ANY/SHELL as the user shell defined in /etc/passwd). The INSTALL text which came with the qpopper software gave a brief overview of the setups, but I would like to know from any of those individuals experienced with having a system on the Internet what they would advise and possibly some steps to achieving the recommended (secure) setup.

Any advice, comment, or recommendations would be greatly appreciated.

Thank you,

Timothy Lorenc

PS: I would like some further information on utilizing compile options such as:
-DAPOP or -DCHECK_SHELL
0
Question by:lorenct
7 Comments
 
LVL 1

Expert Comment

by:coles
ID: 1812332
You are correct.  Pointing users' shells at /bin/noshell will not let a user log in (also point their home directory at /dev/null or something similar).  Just make sure that /bin/noshell is closely watched for changes and has a 1755 permission.

You may need to set up an allowed shells file in /etc/shells as well if you do this, so be forewarned that you will need to create that file and have at least the following (I would think) in that file, if that's what you want:

-- cut

/usr/lib/rsh
/sbin/sh
/usr/bin/sh
/bin/csh

-- paste

Note that /bin/noshell isn't included in the list, so those users can't FTP in.
0
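The two list checks in play here (ftp-style logins accept only shells named in /etc/shells, and qpopper's CHECK_SHELL applies the same list unless /POPPER/ANY/SHELL is listed) are easy to get subtly wrong. The following is an added example, not code from the thread or from qpopper: it models those rules over a constructed /etc/passwd and /etc/shells pair and reports which accounts end up pop-only, which are locked out of both, and whether the marker line has quietly disabled CHECK_SHELL. The sample accounts, the treatment of /etc/shells as a plain string comparison against the passwd shell field, and the marker semantics are assumptions stated in the comments.

```python
# Added example (not from the thread or qpopper). Assumptions: ftp-style
# login checks compare the passwd shell field against /etc/shells as plain
# strings; qpopper's CHECK_SHELL applies the same list check unless the
# /POPPER/ANY/SHELL marker is listed, which disables the check for everyone.
ANY_SHELL_MARKER = "/POPPER/ANY/SHELL"

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
alice:x:1001:10:Alice, shell user:/export/home/alice:/bin/csh
bob:x:1002:10:Bob, pop only:/dev/null:/bin/noshell
carol:x:1003:10:Carol, pop only:/export/home/carol:/POPPER/ANY/SHELL
"""

SAMPLE_SHELLS = """\
/usr/lib/rsh
/sbin/sh
/usr/bin/sh
/bin/csh
"""


def parse_passwd(text):
    """Return {user: {"home": ..., "shell": ...}} from passwd-format text."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        accounts[fields[0]] = {"home": fields[5], "shell": fields[6]}
    return accounts


def parse_shells(text):
    """Return the shell list from /etc/shells-format text (one path per line)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def classify(accounts, shells, check_shell):
    """For each account decide interactive (ftp/login) access and pop access."""
    any_shell = ANY_SHELL_MARKER in shells
    result = {}
    for user, acct in accounts.items():
        # /etc/shells checks are plain string comparisons on the shell field.
        interactive = acct["shell"] in shells
        # Without CHECK_SHELL qpopper accepts any passwd entry; with it, the
        # shell must pass the same list check unless the marker is present.
        pop = True if not check_shell else (interactive or any_shell)
        result[user] = {"interactive": interactive, "pop": pop}
    return result


def pop_only_users(accounts, shells, check_shell):
    """Accounts that can fetch mail but cannot log in interactively."""
    c = classify(accounts, shells, check_shell)
    return sorted(u for u, v in c.items() if v["pop"] and not v["interactive"])


def audit(accounts, shells, check_shell):
    """Return human-readable findings about the passwd/shells combination."""
    findings = []
    if check_shell and ANY_SHELL_MARKER in shells:
        findings.append(f"{ANY_SHELL_MARKER} is listed in /etc/shells, which defeats CHECK_SHELL")
    for user, v in classify(accounts, shells, check_shell).items():
        shell, home = accounts[user]["shell"], accounts[user]["home"]
        if not v["interactive"] and not v["pop"]:
            findings.append(f"{user}: shell {shell} is not in /etc/shells and CHECK_SHELL is on; "
                            "account can neither log in nor fetch mail")
        if shell == ANY_SHELL_MARKER and ANY_SHELL_MARKER in shells:
            findings.append(f"{user}: shell field equals the listed marker, so a list-based "
                            "check treats it as a valid login shell")
        if not v["interactive"] and home != "/dev/null":
            findings.append(f"{user}: pop-only account still has a real home directory {home}")
    return findings


if __name__ == "__main__":
    acc, sh = parse_passwd(SAMPLE_PASSWD), parse_shells(SAMPLE_SHELLS)
    for flag in (False, True):
        print(f"CHECK_SHELL={flag}: pop-only = {pop_only_users(acc, sh, flag)}")
        for finding in audit(acc, sh, flag):
            print("  -", finding)
```

Running it with CHECK_SHELL on shows the trade-off the two posters are arguing about: bob and carol lose pop access entirely because their shells are not listed, and adding the marker line to get them back also turns the check off for every other account.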
 

Author Comment

by:lorenct
ID: 1812333
Edited text of question
0
 

Accepted Solution

by:
swint earned 180 total points
ID: 1812334
With the APOP option you maintain a separate passwd-type file (/etc/pop.auth) with names and passwds of allowed users, or you could use AUTHFILE and NONAUTHFILE, sort of an allow and deny file situation.  Enabling CHECK_SHELL will not let anyone with a non-standard shell use pop.  Usually standard shells end in sh.  The shell you mentioned above, /POPPER/ANY/SHELL, can be placed in /etc/shells to allow any shell access, but this defeats the purpose of using the option.  You can easily test this by telnetting to the pop port; this should be explained in the docs.  Also very helpful in securing your pop3 would be tcp_wrappers to specify systems which can connect.
0
 
LVL 1

Expert Comment

by:coles
ID: 1812335
APOP is an interesting alternative, but it doesn't work because if you don't have a userid for Sendmail to work with, no mail will be accepted by the machine itself!  APOP is designed to allow people to have a separate password for their POP3 mail, NOT to act as an alternative to having a user registered in /etc/password.  In short, it won't work!

What does work is as I said above, create an /etc/shells, compile without check_shell and leave /bin/noshell out of /etc/shells so that the user can neither telnet nor ftp to the machine.  If you want them to change their password from remote, you can also compile in APOP as swint suggests.

Also, putting tcp wrappers on the pop3 daemon is generally considered more annoying than SPAM.  If people can't check their mail from remote, what good is POP3 in the first place?
0
 

Expert Comment

by:swint
ID: 1812336
True, but how many different IP addresses do you have?  You also have to look at whether this is a home system or at work (as I would assume).  If well implemented this would be of little hassle to administrator or user.  And if it is the company machine, most companies I have worked for would encourage the small trade-off between a slight inconvenience and improved security.
0
 


Author Comment

by:lorenct
ID: 1812338
I guess I was trying to get some further elaboration on the use of APOP (-DAPOP during compile time) which from the qpopper INSTALL file led me to believe that the password the user entered was not passed in clear text, but encrypted somehow??? And what problems this could cause for users accessing the mail server using different GUIs (ie. Microsoft's Internet Explorer, Netscape Navigator, Qualcomm Eudora, ...)

The user will have a UID/GID assigned in the /etc/passwd file. And I was wondering what to do with their shell assignment. They will not have telnet/ftp access to the server, so I guess /POPPER/ANY/SHELL would be a good assignment. And additional server security is enhanced with a drawbridge front-end which allows only certain ports in (ie. 80, 110, 21 (anonymous ftp), ...)

I am trying to make my server as secure as possible so that another individual snooping on the network does not get a user's POP3 password and access to their mail...

Thanks for your comments, I guess it is just time to experiment a little.
0
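swint's description of the /etc/pop.auth secret file and lorenct's question about what APOP actually puts on the wire both come down to the exchange in RFC 1939 section 7: the server greeting carries a one-time timestamp, and the client answers with MD5 over that timestamp followed by the shared secret, so the secret itself never crosses the network. The block below is an added example, not qpopper code or anything from the thread; it plays both sides of that exchange with a constructed secret store standing in for /etc/pop.auth and a constructed hostname, so that a reader can see what a passive observer would and would not capture, and why a captured digest is useless against the next greeting.

```python
import hashlib
import hmac

# Added example (not qpopper code). Constructed APOP secret store standing in
# for /etc/pop.auth; note the server must hold the secret itself, not a hash.
APOP_SECRETS = {"alice": "correct horse battery staple"}  # constructed sample


def make_banner(pid, clock, host):
    """Server greeting; the <pid.clock@host> part is the one-time timestamp
    the client must fold into its digest (RFC 1939 section 7)."""
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"


def extract_timestamp(banner):
    """Pull the <...> timestamp, angle brackets included, out of the greeting."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(timestamp, secret):
    """MD5 over timestamp followed by the secret, as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def client_apop_command(banner, user, secret):
    """What the client sends instead of USER/PASS: the name and the digest."""
    return f"APOP {user} {apop_digest(extract_timestamp(banner), secret)}"


def server_verify(banner, command, secrets):
    """Server side: recompute the digest from its own banner and the stored
    secret, then compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return "-ERR syntax error"
    user, digest = parts[1], parts[2].lower()
    secret = secrets.get(user)
    if secret is None:
        # Same reply as a bad digest so the response does not reveal valid names.
        return "-ERR permission denied"
    expected = apop_digest(extract_timestamp(banner), secret)
    if hmac.compare_digest(expected, digest):
        return "+OK maildrop locked and ready"
    return "-ERR permission denied"


def wire_exchange(banner, user, secret, secrets):
    """Run one authentication and return the lines an observer on the network
    would see; the secret itself is never among them."""
    command = client_apop_command(banner, user, secret)
    return [f"S: {banner}",
            f"C: {command}",
            f"S: {server_verify(banner, command, secrets)}"]


if __name__ == "__main__":
    banner = make_banner(1896, 697170952, "pop.example.test")  # constructed host
    for line in wire_exchange(banner, "alice", APOP_SECRETS["alice"], APOP_SECRETS):
        print(line)
```

Two things the exchange makes visible. The digest is bound to the greeting, so replaying it against a later greeting fails, which is the protection lorenct is after for a snooper on the network. The other side of the design is that the server has to keep the secret in recoverable form to recompute the digest, which is why the permissions on /etc/pop.auth matter as much as the wire protocol, and the user name still travels in the clear.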
