Need some advice on setting up POP3

Server: Solaris x86 v2.5
        sendmail v8.8.5
        qpopper v2.3

I have Qualcomm's qpopper v2.3 software and I have compiled and performed some simple tests with it... But, what I would like to know is if there are any security measures (ie. APOP) which should be followed and also how I can set up a POP-only id (ie, using /POPPER/ANY/SHELL as the user shell defined in /etc/passwd). The INSTALL text which came with the qpopper software gave a brief overview of the setups, but I would like to know from any of those individuals experienced with having a system on the Internet what they would advise and possibly some steps to achieving the recommended (secure) setup.

Any advice, comment, or recommendations would be greatly appreciated.

Thank you,

Timothy Lorenc

PS: I would like some further information on utilizing compile options such as:
-DAPOP or -DCHECK_SHELL
lorenct Asked:

coles Commented:
You are correct.  Pointing users' shells at /bin/noshell will not let a user log in (also point their home directory at /dev/null or something similar).  Just make sure that /bin/noshell is closely watched for changes and has 1755 permissions.

You may need to set up an allowed shells file in /etc/shells as well if you do this, so be forewarned that you will need to create that file and have at least the following (I would think) in that file, if that's what you want:

-- cut

/usr/lib/rsh
/sbin/sh
/usr/bin/sh
/bin/csh

-- paste

Note that /bin/noshell isn't included in the list, so those users can't FTP in.
0
lorenct (Author) Commented:
Edited text of question
0
swint Commented:
With the APOP option you maintain a separate passwd-type file (/etc/pop.auth) with names and passwds of allowed users, or you could use AUTHFILE and NONAUTHFILE, sort of an allow and deny file situation.  Enabling CHECK_SHELL will not let anyone with a non-standard shell use pop.  Usually standard shells end in sh.  The shell you mentioned above, /POPPER/ANY/SHELL, can be placed in /etc/shells to allow any shell access, but this defeats the purpose of using the option.  You can easily test this by telnetting to the pop port; this should be explained in the docs.  Also very helpful in securing your pop3 would be tcp_wrappers to specify systems which can connect.
0


coles Commented:
APOP is an interesting alternative, but it doesn't work because if you don't have a userid for Sendmail to work with, no mail will be accepted by the machine itself!  APOP is designed to allow people to have a separate password for their POP3 mail, NOT to act as an alternative to having a user registered in /etc/password.  In short, it won't work!

What does work is as I said above, create an /etc/shells, compile without check_shell and leave /bin/noshell out of /etc/shells so that the user can neither telnet nor ftp to the machine.  If you want them to change their password from remote, you can also compile in APOP as swint suggests.

Also, putting tcp wrappers on the pop3 daemon is generally considered more annoying than SPAM.  If people can't check their mail from remote, what good is POP3 in the first place?
0
swint Commented:
True, but how many different IP addresses do you have?  You also have to look at whether this is a home system or at work (as I would assume).  If well implemented this would be of little hassle to administrator or user.  And if it is the company machine, most companies I have worked for would encourage the small trade-off between a slight inconvenience and improved security.
0
lorenct (Author) Commented:
I guess I was trying to get some further elaboration on the use of APOP (-DAPOP during compile time) which from the qpopper INSTALL file led me to believe that the password the user entered was not passed in clear text, but encrypted somehow??? And what problems this could cause for users accessing the mail server using different GUIs (ie. Microsoft's Internet Explorer, Netscape Navigator, Qualcomm Eudora, ...)

The user will have a UID/GID assigned in the /etc/passwd file. And I was wondering what to do with their shell assignment. They will not have telnet/ftp access to the server, so I guess /POPPER/ANY/SHELL would be a good assignment. And additional server security is enhanced with a drawbridge front-end which allows only certain ports in (ie. 80, 110, 21 (anonymous ftp), ...)

I am trying to make my server as secure as possible so that another individual snooping on the network does not get a user's POP3 password and access to their mail...

Thanks for your comments, I guess it is just time to experiment a little.
0
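On the question of what APOP actually puts on the wire: it is not encryption but a challenge-response defined in RFC 1939. The server banner carries a one-time timestamp string, the client sends `APOP name digest` where the digest is the MD5 of the timestamp concatenated with the shared secret, and the server recomputes the same digest from the secret it holds (qpopper's /etc/pop.auth, as swint mentions). The password never crosses the network, and a captured digest is useless against a later session because the timestamp changes. The Python below is an added illustration for this thread, not qpopper's code; the secret store and the banner values are constructed, and `USER`/`PASS` is shown alongside so the difference a network snooper would see is visible.

```python
"""APOP (RFC 1939) challenge-response modelled end to end.

Added illustration for this thread, not qpopper's own code.
The secret store and banner values below are constructed sample data.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Constructed stand-in for qpopper's /etc/pop.auth: name -> APOP secret.
# Caveat for defenders: the server must hold the secret itself (not a hash),
# so this file needs the same protection as the shadow password file.
POP_AUTH: Dict[str, str] = {"mrose": "tanstaaf"}


def server_greeting(pid: int, clock: int, host: str) -> str:
    """Banner carrying the unique timestamp <pid.clock@host> the client hashes."""
    return f"+OK POP3 server ready <{pid}.{clock}@{host}>"


def extract_timestamp(banner: str) -> Optional[str]:
    """Pull the <...> timestamp out of the banner; None means no APOP offered."""
    m = re.search(r"<[^>]+>", banner)
    return m.group(0) if m else None


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939: digest = MD5(timestamp || secret), sent as lowercase hex."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_apop(name: str, secret: str, banner: str) -> str:
    """What an APOP-capable client (e.g. Eudora) sends; the secret stays local."""
    ts = extract_timestamp(banner)
    if ts is None:
        raise ValueError("server banner has no timestamp: APOP not available")
    return f"APOP {name} {apop_digest(ts, secret)}"


def client_user_pass(name: str, password: str) -> List[str]:
    """The plain USER/PASS alternative: the password itself is on the wire."""
    return [f"USER {name}", f"PASS {password}"]


def server_verify_apop(line: str, banner: str, auth_db: Dict[str, str]) -> bool:
    """Server side: recompute the digest for this session's banner and compare.

    Constant-time comparison avoids leaking how many hex digits matched.
    """
    parts = line.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    name, digest = parts[1], parts[2].lower()
    secret = auth_db.get(name)
    ts = extract_timestamp(banner)
    if secret is None or ts is None:
        return False
    return hmac.compare_digest(apop_digest(ts, secret), digest)


if __name__ == "__main__":
    banner = server_greeting(1896, 697170952, "dbc.mtview.ca.us")
    line = client_apop("mrose", "tanstaaf", banner)
    print("S:", banner)
    print("C:", line)
    print("accepted:", server_verify_apop(line, banner, POP_AUTH))
    print("same line replayed against a new banner:",
          server_verify_apop(line, server_greeting(1897, 697170999, "dbc.mtview.ca.us"), POP_AUTH))
    print("cleartext alternative:", client_user_pass("mrose", "tanstaaf"))
```

Two things worth noting from the model. First, the replay check is what makes APOP useful against the snooping scenario in the question: the digest is bound to the banner of the session in which it was sent. Second, the client has to support APOP; a client that only knows USER/PASS falls back to sending the password in clear, so the protection depends on which mail programs the users actually run, which is the compatibility question raised above.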