SUMMARY: Secure POP

From: David Stern (dstern@tsi-telsys.com)
Date: Thu Jun 22 2000 - 09:00:13 CDT


Original question:

> Is there some better way to run POP from anywhere on the Internet connecting
> to a POP server? What I'm looking for is some authentication above and
> beyond the POP username/password (never mind it being in cleartext).
> Tcpwrap is not an option as people are likely to be coming in from
> large networks with unpredictable IP addresses.

Thanks to those who responded, too many to list.
Most said to use ssh to tunnel POP or IMAP. Other ideas included Kerberized
POP (APOP). Here is a selection of some of the responses:

------------------------------------------------------------------------------
From Bryan Carlson <carlson@cems.umn.edu>

1) You wrap the POP daemon (and imapd if you want) in SSL (I believe).
2) The client then must have SSL built into it - not every client does - I
believe Outlook, perhaps Netscape - not sure about others.
------------------------------------------------------------------------------

From Ian MacPhedran <Ian_MacPhedran@young.usask.ca>

You might want to use "stunnel" - http://www.stunnel.org/ It is a wrapper
program (like tcpwrap).

That will allow encrypted POP sessions from clients like Netscape.
------------------------------------------------------------------------------

From Brian Friday <bfriday@LaSierra.edu>

Qpopper from Qualcomm has an APOP mechanism. It's free but I haven't
implemented it at my site just yet.

www.eudora.com

------------------------------------------------------------------------------

From Michael Maciolek <mikem@ne.cohesive.com>

How about using ssh port-forwarding? From the client end you do
an 'ssh -L110:localhost:110 popserver', authenticate, then set
your pop client to connect to 'localhost'

The entire pop session runs over the encrypted ssh tunnel, so no
one can snoop the pop password exchange off the wire.

Note: this even works from Microsoft-based platforms using any ssh
client that provides port-forwarding.
------------------------------------------------------------------------------

From David LaPorte <david_laporte@harvard.edu>

Outlook and Netscape support POP over SSL. At the server side, you can
wrap the POP service with sslwrap (http://www.rickk.com/sslwrap/) or stunnel
(http://mike.daewoo.com.pl/computer/stunnel/).

Check out http://security.fi.infn.it/tools/stunnel/index-en.html for details
on how to set up secure POP.

Try looking at stunnel.
It will allow you to SSL tunnel your POP connection on port 995.
It works great, but you will also need some other tools such as:
openssl and rsaref

 =-=-=-=-=-=-=-=-=- generated by /dev/dave -=-=-=-=-=-=-=-=-=-=-=-=-=-=
 David Stern TSI TelSys
 Manager, Information Systems 410-872-3906
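
Added example, not part of the original thread: the APOP login that several replies mention, as defined in RFC 1939, where the client sends an MD5 digest of the server's greeting timestamp plus a shared secret instead of the password itself. The greeting and secret are the RFC's own example values, used here as constructed sample input; the function names and the SECRETS table are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample input: the greeting and secret from RFC 1939's APOP example.
GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SECRETS = {"mrose": "tanstaaf"}  # server-side shared-secret table (hypothetical)

_TIMESTAMP = re.compile(rb"<[^<>\s]+@[^<>\s]+>")

def extract_timestamp(greeting):
    """Return the <...@...> challenge from a POP3 greeting, or None if absent."""
    if not greeting.startswith(b"+OK"):
        return None
    match = _TIMESTAMP.search(greeting)
    return match.group(0) if match else None

def apop_digest(timestamp, secret):
    """MD5 over timestamp (brackets included) followed by the shared secret."""
    return hashlib.md5(timestamp + secret.encode()).hexdigest()

def client_command(greeting, user, secret):
    """Build the APOP line; refuse rather than fall back to cleartext USER/PASS."""
    timestamp = extract_timestamp(greeting)
    if timestamp is None:
        raise ValueError("greeting has no timestamp: server does not offer APOP")
    return "APOP %s %s" % (user, apop_digest(timestamp, secret))

def server_verify(issued_timestamp, command, secrets):
    """Check a client's APOP line against the timestamp this session issued."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    secret = secrets.get(parts[1])
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    return hmac.compare_digest(expected.encode(), parts[2].lower().encode())

if __name__ == "__main__":
    cmd = client_command(GREETING, "mrose", "tanstaaf")
    print(cmd)
    print("accepted:", server_verify(extract_timestamp(GREETING), cmd, SECRETS))
    # A captured APOP line is useless in a later session with a new timestamp.
    print("replayed:", server_verify(b"<1897.697170999@dbc.mtview.ca.us>", cmd, SECRETS))
```

APOP protects only the login exchange; message contents still cross the network in cleartext unless the session is also tunneled through ssh or SSL as the other replies describe.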


