[plug] POP mail security

Christian christian at global.net.au
Thu Jan 6 11:05:04 WST 2000

Steve Grasso wrote:
> >All my users use fetchmail to get mail from my ISP's POP server.
> >For lack of resources, I cannot put a pop server on my box.
> >
> >What is the best way to protect my users' passwords from being sniffed?
> >Can a user use an encrypted tunnel to send the userid and password to
> >the pop server?
> One option (not especially liked by users) would be to use S/Key one-time
> passwords. In the event you're not using SSH, this would somewhat protect
> shell accounts too.

Can you use S/Key with POP?  Are there any clients or servers which
support it?  (I don't remember hearing of any and I couldn't see any
sign of fetchmail support from glancing at the manual page although I
may have missed something...).  Fetchmail does, however, support APOP or
various versions of Kerberized POP so this might be the best place to
start.  I think that APOP is supported in some servers although I
haven't used it myself.  Using SSH may or may not be an option depending
on the exact circumstances of your setup.  Also, there was a discussion
of something similar to this on the OpenBSD-misc mailing list recently
in regard to IMAP, which may be of use if you get really stuck.
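
The APOP exchange mentioned above, as an added example that is not part of the original post and is not fetchmail's code: the client sends an MD5 digest of the server's greeting timestamp plus the shared secret, so the password itself never crosses the wire. The banner, user and secret are the sample values from RFC 1939; the function names are hypothetical.

```python
import hashlib
import hmac
import re

# Sample values taken from the APOP example in RFC 1939 (not real credentials).
BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
USER, SECRET = "mrose", "tanstaaf"

_TIMESTAMP = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def extract_timestamp(banner):
    """Return the <pid.clock@host> token from the greeting, or None if absent."""
    if not banner.startswith("+OK"):
        return None
    match = _TIMESTAMP.search(banner)
    return match.group(0) if match else None

def apop_digest(timestamp, secret):
    """MD5 over timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("latin-1")).hexdigest()

def client_command(banner, user, secret):
    """Build the APOP line; fail closed rather than fall back to USER/PASS."""
    timestamp = extract_timestamp(banner)
    if timestamp is None:
        raise ValueError("no APOP timestamp in greeting; not sending clear-text PASS")
    return f"APOP {user} {apop_digest(timestamp, secret)}"

def server_verify(command, issued_timestamp, secrets):
    """Check a client line against the timestamp issued for THIS connection."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(expected.encode(), digest.lower().encode("latin-1", "replace"))

if __name__ == "__main__":
    line = client_command(BANNER, USER, SECRET)
    print(line)
    print(server_verify(line, extract_timestamp(BANNER), {USER: SECRET}))
```

APOP only protects the login: the mail itself still travels in clear text, and the server has to keep each secret in a form it can read back in order to compute the digest.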



