[plug] POP mail security
christian at global.net.au
Thu Jan 6 11:05:04 WST 2000
Steve Grasso wrote:
> >All my users use fetchmail to get mail from my ISP's POP server.
> >For lack of resources, I cannot put a pop server on my box.
> >What is the best way to protect my users passwords from being sniffed?
> >Can a user use an encrypted tunnel to send the userid and password to
> >the pop server?
> One option (not especially liked by users) would be to use S/Key one-time
> passwords. In the event you're not using SSH, this would somewhat protect
> shell accounts too.
Can you use S/Key with POP? Are there any clients or servers which
support it? (I don't remember hearing of any and I couldn't see any
sign of fetchmail support from glancing at the manual page although I
may have missed something...). Fetchmail does, however, support APOP or
various versions of Kerberized POP so this might be the best place to
start. I think that APOP is supported in some servers although I
haven't used it myself. Using SSH may or may not be an option depending
on the exact circumstances of your setup. Also, there was a discussion
of something similar to this on the OpenBSD-misc mailing list recently
in regards to IMAP which may be of use if you get really stuck.
More information about the plug