[plug] POP and SSL

Leon Brooks leonb at bounce.networx.net.au
Sat Jan 8 20:45:01 WST 2000


Christian wrote:
> Leon Brooks wrote:
>> Subba Rao wrote:
>>> What is the best way to protect my users' passwords from being sniffed?

>> The simplest, least flexible way is to block access to the POP port
>> except from your dialup lines.

> This won't really give much protection, will it?  Attackers can still
> telnet/ssh/ftp in (assuming any of these services are enabled)

You'd be silly to leave Telnet enabled without _some_ protection; FTP
(most, anyway) responds slowly to a bad password and so is of limited
use for brute-forcing (and many FTP clients can be SSH-enabled), and ssh
isn't susceptible to sniffing.

>> There are SSL versions of the POP3 protocol (my /etc/services file
>> mentions spop3 on port 995) but I suspect that Windows clients for same
>> would be limited.

> He said they were all using Fetchmail... (which doesn't support SSL
> either from what I gather).

Doesn't it? Well, it shouldn't be too difficult to add if so. There are
projects like stelnet around to provide working examples of the SSL
interface.

> As I suggested, APOP or a Kerberized POP
> might be the best approach if SSH can't be used.

These are sniffer-proof, are they?

-- 
Confidence is the feeling you have before you understand the situation.
If at first you don't succeed, try a shorter bungee. When in trouble,
when in doubt, run in circles, scream and shout. The two great secrets
of success are: don't tell anyone everything that you know.
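
Added example, not part of the original thread: what a passive capture of the login contains under plain USER/PASS versus APOP, where the client sends MD5(banner timestamp + shared secret) as defined in RFC 1939. The greeting, user and secret are the sample values from RFC 1939, the function names are hypothetical, and APOP covers only the login, so the mail itself is still readable on the wire unless the session runs over SSL.

```python
import hashlib
import re

# Sample values taken from the APOP example in RFC 1939 (not from this thread).
GREETING = b"+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>\r\n"
USER = "mrose"
SECRET = "tanstaaf"


def apop_command(greeting: bytes, user: str, secret: str) -> bytes:
    """Build the APOP line a client sends in reply to a server greeting."""
    # A server offers APOP by putting a unique <timestamp> in its banner.
    match = re.search(rb"<[^<>\s]+@[^<>\s]+>", greeting)
    if match is None:
        raise ValueError("greeting has no APOP timestamp; APOP not offered")
    digest = hashlib.md5(match.group(0) + secret.encode()).hexdigest()
    return f"APOP {user} {digest}\r\n".encode()


def plain_login(user: str, secret: str) -> bytes:
    """The USER/PASS lines sent for ordinary POP3 authentication."""
    return f"USER {user}\r\nPASS {secret}\r\n".encode()


def secret_on_wire(wire: bytes, secret: str) -> bool:
    """True if a capture of `wire` contains the password itself."""
    return secret.encode() in wire


if __name__ == "__main__":
    plain = plain_login(USER, SECRET)
    apop = apop_command(GREETING, USER, SECRET)
    print("USER/PASS:", plain, "password visible:", secret_on_wire(plain, SECRET))
    print("APOP     :", apop, "password visible:", secret_on_wire(apop, SECRET))
    # The banner timestamp changes per connection (constructed second banner),
    # so the digest captured from one session differs from the next one.
    later = apop_command(b"+OK ready <1897.697170999@dbc.mtview.ca.us>\r\n",
                         USER, SECRET)
    print("same digest on next connection:", apop == later)
```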

