POP server configuration Security


Post by Tom Tow » Sat, 18 Jan 1997 04:00:00



Question is,...on an NT 3.51 running Netscape's Mail Server, a network manager
I work with is concerned that security will be compromised if we sign onto
another ISP account and retrieve our mail by configuring our e-mail clients
to query the POP server. He claims that hackers will steal our passwords from
packets logging onto the POP server. He seems to feel that a password
hijacker can sit and intercept these packets, disassemble them, decrypt the
password, and this will allow them to access our system. I hold that our POP
and SMTP server is separate from all others, and even if this could happen,
the worst that could happen is very little for all of the effort, such as
someone reading someone else's mail.

Someone taught a class on security that this guy attended and it appears that
they have misled him into thinking paranoia. He basically does not want me,
the Webmaster, and the rest of the staff retrieving our mail unless we are
dialed into our own Network. I say there is no problem with accessing
remotely through my Internet provider.

BTW, Our DNS is on a Unix server, as he will not let me set it up on NT. He
knows neither NT nor Unix, but manages the Novell LAN. Our provider
originally set up the DNS on the Unix, and he is afraid to touch it. He is
also afraid the Unix box will be accessed by hackers if they decode the POP
server, although there is no integrated connection other than physical.

Any thoughts? E-mail me if possible.

Tom

 
 
 


Post by Jeremy Brow » Sat, 18 Jan 1997 04:00:00




Quote:> Question is,...on an NT 3.51 running Netscape's Mail Server, a network manager
> I work with is concerned that security will be compromised if we sign onto
> another ISP account and retrieve our mail by configuring our e-mail clients
> to query the POP server. He claims that hackers will steal our passwords from
> packets logging onto the POP server. He seems to feel that a password
> hijacker can sit and intercept these packets, disassemble them, decrypt the
> password, and this will allow them to access our system. I hold that our POP
> and SMTP server is separate from all others, and even if this could happen,
> the worst that could happen is very little for all of the effort, such as
> someone reading someone else's mail.

To an extent his worries could become fact.  However if your SMTP/POP
server(s) are separated from the rest of the net then I don't think
he has a lot to worry about.  One thing you could investigate which
almost certainly would placate him is to see if your Mail server and
clients support APOP style logins (see RFC 1939).  APOP does not
send a password at all but rather uses a challenge/response mechanism.

Quote:

> Someone taught a class on security that this guy attended and it appears that
> they have misled him into thinking paranoia. He basically does not want me,
> the Webmaster, and the rest of the staff retrieving our mail unless we are
> dialed into our own Network. I say there is no problem with accessing
> remotely through my Internet provider.

They probably told him about ethernet sniffers and running something
like crack and he most likely still believes things are the same.

I have experienced something similar where an ex-boss had attended
a Novell class 5 years before and refused to let us change the way
we did things (They taught me it this way, so you have to do the
same !).

Quote:

> BTW, Our DNS is on a Unix server, as he will not let me set it up on NT. He
> knows neither NT nor Unix, but manages the Novell LAN. Our provider
> originally set up the DNS on the Unix, and he is afraid to touch it. He is
> also afraid the Unix box will be accessed by hackers if they decode the POP
> server, although there is no integrated connection other than physical.

Haa!, as if a Novell server was foolproof.  Unless you have packet
signatures there is nothing stopping you grabbing a trace, editing
it and playing it back at a later time.  Unix and NT are streets
ahead with regard to security compared to Novell (ok 4.x doesn't
count here).

Quote:

> Any thoughts? E-mail me if possible.

> Tom

Jeremy
--
Jeremy Brown, Dr. Materna GmbH, Dortmund, Germany
-------------------------------------------------
Replace $ in my address with . when sending email.
This is to prevent adverts and spamming, sorry.

 
 
 


Post by Thomas H. Ptac » Sat, 18 Jan 1997 04:00:00



Quote:
> to query the POP server. He claims that hackers will steal our passwords from
> packets logging onto the POP server. He seems to feel that a password
> hijacker can sit and intercept these packets, disassemble them, decrypt the
> password, and this will allow them to access our system. I hold that our POP

What would he need to decrypt? If you're just doing standard POP3, you're
sticking your name and password in plaintext into TCP packets:

+OK POP3 Server (mypop) at localhost starting
USER fozzie
+OK Password requested for fozzie
PASS wakkawakkawakka

Your coworker is right. If your ISP's system is compromised, it's
completely trivial for the attacker to monitor the network for TCP packets
destined to port 110. The first couple thousand bytes of these sessions
will almost invariably contain passwords that can be used to access other
services.

If your POP3 password has any meaning to someone on the Internet
attempting to access your network, you shouldn't be sending it in
plaintext across the network. Investigate things like APOP, or end-to-end
encryption with VPN software.

--
----------------

----------------
exit(main(kfp->kargc, argv, environ));
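
The two login styles discussed in this thread (plaintext USER/PASS and the APOP challenge/response from RFC 1939), shown side by side as an added example that is not part of any poster's message. The function names and the "S:"/"C:" transcript layout are assumptions made for illustration; the APOP timestamp, user and secret are the example values printed in RFC 1939.

```python
import hashlib
import hmac
import re

# Constructed sample sessions ("S:" = server line, "C:" = client line).
# The first mirrors the plaintext login quoted in the thread; the second
# uses the APOP example values from RFC 1939.
PLAIN_SESSION = [
    "S: +OK POP3 Server (mypop) at localhost starting",
    "C: USER fozzie",
    "S: +OK Password requested for fozzie",
    "C: PASS wakkawakkawakka",
]
APOP_SESSION = [
    "S: +OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
    "C: APOP mrose c4c9334bac560ecc979e58001b3e22fb",
]

def apop_digest(banner_timestamp, shared_secret):
    """RFC 1939: hex MD5 of the banner timestamp (with < >) followed by the secret."""
    data = (banner_timestamp + shared_secret).encode("ascii")
    return hashlib.md5(data).hexdigest()

def server_verify(session, shared_secret):
    """Server-side check: recompute the digest from the banner this session issued."""
    stamp = re.search(r"<[^>]+>", session[0])
    cmd = re.match(r"C: APOP (\S+) ([0-9a-f]{32})$", session[1])
    if not stamp or not cmd:
        return False
    expected = apop_digest(stamp.group(0), shared_secret)
    return hmac.compare_digest(expected, cmd.group(2))

def exposed_secrets(session):
    """Reusable passwords that appear verbatim on the wire in this session."""
    found = []
    for line in session:
        m = re.match(r"C: PASS (.+)$", line)
        if m:
            found.append(m.group(1))
    return found

if __name__ == "__main__":
    print("plaintext login exposes:", exposed_secrets(PLAIN_SESSION))
    print("APOP login exposes:     ", exposed_secrets(APOP_SESSION))
    print("APOP digest verifies:   ", server_verify(APOP_SESSION, "tanstaaf"))
```

The digest is bound to the per-connection timestamp in the banner, so the value seen on the wire is not the password itself. APOP covers only the login step; the mail retrieved afterwards still crosses the network unencrypted.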

 
 
 


Post by Alex Charti » Sun, 19 Jan 1997 04:00:00


Tom,

One area I would be concerned about is the use of userid/password pairs in
more than one place. With the proliferation of systems that our users are
being asked to log into, and the increasing use of userid/password mechanisms
on web servers, our users are having to remember far too many passwords. They
will in this case either write them down or worse they will start to use the
same pairs for many systems.  

The risk comes when a userid/password from a corporate network is re-used at
an untrusted third party such as an ISP POP3 mail server.  Should a clever
interloper capture this information they have knowledge to access your
corporate systems. They obviously need some way to get in but the risk is
there.

I suggest you consider one-time passwords for your corporate networks.


 
 
 
