Secure POP: Alternative to SSH tunnel?

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Thu, 26 Apr 2001 04:27:00



Hi,

We'd like to set up a secure access to our POP server so that road
warriors can d'load their e-mail. SSH tunneling works, but is a bit of
a pain to use by non-techies. Are there any Linux-based open-source
solutions that support secure POP access like APOP et al. ?

Thx
FF.

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Sebastian Jaenic » Thu, 26 Apr 2001 05:14:57


Hi,


Quote:

> We'd like to set up a secure access to our POP server so that road
> warriors can d'load their e-mail. SSH tunneling works, but is a bit of
> a pain to use by non-techies. Are there any Linux-based open-source
> solutions that support secure POP access like APOP et al. ?

What you need is stunnel (http://www.stunnel.org). See

http://www.catastrophe.net/geek/docs/spop3/Spop3-Setup.txt

for further information about installation and configuration.

Regards,

Sebastian

--
Sebastian Jaenicke


 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Jem Berke » Thu, 26 Apr 2001 05:45:28


Quote:> We'd like to set up a secure access to our POP server so that road
> warriors can d'load their e-mail. SSH tunneling works, but is a bit of
> a pain to use by non-techies. Are there any Linux-based open-source
> solutions that support secure POP access like APOP et al. ?

APOP is a nice option supported by many pop3 servers. E-mails coming
down the line aren't encrypted, but the log in is secure and this is
probably all that really matters (considering automated sniffing).

--
http://www.pc-tools.net/
DOS, Win32, Linux software

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Ashok Aiy » Thu, 26 Apr 2001 06:02:46


On Tue, 24 Apr 2001 19:27:00 GMT,

Quote:> Hi,

> We'd like to set up a secure access to our POP server so that road
> warriors can d'load their e-mail. SSH tunneling works, but is a bit of
> a pain to use by non-techies. Are there any Linux-based open-source
> solutions that support secure POP access like APOP et al. ?

APOP encrypts the password; the message is still sent in clear-text.
To encrypt the message, you need to use pop3/ssl (pop3s).  I tried
wrapping qpopper with stunnel, and while this works for Outlook, I
could not get it to work with Eudora 5.1 on my Mac.

However installing qpopper-4.0 (available for free from Qualcomm) solved
the problem.  I had to install OpenSSL to compile a pop3 server that
supported pop3s.

Ashok

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by <elle.. » Thu, 26 Apr 2001 06:45:09



> We'd like to set up a secure access to our POP server so that road
> warriors can d'load their e-mail. SSH tunneling works, but is a bit of
> a pain to use by non-techies. Are there any Linux-based open-source
> solutions that support secure POP access like APOP et al. ?

Fetchmail will retrieve mail using APOP, RPOP, KPOP, IMAP-K4,
IMAP-GSS, and IMAP-CRAMMD5 in addition to the non-encrypted pop and
imap flavors. In fact, it's probably easier to base your solution on
the other mobile platforms you have to support, then distribute a
sample .fetchmailrc to the linux users.

--

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by craw.. » Thu, 26 Apr 2001 10:33:29



> However installing qpopper-4.0 (available for free from Qualcomm) solved
> the problem.  I had to install OpenSSL to compile a pop3 server that
> supported pop3s.

> Ashok

Hey, Thanks! I didn't know that qpopper-4.0 was now free. The last time
I looked a few months ago, it cost about $300(USD).

Going to download it tomorrow.

Clyde

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by craw.. » Fri, 27 Apr 2001 12:57:12




> > However installing qpopper-4.0 (available for free from Qualcomm) solved
> > the problem.  I had to install OpenSSL to compile a pop3 server that
> > supported pop3s.

> > Ashok

> Hey, Thanks! I didn't know that qpopper-4.0 was now free. The last time
> I looked a few months ago, it cost about $300(USD).

> Going to download it tomorrow.

> Clyde

Went to download, but first RTFWP (Web Page). From the Eudora site.
---------------------
Qpopper on Linux

Linux users should not use versions of Qpopper older than 3.0.
---------------------
Bummer.:-( But why the restriction?

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Ashok Aiy » Fri, 27 Apr 2001 13:35:44


On Wed, 25 Apr 2001 23:57:12 -0400,

Quote:

> Went to download, but first RTFWP (Web Page). From the Eudora site.
> ---------------------
> Qpopper on Linux

> Linux users should not use versions of Qpopper older than 3.0.
> ---------------------
> Bummer.:-( But why the restriction?

Qpopper versions OLDER than 3.0 were vulnerable to buffer overruns.
(that is versions 2.53 and older).  Qpopper 4.0 is newer than 3.0,
and works quite well under Linux.

Ashok
--
Ashok Aiyar, Ph.D.

Department of Microbiology-Immunology           office: (312) 503-2524
303 E. Chicago Avenue, WARD 4-123                  lab: (312) 503-2542
Northwestern University, Chicago, IL 60611         fax: (312) 503-1339

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Greg Owe » Sun, 29 Apr 2001 05:06:47



> We'd like to set up a secure access to our POP server so that road
> warriors can d'load their e-mail. SSH tunneling works, but is a bit of
> a pain to use by non-techies. Are there any Linux-based open-source
> solutions that support secure POP access like APOP et al. ?

        Look into Courier (http://courier.sourceforge.net).  It
supports IMAP over SSL and SMTP over SSL, and may do POP over SSL.

--

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Thu, 03 May 2001 03:24:36



>    Look into Courier (http://courier.sourceforge.net).  It
>supports IMAP over SSL and SMTP over SSL, and may do POP over SSL.

Thx much for the tip. I'm looking first at how to secure the login
step through qpopper + APOP, but I might move on to a totally secure
connection through SSL. For the latter, looks like the alternatives
are SSH, sTunnel, and IMAP-Courier.

Speaking of which...
1. I cannot find any mention of APOP in Outlook (97 or 2K): Is "Logon
using Secure Password/Authentication" Microsoft-speak for APOP?
2. Is it possible to have qpopper use /etc/shadow for APOP instead of
having to keep yet another user DB (/etc/pop.auth)? If yes, I guess it
only takes --enable-specialauth?
3. Does sTunnel + OpenSSL tunneling offers more than SSH + OpenSSL
when it comes to building a secure tunnel for insecure applications
like SMTP/POP?

Thx
FF.

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Thu, 03 May 2001 03:18:14



>    Look into Courier (http://courier.sourceforge.net).  It
>supports IMAP over SSL and SMTP over SSL, and may do POP over SSL.

Thx much for the tip. I'm looking first at how to secure the login
step through qpopper + APOP, but I might move on to a totally secure
connection through SSL. For the latter, looks like the alternatives
are SSH, sTunnel, and IMAP-Courier.

Speaking of which...
1. I cannot find any mention of APOP in Outlook (97 or 2K): Is "Logon
using Secure Password/Authentication" Microsoft-speak for APOP?
2. Is it possible to have qpopper use /etc/shadow for APOP instead of
having to keep yet another user DB (/etc/pop.auth)? If yes, I guess it
only takes --enable-specialauth?
3. Does sTunnel + OpenSSL tunneling offers more than SSH + OpenSSL
when it comes to building a secure tunnel for insecure applications
like SMTP/POP?

Thx
FF.

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Thu, 03 May 2001 03:25:12



>    Look into Courier (http://courier.sourceforge.net).  It
>supports IMAP over SSL and SMTP over SSL, and may do POP over SSL.

Thx much for the tip. I'm looking first at how to secure the login
step through qpopper + APOP, but I might move on to a totally secure
connection through SSL. For the latter, looks like the alternatives
are SSH, sTunnel, and IMAP-Courier.

Speaking of which...
1. I cannot find any mention of APOP in Outlook (97 or 2K): Is "Logon
using Secure Password/Authentication" Microsoft-speak for APOP?
2. Is it possible to have qpopper use /etc/shadow for APOP instead of
having to keep yet another user DB (/etc/pop.auth)? If yes, I guess it
only takes --enable-specialauth?
3. Does sTunnel + OpenSSL tunneling offers more than SSH + OpenSSL
when it comes to building a secure tunnel for insecure applications
like SMTP/POP?

Thx
FF.

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Thu, 03 May 2001 03:30:44



(snip)
Sorry about the triplets. My news server would not ACK my message, so
I thought it was stuck before my msg got there.

FF.

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Jem Berke » Thu, 03 May 2001 07:18:46


Quote:> 2. Is it possible to have qpopper use /etc/shadow for APOP instead of
> having to keep yet another user DB (/etc/pop.auth)? If yes, I guess it
> only takes --enable-specialauth?

No, it needs to store plaintext passwords. This is necessary for the way
in which APOP authentication works... it also keeps user's mail
passwords different from their system passwords, which might be a good
thing for security.

--
http://www.pc-tools.net/
DOS, Win32, Linux software

 
 
 

Secure POP: Alternative to SSH tunnel?

Post by Frederic Fau » Fri, 04 May 2001 00:59:51


On Tue, 01 May 2001 17:18:46 -0500, Jem Berkes


>> 2. Is it possible to have qpopper use /etc/shadow for APOP instead of
>> having to keep yet another user DB (/etc/pop.auth)? If yes, I guess it
>> only takes --enable-specialauth?

>No, it needs to store plaintext passwords. This is necessary for the way
>in which APOP authentication works... it also keeps user's mail
>passwords different from their system passwords, which might be a good
>thing for security.

Thx! Things look at lot clearer now. It seems like Eudora and OE are
pretty much the only windows mail clients that support APOP, so I
guess I'll got for SSL instead.

Thx everyone for the help
FF.

 
 
 

1. Secure NFS via SSH Tunneling now available

Secure NFS (SNFS) via SSH tunneling of UDP datagrams, as suggested in the
SSH FAQ, has now been implemented and is available for download from
http://www.math.ualberta.ca/imaging/snfs/. This is an enhancement of the
original sec_rpc package developed by Holger Trapp.

* Tunneling via SSH increases the security of the connection and prevents
IP spoofing.

* SNFS has been tested on Linux i386 and alpha platforms under RedHat 6.2.

* No changes to the kernel or existing daemons are required.

* On a high-end workstation, tunneling of large files results in only a slight
degradation in speed (eg. 4MB/s instead of 5MB/s).

* Detailed configuration instructions are contained in the file NFS/README.NFS.

-- John Bowman
University of Alberta
http://www.math.ualberta.ca/~bowman

2. 2.4.1 loopback bug

3. secure ftp ? ssh-tunnel the controlchannel ?

4. Problems with s3 Savage4 S450 and RedHat 7.0 SVGA 3.3.6-33

5. Secure Tunnel Bridging (was: Re: Encrypted tunnels through the internet???)

6. cron, GMT and TZ

7. ssh tunnel to non-standard ssh port

8. Reading is much more interesting than TV (0291/1704)

9. F-Secure SSH Client (Win) cannot connect to Solaris 9 SSH

10. Extranet = Firewall + Secure tunnel

11. Secure Encrypted Tunnel Through Firewall For HTTP

12. Secure Tunneling

13. anonymizer.com and secure tunneling?