Firewall Wizards mailing list archives
APOP and qpopper2.4, how safe?
From: Marc Goldburg <marcg () arraycomm com>
Date: Mon, 8 Dec 1997 16:12:49 -0800
We have to provide mail service for users in far-flung corners of the globe. So far, we've been requiring them to dial in to the modems at our central site to retrieve mail via POP over serial lines. This is becoming expensive, however, and we're looking at alternatives. One option would be to have these people get accounts with local ISP's and then use APOP over the internet to retrieve their mail. At our central site, plug-gw from the TIS FWTK would be used on a machine in our DMZ to forward POP requests to a mail server behind the firewall (this seems safer than mirroring mail spools on a DMZ machine). Since we use pop internally, I'd probably have the plug-gw connect to non-standard POP port on the mail server where there'd be running a version of qpopper which only authenticated via APOP and only for our remote users. There's a host of security issues here --- potentially sensistive unencrypted messages flowing across the net, telling people with sensitive information on their machines to get ISP accounts, ... --- all of which we're wrestling with. I'd be interested in any comments that folks have on the fundamental robustness of APOP and qpopper (2.4 or higher). Is it foolish to poke a hole in the firewall using those tools? By the way, the mail server is running SunOS 4.1.3_U1 plus patches. Thanks, Marc Goldburg -- ArrayComm, Inc. Tel: +1.408.952.1810 3141 Zanker Road Fax: +1.408.428.9083 San Jose, CA 95134-1933 E-mail: marcg () arraycomm com
Current thread:
- APOP and qpopper2.4, how safe? Marc Goldburg (Dec 08)
- Re: APOP and qpopper2.4, how safe? Dave Roberts (Dec 09)
- Re: APOP and qpopper2.4, how safe? daemond (Dec 11)
- Re: APOP and qpopper2.4, how safe? Dave Roberts (Dec 11)
- Re: APOP and qpopper2.4, how safe? daemond (Dec 11)
- Re: APOP and qpopper2.4, how safe? Dave Roberts (Dec 09)