Re: POP3 Security Issues

[David Lang <dlang () diginsite com>]

-----BEGIN PGP SIGNED MESSAGE-----

use IMAP (idealy IMAP through SSL for the remote users which outlook and
netscape both support). This leaves the mail on the server whereever you
read it from (yes, that does eat up disk space on the server, but that is
easy to monitor and fix). and also reduces your network traffic.

David Lang

On Sun, 29 Nov 1998, Jan B. Koum  wrote:

> Date: Sun, 29 Nov 1998 22:57:37 -0800
> From: Jan B. Koum  <jkb () best com>
> To: Frederick M Avolio <fred () avolio com>, mreiter () gwillness osd mil,
     firewall-wizards () nfr net
> Subject: Re: POP3 Security Issues
>
> On Fri, Nov 27, 1998 at 01:10:42PM -0500, Frederick M Avolio <fred () avolio com> wrote:
> > At 08:55 AM 11/16/98 -0500, mreiter () gwillness osd mil wrote:
> > > My users want to use POP3 over the internet to access their e-mail through
> > > our firewall.  There is a POP3 proxy built in to the firewall (not
> > > currently on), but I am leery of ANY access through the firewall over the
> > > internet.  Does anyone know of security issues surrounding this?
> >
> > 1. Their email will be visible as it flows over the Internet. An encrypted
> > connection protects this.
> >
> > 2. Their reusable password will be visable over the Internet unless you use
> > APOP authentication (not bulletproof, but better than a reusable password).
> >
> > 3. They must be educated against using the usual PC email stations at
> > conferences. These are wonderful places to find all sorts of email left
> > behind by people who both sent and received email using them.
> >
> > Fred
> > Avolio Consulting
> > 16228 Frederick Road, PO Box 609, Lisbon, MD 21765
> > 410-309-6910 (voice)                410-309-6911 (fax)
> > http://www.avolio.com
>
>       I am sure POP3 presents a huge PITA to many security administrators.
>       The problem can be split more or less into two:
>
>       1. Local use access
>       2. Remote office access, sales people on the road access.
>
>       For solution #1 you just simply put POP server behind firewall. It
>       gets however much more hairy when you have to deal with #2. There is
>       no great way around it IMHO. Considering that eMail is $$$ for most
>       companies, you can't just say "No POP" like you could say in the
>       case of telnet. One of the possible workarounds is to give traveling
>       salespeople dial up access into the network to check mail. With
>       remote offices (if you got a few and they are not large) one can 
>       put them onto the private frame relay and plug that frame relay as just
>       another part of your network. Then you got remote sales offices which 
>       you really don't want to trust as part of your network. *sigh*
>
>       I been told some window ssh clients can do port forwarding. If so,
>       just make everyone use RSA and you would be in a good shape...
>
>       There is gotta be an easy, secure solution to #2 .. anyone?
>
> -- Yan
>
> I don't have the password .... + Jan Koum 
> But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. 
> So if you've got the time .... | Web: http://www.best.com/~jkb
> Set the tone to sync ......... + OS: http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNmL5/T7msCGEppcbAQHmNQf/Uav6A/ntw2OGTwha7ldF5pSpBBM1NepP
6xlAbHR9Z0p0DFN8KT41uq2LNgSF8umgEQWlBuUYhJW34/4v23Ea//JBRcJuYmGG
4ZMIdwKwCvvXmn3dwHTgmeFlswrljWeV1STSCTNiI9Hp37nd/+wrvxfFkaQGTJ1i
ydqf+Z0C1xJZ9xr4+sRNdebZjHYdVTTcL0qVoZP82/o4O/FU+29Vs30oABLTXzpw
f7zWJxV+H8P9OwFgWpIKXN71n8j8/WpAd9CDQu4TdBW3JL5SmcBU36MC3GfYW2A2
dFLHMLJwKMFG8YgaEKXIjj43kNhHh5c8cBXK3P9nizVlE6pgQbdKXA==
=v8c0
-----END PGP SIGNATURE-----