Re: POP3 Security Issues

[Nicholas Brawn <ncb () okugi com>]

On Wed, 2 Dec 1998, Doug Hughes wrote:
>  Jason Axley wrote:
> > As for Nicholas Brawn's question about other clients (including
> > fetchmail), I don't know of any, but I haven't looked.  Did you roll
> > the SSL into qpopper yourself, or are patches readily available for
> > that?  Does it use SSLeay?  I'm interested!

I must have missed Jason's earlier email. Yes it does use SSLeay, I wrote
the patches myself, and best of all - i'm not located in the US. :)

[snip]
> I'm interested in the SSL -> qpopper integration as well. I hadn't seen
> this before.

The current implemenation of mine is very "hacky". I initially set it up
so that the server listens for incoming SSL connections, and failing that,
switches to a non-SSL connection. The problem with that is that it
requires the mail clients/retrievers to effectively "test" the server.
However we want the server to be smart, not the client. My current version
runs in either SSL or non-SSL mode, and displays something along the lines
of "Non-SSL connections are not allowed" before disconnecting when someone
tries to retrieve mail over a non-SSL connection. 

> --
> ____________________________________________________________________________
> Doug Hughes                                   Engineering Network Services
> System/Net Admin                              Auburn University
>                       doug () eng auburn edu

Cheers,
Nick