Firewall Wizards mailing list archives

Re: POP3 Security Issues


From: Crispin Cowan <crispin () cse ogi edu>
Date: Wed, 02 Dec 1998 21:48:37 +0000

Pedro A M Vazquez wrote:

> On Mon, Nov 30, 1998 at 01:18:26PM -0600, Rick Smith wrote:
>> At 11:43 AM 11/27/98 -0800, Jason Axley wrote:
>>> There isn't any security in POP3.  Unless you are using POP3 over SSL to
>>> encrypt the data,
>>
>> I like the idea of using SSL, and I can see how it would be a pretty simple
>> rearrangement of software already available in today's bloated browser/mail
>> reader products. But is this something that's really out there as a
>> product, or do people have to roll their own?
>
> You may want to look for things like bjorb and stunnel
>
> http://www.hitachi-ms.co.jp/bjorb/en/
> http://mike.daewoo.com.pl/computer/stunnel/
>
> Pedro

I use SSH to tunnel my POP3 traffic.  To do this, you need sshd running on the
POP3 mail server, and an ssh client on the client machine.  This one-line
command creates a tunnel from my local port 6666 (arbitrarily chosen) to the POP
host's port 110.  I then tell my mail client (Netscape, in my case) to fetch
mail via POP3:6666, and SSH transparently transmits that to the remote
POP server's appropriate port.

#!/bin/sh
ssh -l crispin -f -L 6666:mailhost.cse.ogi.edu:110 mailhost.cse.ogi.edu sleep 30000

The "sleep 30000" keeps the tunnel open for 30,000 seconds (about 8 hours, my
work day (hah!-)).

You can get SSH from http://www.ssh.fi.  For extra security against overflow
attacks, you can get StackGuard-protected SSH from me here:
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/ssh.html (US & Canada
residents only--don't export controls suck?)

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

                 Support Justice:  Boycott Windows 98
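
The tunnel described in the message above, as an added example that is not part of the original post: it builds the same forward with an explicit loopback bind and then checks that the local listener is not reachable from other hosts. It assumes a current OpenSSH client and a POP3 server that accepts connections on the mail server's loopback address; the function names are hypothetical and the `ss -ltn` lines are constructed.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Print an ssh command that forwards a loopback-only local port to the
# POP3 port (110) as seen from the SSH server itself.
build_tunnel_cmd() {
    user=$1; host=$2; lport=$3
    case $lport in
        ''|*[!0-9]*) echo "bad port: $lport" >&2; return 1 ;;
    esac
    if [ "$lport" -lt 1024 ] || [ "$lport" -gt 65535 ]; then
        echo "port must be 1024-65535 (unprivileged)" >&2; return 1
    fi
    # -N: no remote command (replaces the sleep); -f: background after auth
    # ExitOnForwardFailure: fail instead of running without the forward
    # 127.0.0.1: bind explicitly so other hosts cannot use the tunnel
    # localhost:110: assumption, keeps the cleartext hop on the mail server
    printf 'ssh -l %s -f -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:110 %s\n' \
        "$user" "$lport" "$host"
}

# Read `ss -ltn` output on stdin; succeed only if the port is listening and
# every listener on it is bound to a loopback address.
loopback_only() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == p) {
                seen = 1
                if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
            }
        }
        END { exit !(seen && !bad) }'
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample='LISTEN 0 128 127.0.0.1:6666 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
build_tunnel_cmd crispin mailhost.cse.ogi.edu 6666
printf '%s\n' "$sample" | loopback_only 6666 && echo "6666: loopback only"
```

On a live client, pipe the real `ss -ltn` output into `loopback_only 6666` after starting the tunnel.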





