Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: reynhout () quesera com
Date: Fri, 27 Nov 1998 17:11:28 -0500 (EST)
mreiter () gwillness osd mil writes:
My users want to use POP3 over the internet to access their e-mail through our firewall. There is a POP3 proxy built in to the firewall (not currently on), but I am leery of ANY access through the firewall over the internet. Does anyone know of security issues surrounding this?
You're definitely right to be concerned. Unless you use an authenticated POP protocol, passwords are in cleartext which can be an issue because people don't always take sensible precautions regarding reusing passwords. Mail itself is also unencrypted, so internal mail (which might have higher expectations of net.safety) would be passed over the unwashed internet when your users read it. There was an overflow in an old version of Qualcomm's popper program that involved a remote root shell. This has been fixed in recent versions, but the potential always exists. Perhaps a compromise would be to get a list (hopefully short) of users who need this, and push their mail out to a DMZ host running a POP3 server. Use rsync over ssh to move the mail files, and it would be low bandwidth, safe, and open up no holes INTO the firewall. (Fetchmail wouldn't help here because it only works as a pull mechanism.) The DMZ POP host would be a sacrificial lamb sort of thing. Expect it to get extra attention from the curious masses, and make sure the users understand the vulnerabilities to their mail and to the POP server (and the corresponding service level guarantees). You also might want to check around for a site security policy, because I can't imagine that this would be permitted if one exists. VPN (or equivalent infrastructure with a different buzzword) is really the only way to feel comfortable about this. Problems like this are perfect applications for SKIP. Someday. Good luck, Andrew reynhout () quesera com
Current thread:
- POP3 Security Issues mreiter (Nov 27)
- Re: POP3 Security Issues Jason Axley (Nov 29)
- Re: POP3 Security Issues Nicholas Brawn (Nov 30)
- Re: POP3 Security Issues klynn (Nov 30)
- Re: POP3 Security Issues Frederick M Avolio (Nov 29)
- Re: POP3 Security Issues Jan B. Koum (Nov 30)
- Re: POP3 Security Issues Ian Poynter (Nov 29)
- <Possible follow-ups>
- Re: POP3 Security Issues Steven M. Bellovin (Nov 29)
- Re: POP3 Security Issues reynhout (Nov 29)
- Re: POP3 Security Issues Jason Axley (Nov 29)