Firewall Wizards mailing list archives
Re: APOP and qpopper2.4, how safe?
From: Dave Roberts <dave.roberts () saaconsultants com>
Date: Tue, 9 Dec 1997 14:05:47 +0000 (GMT)
On Mon, 8 Dec 1997, Marc Goldburg wrote:
> One option would be to have these people get accounts with local ISPs and then use APOP over the internet to retrieve their mail. At our central site, plug-gw from the TIS FWTK would be used on a machine in our DMZ to forward POP requests to a mail server behind the firewall (this seems safer than mirroring mail spools on a DMZ machine). Since we use pop internally, I'd probably have the plug-gw connect to a non-standard POP port on the mail server where there'd be running a version of qpopper which only authenticated via APOP and only for our remote users.
Been thinking about this myself. If you know who your remote users are going to be, and you want to set up qpopper to be APOP only for them, then you could have another machine on the DMZ for dealing with their mail only - providing you have the hardware kicking about. This gets rid of having a plug-gw relaying the traffic for you in any direction. This has to be the best option. Another option would be to put all mail onto a DMZ machine. (Just giving ideas).

Thinking about this.... if your remote users are coming in, plug-gw through to an internal machine, then the server software has a bug in it, and that gets exploited, the external bad person has broken an internal machine. Internal users would have to go to the outside, but - well, pros and cons I guess.

Something you could do in any of these situations to improve the confidentiality of the mail would be to use procmail to filter the message through PGP before depositing the ciphertext into the user's mailbox. But you could also argue that the mail has already come across the net in plaintext - is it worth concealing it for the second journey? If you use the approach of having a separate machine on the DMZ, then the encryption could be done on the inside before being passed back out to the external POP3 server, giving your keyring a safer place to live.

Just some ideas.

--
Dave Roberts         For PGP Key - send mail with subject of 'get pgp':-
Firewall Chappie     =51 4B 6A 35 3F C4 B6 3D 13 88 0C B2 48 61 51 1C=
SAA Consultants Ltd  Std disclaimer applies, it's nothing to do with them
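For reference, what an "APOP only" listener of the kind discussed in this thread has to check, as an added example that is not part of the original post and is not qpopper's code. The function names are hypothetical; the sample banner, user and secret are the worked values from RFC 1939.

```python
import hashlib
import hmac


def apop_digest(banner_timestamp: str, secret: str) -> str:
    """RFC 1939 APOP digest: hex MD5 of banner timestamp (with <>) + shared secret."""
    return hashlib.md5((banner_timestamp + secret).encode("utf-8")).hexdigest()


def handle_auth(line: str, banner_timestamp: str, secrets: dict) -> str:
    """Answer one authentication command on a listener that accepts APOP only."""
    parts = line.strip().split()
    verb = parts[0].upper() if parts else ""
    if verb in ("USER", "PASS"):
        # Cleartext login is refused outright, so the password never crosses the net.
        return "-ERR cleartext login disabled, use APOP"
    if verb != "APOP" or len(parts) != 3:
        return "-ERR bad command"
    user, digest = parts[1], parts[2].lower()
    secret = secrets.get(user)
    # Hash even for unknown users so both paths do the same amount of work.
    expected = apop_digest(banner_timestamp, secret if secret is not None else "")
    same = hmac.compare_digest(expected.encode("ascii"), digest.encode("utf-8"))
    return "+OK maildrop ready" if (secret is not None and same) else "-ERR permission denied"


# Constructed sample data, taken from the RFC 1939 APOP example.
BANNER = "<1896.697170952@dbc.mtview.ca.us>"
SECRETS = {"mrose": "tanstaaf"}  # the server has to hold the secret in recoverable form

if __name__ == "__main__":
    good = "APOP mrose " + apop_digest(BANNER, "tanstaaf")
    for cmd in ("USER mrose", good, "APOP mrose " + "0" * 32):
        print(cmd, "->", handle_auth(cmd, BANNER, SECRETS))
    # A captured digest is useless against a later connection: the banner differs.
    print("replay ->", handle_auth(good, "<1897.697170999@dbc.mtview.ca.us>", SECRETS))
```

The digest is only as strong as the per-connection timestamp and the shared secret; message contents still travel unencrypted, which is the gap the procmail and PGP suggestion above addresses.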