Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: David Lang <dlang () diginsite com>
Date: Mon, 30 Nov 1998 12:03:07 -0800 (PST)
-----BEGIN PGP SIGNED MESSAGE----- use IMAP (idealy IMAP through SSL for the remote users which outlook and netscape both support). This leaves the mail on the server whereever you read it from (yes, that does eat up disk space on the server, but that is easy to monitor and fix). and also reduces your network traffic. David Lang On Sun, 29 Nov 1998, Jan B. Koum wrote:
Date: Sun, 29 Nov 1998 22:57:37 -0800 From: Jan B. Koum <jkb () best com> To: Frederick M Avolio <fred () avolio com>, mreiter () gwillness osd mil,
firewall-wizards () nfr net
Subject: Re: POP3 Security Issues On Fri, Nov 27, 1998 at 01:10:42PM -0500, Frederick M Avolio <fred () avolio com> wrote:At 08:55 AM 11/16/98 -0500, mreiter () gwillness osd mil wrote:My users want to use POP3 over the internet to access their e-mail through our firewall. There is a POP3 proxy built in to the firewall (not currently on), but I am leery of ANY access through the firewall over the internet. Does anyone know of security issues surrounding this?1. Their email will be visible as it flows over the Internet. An encrypted connection protects this. 2. Their reusable password will be visable over the Internet unless you use APOP authentication (not bulletproof, but better than a reusable password). 3. They must be educated against using the usual PC email stations at conferences. These are wonderful places to find all sorts of email left behind by people who both sent and received email using them. Fred Avolio Consulting 16228 Frederick Road, PO Box 609, Lisbon, MD 21765 410-309-6910 (voice) 410-309-6911 (fax) http://www.avolio.comI am sure POP3 presents a huge PITA to many security administrators. The problem can be split more or less into two: 1. Local use access 2. Remote office access, sales people on the road access. For solution #1 you just simply put POP server behind firewall. It gets however much more hairy when you have to deal with #2. There is no great way around it IMHO. Considering that eMail is $$$ for most companies, you can't just say "No POP" like you could say in the case of telnet. One of the possible workarounds is to give traveling salespeople dial up access into the network to check mail. With remote offices (if you got a few and they are not large) one can put them onto the private frame relay and plug that frame relay as just another part of your network. Then you got remote sales offices which you really don't want to trust as part of your network. *sigh* I been told some window ssh clients can do port forwarding. If so, just make everyone use RSA and you would be in a good shape... There is gotta be an easy, secure solution to #2 .. anyone? -- Yan I don't have the password .... + Jan Koum But the path is chainlinked .. | Spelled Jan, pronounced Yan. There. So if you've got the time .... | Web: http://www.best.com/~jkb Set the tone to sync ......... + OS: http://www.FreeBSD.org
-----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQEVAwUBNmL5/T7msCGEppcbAQHmNQf/Uav6A/ntw2OGTwha7ldF5pSpBBM1NepP 6xlAbHR9Z0p0DFN8KT41uq2LNgSF8umgEQWlBuUYhJW34/4v23Ea//JBRcJuYmGG 4ZMIdwKwCvvXmn3dwHTgmeFlswrljWeV1STSCTNiI9Hp37nd/+wrvxfFkaQGTJ1i ydqf+Z0C1xJZ9xr4+sRNdebZjHYdVTTcL0qVoZP82/o4O/FU+29Vs30oABLTXzpw f7zWJxV+H8P9OwFgWpIKXN71n8j8/WpAd9CDQu4TdBW3JL5SmcBU36MC3GfYW2A2 dFLHMLJwKMFG8YgaEKXIjj43kNhHh5c8cBXK3P9nizVlE6pgQbdKXA== =v8c0 -----END PGP SIGNATURE-----
Current thread:
- Re: POP3 Security Issues, (continued)
- Re: POP3 Security Issues Nicholas Brawn (Dec 03)
- Re: POP3 Security Issues Adam Shostack (Dec 03)
- Re: POP3 Security Issues Dave Roberts (Dec 03)
- Re: POP3 Security Issues Pedro A M Vazquez (Dec 02)
- Re: POP3 Security Issues Crispin Cowan (Dec 03)
- Re: POP3 Security Issues Pedro A M Vazquez (Dec 04)
- Re: POP3 Security Issues Crispin Cowan (Dec 03)
- Re: POP3 Security Issues Markus Friedl (Dec 03)
- Re: POP3 Security Issues dreamwvr (Dec 01)
- Re: POP3 Security Issues Frederick M Avolio (Dec 01)
- Re: POP3 Security Issues Mookie (Dec 02)
- Re: POP3 Security Issues David Lang (Dec 01)
- Re: POP3 Security Issues Rodney van den Oever (Dec 01)
- Re: POP3 Security Issues Christopher Nielsen (Dec 02)
- Re: POP3 Security Issues Bruce B. Platt (Dec 01)
- Re: POP3 Security Issues Lart (Dec 01)
- Re: POP3 Security Issues Rick Murphy (Dec 01)
- Re: POP3 Security Issues ark (Dec 02)
- Re: POP3 Security Issues Joe LoBianco (Dec 02)