Firewall Wizards mailing list archives

Re: POP3 Security Issues


From: Lart <lart () hacksec org>
Date: Mon, 30 Nov 1998 20:25:59 -0500

Nicholas Brawn wrote:
Speaking of pop3 over SSL, is anyone aware of mail clients or pop3
retrievers (Unix and/or Windows) that support it? The reason I'm asking
is that I've recently plugged SSL into qpopper (2.53), and want to know
whether I need to patch something like fetchmail, or whether there's
something out there already that will do the job.

POP3/SSL is supported by Netscape, and M$ Outlook (98|Express).  Those
are the only ones I know of; I'd be surprised if someone hasn't hacked a
way for Gnus or mutt to do this yet using SSLeay...

Rather than lock users into one of 3 mail clients, I've deployed
solutions that look something like this:


Internal                                          External
Network -----------------Firewall---------------- Network
                            |
                            |
                            |
                            |
                            |
                ---------------------------
                |                         |
                |                         |
                |                         |
              *nix                      SMTP
               ssh                      POP3
             gateway                    IMAP
                                        LDAP

Users connect to the ssh gateway in the DMZ, and set up port forwards
that look like:

Local Port      Remote Server   Remote Port
-------------------------------------------
25              mail-server     25
110             mail-server     110
143             mail-server     143
389             mail-server     389

Users now connect to 127.0.0.1:(25|110|143|389) for mail services.

On the mail server, run your popper out of tcpserver (from Dan
Bernstein's UCSPI-TCP package), rather than inetd w/tcpd.  Set up your
cdb rules as (assuming your internal network is 192.168.10.0/24):

# compile with: tcprules /etc/tcp.pop3.cdb /etc/tcp.pop3.tmp < /etc/tcp.pop3
ip.of.ssh.gateway:allow
192.168.10.:allow
:deny

Invoke tcpserver as:

tcpserver -R -c100 -u0 -g0 -x/etc/tcp.pop3.cdb 0 \
    pop3 /usr/sbin/qpopper &

Please, make SURE you have up-to-date imapd sources, that have been
patched to prevent the exploits previously published.

Rules for FW-1 to do this the way I've set it up would be:

1. Any          mail-server     smtp    Accept
2. Any          ssh-gw          ssh     Accept

Of course, you'd need to define 22/tcp as the service "ssh".

What else does this type of configuration allow for?  It makes it really
easy to accommodate remote users using an ISP for mail.  Rather than
leaving the mail server wide open, or doing POP3 before SMTP hacks, or
any other magic, now all of your users' SMTP connections will originate
from the ssh gateway machine.

--lart
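The setup above, as an added example that is not part of the original post or of ucspi-tcp itself: it writes the tcprules source for the popper, emulates tcpserver's rule lookup so the cdb rules can be sanity-checked before going live, and builds the ssh port-forward command line the users would run. It assumes a gateway address of 192.0.2.10 (a documentation range) and the post's own 192.168.10.0/24 internal network and ssh-gw / mail-server host names.

```sh
#!/bin/sh
# Added example, not part of the original post.  Generates the tcprules
# source for the popper, emulates tcpserver's rule lookup so the rules can
# be checked before they go live, and builds the ssh port-forward command.
# Assumed: gateway 192.0.2.10, internal net 192.168.10.0/24, ssh-gw, mail-server.

# Rule source in tcprules syntax (address:allow|deny).  A trailing dot is a
# prefix match; an empty address is the catch-all.  Compile it with
#   tcprules /etc/tcp.pop3.cdb /etc/tcp.pop3.tmp < /etc/tcp.pop3
pop3_rules() {
    printf '%s:allow\n%s:allow\n:deny\n' "$1" "$2"
}

# Emulate tcpserver's lookup order for an address rule: exact IP, then the
# dotted prefixes a.b.c., a.b., a., then the empty default.  Without any
# matching rule tcpserver lets the connection through, hence the ":deny".
rule_decision() {                          # args: "<rules text>" <client ip>
    rules="$1"; key="$2"
    while :; do
        hit=$(printf '%s\n' "$rules" |
              awk -F: -v k="$key" '$1 == k && $2 != "" { print $2; exit }')
        if [ -n "$hit" ]; then printf '%s\n' "$hit"; return 0; fi
        [ -z "$key" ] && break
        key="${key%.}"                     # drop the trailing dot, if any
        case "$key" in
            *.*) key="${key%.*}." ;;       # 192.168.10.55 -> 192.168.10.
            *)   key="" ;;                 # 192. -> "" (the default rule)
        esac
    done
    printf 'allow\n'                       # no rule at all: tcpserver default
}

# The port forwards from the post as one ssh command line.  Local ports
# below 1024 can only be bound by root on the client machine.
forward_cmd() {                            # args: <ssh gateway> <mail host>
    cmd="ssh"
    for p in 25 110 143 389; do
        cmd="$cmd -L $p:$2:$p"
    done
    printf '%s %s\n' "$cmd" "$1"
}

# Demonstration with the assumed values.
RULES=$(pop3_rules 192.0.2.10 192.168.10.)
for c in 192.0.2.10 192.168.10.55 192.168.100.5; do
    printf '%s -> %s\n' "$c" "$(rule_decision "$RULES" "$c")"
done
forward_cmd ssh-gw mail-server
```

Note that 192.168.100.5 is denied: the trailing dot on 192.168.10. makes it a prefix on whole octets, not a string prefix.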
