Re: POP3 Security Issues

["Steven M. Bellovin" <smb () research att com>]

In message <852566BE.004C1A48.00 () gwillness osd mil>, mreiter () gwillness osd mil 
writes:
> My users want to use POP3 over the internet to access their e-mail through
> our firewall.  There is a POP3 proxy built in to the firewall (not
> currently on), but I am leery of ANY access through the firewall over the
> internet.  Does anyone know of security issues surrounding this?
There are two sets of issues, generic POP3 protocol issues and implementation
questions.  For the latter, there have been buffer overflow problems in
some POP3 servers; for whatever you're running, make sure that you have the
latest client.  (I have no idea if your firewall's POP3 proxy actually does
anything to guard against such attacks.)

A bigger issue is authentication -- POP3 by default uses plaintext passwords.
Token-based authenticators are not suitable for general use, since lots
of clients ask for the password once and use it for polls every few minutes.
If you do enable it, make sure that you use APOP, an authentication mechanism
that uses challenge/response.