Firewall Wizards mailing list archives
Re: POP3 Security Issues
From: "Steven M. Bellovin" <smb () research att com>
Date: Fri, 27 Nov 1998 12:18:08 -0500
In message <852566BE.004C1A48.00 () gwillness osd mil>, mreiter () gwillness osd mil writes:
> My users want to use POP3 over the internet to access their e-mail through our firewall. There is a POP3 proxy built in to the firewall (not currently on), but I am leery of ANY access through the firewall over the internet. Does anyone know of security issues surrounding this?
There are two sets of issues, generic POP3 protocol issues and implementation questions. For the latter, there have been buffer overflow problems in some POP3 servers; for whatever you're running, make sure that you have the latest client. (I have no idea if your firewall's POP3 proxy actually does anything to guard against such attacks.) A bigger issue is authentication -- POP3 by default uses plaintext passwords. Token-based authenticators are not suitable for general use, since lots of clients ask for the password once and use it for polls every few minutes. If you do enable it, make sure that you use APOP, an authentication mechanism that uses challenge/response.
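The APOP challenge/response exchange mentioned above, as an added example that is not part of the original post: per RFC 1939 the server puts a unique timestamp in its greeting and the client answers with the MD5 digest of that timestamp followed by the shared secret. The host name, user name, secret and the extra random field in the timestamp are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import time

def make_greeting(host="pop.example.org"):
    """Server: greeting carrying a fresh APOP timestamp (the challenge)."""
    # RFC 1939 suggests <process-ID.clock@hostname>; the random field is an
    # addition in this example so two greetings in one second still differ.
    stamp = "<%d.%d.%s@%s>" % (os.getpid(), int(time.time()),
                               os.urandom(4).hex(), host)
    return "+OK POP3 server ready " + stamp

def extract_timestamp(greeting):
    """Return the <...@...> challenge from a greeting, or None if absent."""
    m = re.search(r"<[^<>\s]+@[^<>\s]+>", greeting)
    return m.group(0) if m else None

def apop_digest(timestamp, secret):
    """MD5 over the timestamp (angle brackets included) plus the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()

def client_command(greeting, user, secret):
    """Client: build the APOP line; never fall back to plaintext USER/PASS."""
    ts = extract_timestamp(greeting)
    if ts is None:
        raise ValueError("no APOP timestamp in greeting; refusing USER/PASS")
    return "APOP %s %s" % (user, apop_digest(ts, secret))

def server_verify(issued_timestamp, command, secrets):
    """Server: check the response against the challenge it issued itself."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    expected = apop_digest(issued_timestamp, secret)
    return hmac.compare_digest(expected, digest.lower())

if __name__ == "__main__":
    secrets = {"alice": "constructed-secret"}   # constructed sample account
    greeting = make_greeting()
    line = client_command(greeting, "alice", secrets["alice"])
    print(greeting)
    print(line)                                  # the secret is not on the wire
    print(server_verify(extract_timestamp(greeting), line, secrets))
```

A response captured on one connection does not verify against the timestamp issued on the next, which is what a polling client's repeated logins rely on.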