Firewall Wizards mailing list archives

Re: Looking for "lease based popper access"


From: Crispin Cowan <crispin () cse ogi edu>
Date: Mon, 13 Dec 1999 00:21:26 +0000

sedwards () sedwards com wrote:

> This works pretty good for most services except POP. Traveling employees
> need to get to their email from wherever they are.

Agreed.

> What I'm looking for is something where an employee can get a temporary
> "lease" to access POP from their current IP address.

This is exactly what you *don't* want to do.  If you enable this, then the
attacker with an ability to spoof IP addresses can break into arbitrary mail
boxes.

What you want is real authentication for road warrior e-mail access.  Use
either SSH or SSL.  I personally use SSH.  Put an SSH daemon on the mail
server, and clients use SSH clients to tunnel the POP and SMTP ports from
their mobile laptop to the mail server.  For Windows clients, the SSH
commercial product from Data Fellows does the trick.  For Linux clients, a
script like this with the free SSH client works:

#!/bin/sh
ssh -C -l crispin -f \
        -L 6666:your.mail.server:110 \
        -L 6667:your.mail.server:25 \
        your.mail.server xbiff -geom +17+690

Then just tell the mail client that e-mail access goes through localhost:6666
and localhost:6667 (or pick your favorite port numbers).

The "xbiff" keeps the ssh tunnel open, and as an added bonus gives you a ring
when new e-mail arrives.

SSL crypto & authentication gives you essentially similar security
properties, but I am unfamiliar with the details of setting it up.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
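
An added example, not part of the original post: the same tunnel written with current OpenSSH options (an assumption; the post names only the flags in its own script), with each forward bound explicitly to 127.0.0.1, plus a check over `ss -ltn` output that flags a tunnel port listening on a non-loopback address. The function names and the sample listener lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Host and ports follow the post.
MAIL_HOST="your.mail.server"   # placeholder host name used in the post
POP_LOCAL=6666                 # local end of the POP forward
SMTP_LOCAL=6667                # local end of the SMTP forward

# Print the tunnel command. -N (no remote command) replaces the xbiff
# keep-alive, and ExitOnForwardFailure makes ssh quit if a local port cannot
# be bound. Each -L names 127.0.0.1 so the forwards stay private to the laptop.
tunnel_cmd() {
    printf 'ssh -C -N -f -l %s -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:110 -L 127.0.0.1:%s:%s:25 %s\n' \
        "$1" "$POP_LOCAL" "$MAIL_HOST" "$SMTP_LOCAL" "$MAIL_HOST" "$MAIL_HOST"
}

# Read `ss -ltn` output on stdin and print every listener on a tunnel port
# whose address is not loopback. No output means nothing is exposed.
exposed_listeners() {
    awk -v p1="$POP_LOCAL" -v p2="$SMTP_LOCAL" '
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep the text after the last colon
            sub(/:[^:]*$/, "", addr)    # keep the text before the last colon
            if ((port == p1 || port == p2) &&
                addr != "127.0.0.1" && addr != "[::1]")
                print addr ":" port
        }'
}

# Constructed sample of `ss -ltn` output: the SMTP forward was opened with
# -g (or GatewayPorts), so it listens on every interface.
SAMPLE='LISTEN 0 128 127.0.0.1:6666 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6667 0.0.0.0:*
LISTEN 0 128 [::1]:6666 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

# Demo: show the command for the current user, then audit the sample.
tunnel_cmd "${USER:-user}"
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live machine, pipe the real listener table into the check: `ss -ltn | exposed_listeners`.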



