Hi, one of our clients wants to read his mailaccount with SMTP instead of POP3. Question one: What has to be changed/modified to prepare our server for this ? Question two (thats why I post to this list): It's told that this solution has some security-holes. What are these holes and how can the security be increased ? Is there a bug (for which a bugfix exists ?) in the smtpd or what ? BTW: Running SuSE-Linux 6.0 TIA. --- Stephan
On Mon, Nov 29, 1999 at 08:07 +0100, Security Webmaster OKDesign oHG wrote:
one of our clients wants to read his mailaccount with SMTP instead of POP3. Question one: What has to be changed/modified to prepare our server for this ?
Have a look at the fetchmail(1) manpage. There's an option to use the SMTP ETRN command to "fetch" mail. But I don't know anything about the parameters involved and such. I'm sure the smtp daemon has to support this command, too (open up a "telnet mailhost smtp" and ask for "HELP" or go and read RFC822 and its successors).
Question two (thats why I post to this list): It's told that this solution has some security-holes. What are these holes and how can the security be increased ? Is there a bug (for which a bugfix exists ?) in the smtpd or what ?
I cannot see any benefit from one method over the other. Both of them are cleartext although both could be tunneled via SSL or ssh. POP might use APOP for authentication, but this won't help when transfering the messages -- it's just that: encrypted auth. When you're uncomfortable with this situation, use pgp and other of these methods which fit into today's topology seemlessly. virtually yours - Gerhard Sittig -- If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Gerhard Sittig wrote:
On Mon, Nov 29, 1999 at 08:07 +0100, Security Webmaster OKDesign oHG wrote:
Question two (thats why I post to this list): It's told that this solution has some security-holes. What are these holes and how can the security be increased ? Is there a bug (for which a bugfix exists ?) in the smtpd or what ?
Everybody talks about the possible security risks with sendmail. I think it's the exact opposite. The fact a large number of people are running sendmail and a large number of crackers are trying to break it means fixes are usually quick. You just need to stay up with a current version. Other MTA may have less people trying to break in but that can also mean people don't find out about cracks. Just my IMHO. Nick -- -------------------------------------------------- Nick Zentena "Microsoft has unjustifiably jeopardized the stability and security of the operating system." U.S. District Judge Thomas Penfield Jackson Nov 5/1999 --------------------------------------------------
participants (3)
-
Gerhard Sittig -
Nick Zentena -
Security Webmaster OKDesign oHG