[COMP] Secure POP
- From: John Madden <weez@xxxxxxxxxxxxxx>
- To: bsolway <bsolway@xxxxxxxxxxxxxx>, sewing <sewing@xxxxxxxxxxxxxx>, brunovdc <brunovdc@xxxxxxxxxxxxxx>, smckeown <smckeown@xxxxxxxxxxxxxx>, computers@xxxxxxxxxxxxxx, ccdennis@xxxxxxxxxxxxxxxxxx, ccfrank@xxxxxxxxxxxxxxxxxx
- Date: Sat, 27 Nov 1999 05:17:30 -0500
This is mostly intended for anyone with a POP3 email account on Avenir
web, but I figured I'd pass this on to everyone, since it's a pretty
cool concept. This is for people that want to be able to securely
retrieve their email. POP3 and IMAP are quite insecure means of
transferring mail, since everything is sent in plain text across the
network. Same goes for FTP and Telnet, so altogether, 4 of the most
commonly used protocols are no good. SSH replaces Telnet by simply
encrypting the connection between the two hosts, and provides secure
copying of files. Here's how to fix POP3.
If you don't care about email security, or don't have access to a
unix/linux machine, you can stop reading now. Note that the term 'email
security' is a misnomer, unless you also employ PGP or an equivalent.
The method below merely prevents password sniffing (from packet
sniffers) from compromising your POP account. Especially if you're on a
large network, this is a real concern.
I mentioned a while back that I was planning on implementing Secure POP3
access on the machine, and it turns out there wasn't really anything to
implement. The ability to have secure POP3 (post office protocol --
that's how you retrieve mail from your mail server) is built right into
ssh, the secure shell package for Unix. If ssh isn't available in your
country for export reasons, or if you're not able to use ssh for
licensing reasons, you can get openssh, based on OpenBSD (the most
secure OS) from openssh.org. I've been using this for about a month now
with my account on Avenir web, and it's very cool.
Here's the basic idea: A port on your machine or a machine on a network
you trust (i.e., one on your hub at home :)) is 'forwarded' over an
encrypted channel to the POP port on the server you pop your mail off.
The only unencrypted channel is between you and the machine on the
trusted network, or if you use your workstation, just the loopback
interface (which no one can really read from anyway). To start the port
forward, I issue this (and I have to do it as root, since I just use
port 110, which being lower than 1000, needs root privilege to be set):
ssh -C -f weez@xxxxxxxxxxxxxx -L 110:avenir.dhs.org:110 sleep 1000000000000
Let's analyze that command. 'ssh' is the program we're running. -C
gives us compression on the stream; very nice. -f 'forks' into the
background, so it'll allow you to continue working, or close the xterm
you started it in, etc. weez is my username, and avenir.dhs.org is the
POP server I'm connecting to. -L means to listen on a port for incoming
connections. 110:avenir.dhs.org:110 means: listen on port 110 (the POP3
port), and forward anything that comes in to port avenir.dhs.org:110, or
the POP port on the POP Server. sleep 100000... keeps the connection
alive for that number of seconds. This is useful if you plan to check
your mail more than once. :) Otherwise, you'd have to execute a sleep
15 or something, and do it every time you want to check your mail. Be
careful with this-- it keeps a connection alive with the server, which
is something the administrator might not like. :) I don't care, and in
fact, I highly encourage you to use this method with your POP mail. If
you don't have an account on Avenir web but would like one, please email
me off-list.
Once you've established the connection, you simply point your mail client
to whatever host you executed the command on at whatever port you
specified. For me, I tell Netscape Messenger to check mail on
'localhost,' and because it doesn't allow me to specify a POP port to
check on, I have to use port 110 on 'localhost.' If you're using a
different machine on your trusted network, point your email client there
instead. You may have to use a non-privileged (above 1000) port, and to
keep the connection alive, you should get your administrator's approval
first.
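The forwarding hop that command sets up, as an added illustration that is not from John's post: a Python script that stands up a constructed POP3 stub on one loopback port (standing in for avenir.dhs.org:110), a tiny TCP forwarder on a second loopback port (standing in for ssh's local listener), and a client that logs in through the forwarder. Ports are ephemeral, so nothing here needs root; the username and password are constructed. What this plain forwarder does not do is encrypt the hop to the server, which is exactly the part ssh adds.

```python
"""Loopback port-forwarding demo (added example, not the post's own code)."""
import socket
import threading


def parse_forward_spec(spec):
    """Split an ssh -L spec 'listen:host:port' into its parts, e.g. the post's
    110:avenir.dhs.org:110 -> (110, 'avenir.dhs.org', 110)."""
    listen, host, port = spec.split(":")
    return int(listen), host, int(port)


def pop3_stub_server(listen_sock):
    """Constructed stand-in for the POP server: accepts one client, greets it,
    acknowledges USER/PASS and QUIT. It never validates credentials."""
    conn, _ = listen_sock.accept()
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"+OK POP3 stub ready\r\n")
        for line in f:
            cmd = line.strip().upper()
            if cmd.startswith((b"USER", b"PASS")):
                conn.sendall(b"+OK\r\n")
            elif cmd.startswith(b"QUIT"):
                conn.sendall(b"+OK bye\r\n")
                break
            else:
                conn.sendall(b"-ERR unknown command\r\n")


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward_one(listen_sock, target):
    """The local-listener half of 'ssh -L': accept one client and splice it
    to target (host, port). Unlike ssh, this leg is NOT encrypted."""
    client, _ = listen_sock.accept()
    remote = socket.create_connection(target)
    up = threading.Thread(target=pump, args=(client, remote), daemon=True)
    down = threading.Thread(target=pump, args=(remote, client), daemon=True)
    up.start()
    down.start()
    up.join()
    down.join()
    client.close()
    remote.close()


def pop3_login_via(host, port, user, password):
    """Mail-client side: talk POP3 to host:port (the forwarder) and return
    the server's reply lines. Credentials are sent in the clear on this hop,
    which is why the hop must stay on loopback or a trusted network."""
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        replies = [f.readline()]
        for cmd in (b"USER " + user.encode() + b"\r\n",
                    b"PASS " + password.encode() + b"\r\n",
                    b"QUIT\r\n"):
            s.sendall(cmd)
            replies.append(f.readline())
    return [r.decode().strip() for r in replies]


def demo(user="weez", password="constructed-password"):
    """Wire the three pieces together on ephemeral loopback ports and log in
    through the forwarder; returns the stub server's reply lines."""
    server_sock = socket.socket()
    server_sock.bind(("127.0.0.1", 0))
    server_sock.listen(1)
    fwd_sock = socket.socket()
    fwd_sock.bind(("127.0.0.1", 0))
    fwd_sock.listen(1)
    server_port = server_sock.getsockname()[1]
    fwd_port = fwd_sock.getsockname()[1]
    threading.Thread(target=pop3_stub_server, args=(server_sock,),
                     daemon=True).start()
    threading.Thread(target=forward_one,
                     args=(fwd_sock, ("127.0.0.1", server_port)),
                     daemon=True).start()
    try:
        return pop3_login_via("127.0.0.1", fwd_port, user, password)
    finally:
        server_sock.close()
        fwd_sock.close()


if __name__ == "__main__":
    print(demo())
```

Two practical notes on the real thing: later OpenSSH releases accept -N, which holds the forward open without running any remote command, so the long sleep is no longer needed; and choosing an unprivileged local port (say 1100 instead of 110) lets the tunnel run without root, provided your mail client can be told which port to use.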
I learned how to do this from the POP+SSH howto, which can be found at
http://metalab.unc.edu/pub/Linux/docs/howto/mini/Secure-POP+SSH . Of
course, feel free to post back if you've got questions or run into
problems.
John
--
# John Madden weez@xxxxxxxxxxxxxx ICQ: 2E68EA
# Sys-Admin / Webmaster, Avenir Web: http://avenir.dhs.org
# LANdb: Network Admin Database -- COMP Mailing List: Linux & Windows
# The NAN Project: Neighborhood Networks -- Tech Support Database
========================================
Avenir Web's Computers Mailing List
List Modes, Subscription, and General Info:
Go to http://avenir.dhs.org/mailing.html
List Archives: http://avenir.dhs.org/archives/
Administrative Contact: webmaster@xxxxxxxxxxxxxx
Get computer help: http://avenir.dhs.org
========================================