The FreeBSD Diary


qpopper with APOP 30 March 2001
The Post Office Protocol (POP) can be used to obtain your mail from a remote server. Mail can be delivered to a central location and everyone retrieves their mail from that box. This is fine over a trusted network (e.g. your home LAN). But over an untrusted network (e.g. the Internet), this is unsuitable. The password is transferred in clear text. APOP eliminates the clear text password issue by using a shared secret.

I'll show how I installed qpopper and then set up the APOP database.

You will need an APOP capable client.

Install
Since I have the entire ports tree installed, all I needed to do was:
cd /usr/ports/mail/qpopper
make install

Then I added the following line to /etc/inetd.conf:

pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s

Then I restarted inetd:

killall -HUP inetd

The APOP database
I started reading man qpopauth.  Guessing, I did the following steps:

# qpopauth -init
# qpopauth -user dan
Changing only APOP password for dan.
New password:
Retype new password:
# qpopauth -list ALL
dan: APOP SCRAM

The password I set above is what is known as the "shared secret".   That's what you set in your APOP client.

NOTE: if you add a user to the database, they must use APOP. They cannot use plain POP. If they try to use plain POP, they will be told their password is incorrect.

/etc/hosts.allow

Don't forget to allow qpopper access via /etc/hosts.allow. Here's what I added to my file. Adjust for your domain.

qpopper : .example.org : allow

This will allow anyone from example.org to use qpopper. They will still have to authenticate as usual (user id, password, shared secret).

A word of caution
APOP doesn't secure your mail messages.  All it does is secure your password.  Your mail message will still be downloaded in clear text.  But that's not really a security issue. Chances are, your mail was delivered to your mail server in clear text too.  Only you can decide if APOP is appropriate to your location.

stunnel 31 March 2001
Felipe Gustavo de Almeida wrote in to say that stunnel encrypts all POP data.

Have a read of this from /usr/ports/security/stunnel/pkg-descr:

The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware daemons running on your system you can easily setup them to communicate with clients over secure SSL channel. stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.

WWW: http://www.stunnel.org/

popauthd 4 April 2001
Rob Hudson wrote in to say:

There is an excellent article about authenticating users for mail relaying when they check their email via POP. Complete with perl scripts, etc.

http://straylight.primelogic.com/popauthd/

