The Post Office Protocol (POP) can be used to obtain your mail from a
remote server. Mail can be delivered to a central location and everyone retrieves
their mail from that box. This is fine over a trusted network (e.g. your home LAN).
But over an untrusted network (e.g. the Internet), this is unsuitable. The
password is transferred in clear text. APOP eliminates the clear text password issue by
using a shared secret.
I'll show how I installed qpopper and then set up the APOP
I started reading man qpopauth. Guessing, I did the
# qpopauth -init
# qpopauth -user dan
Changing only APOP password for dan.
Retype new password:
# qpopauth -list ALL
dan: APOP SCRAM
The password I set above is what is known as the "shared secret".
That's what you set in your APOP client.
NOTE: if you add a user to the database, they must use APOP. They cannot use plain POP.
If they try to use plain POP, they will be told their password is incorrect.
Don't forget to allow qpopper access via /etc/hosts.allow.
Here's what I added to my file. Adjust for your domain.
qpopper : .example.org : allow
This will allow anyone from example.org to use qpopper. They
will still have to authenticate as usual (user id, password, shared secret).
A word of caution
APOP doesn't secure your mail messages. All it does is secure your
password. Your mail message will still be downloaded in clear text. But that's
not really a security issue. Chances are, your mail was delivered to your mail server in
clear text too. Only you can decide if APOP is appropriate to your location.
stunnel - 31 March 2001
Felipe Gustavo de Almeida wrote in to say that stunnel encrypts
all POP data.
Have a read of this from /usr/ports/security/stunnel/pkg-descr:
The stunnel program is designed to work as SSL encryption wrapper between remote
client and local (inetd-startable) or remote server. The concept is that having non-SSL
aware daemons running on your system you can easily setup them to communicate with
clients over secure SSL channel. stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs'
popautd - 4 April 2001
Rob Hudson wrote in to say:
There is an excellent article about authenticating users for mail relaying when they
check their email via POP. Complete with perl scripts, etc.