This is a discussion on "Newbie setting up a pop server" within the Linux Security forums, part of the System Security and Security Related category.
Hello All,

I am seeking advice in setting up a secure pop server. My goal is to have no clear text transmission and also a secure transfer from client to server and server to client. I am currently running redhat 9 and have this layout in mind. I would have qpopper as the server (or the default server for redhat which I think is ipop3d?), and use a stunnel wrap to encrypt my pop3 port (995), which uses the openssl library from what I read.

Now for the questions. First off I am not sure what the difference is between qpopper and the default ipop3d? Is there a conflict with ipop3d and openssl? Next are there any security flaws in my layout, or maybe complications/conflicts with these programs? Lastly is the reason for qpopper instead of ipop3d because qpopper supports APOP which can be used to encrypt user passwords?

Any help would be great, I am very confused.
Thanks in advance
-Barry
Barry wrote:

> Hello All,
>
> I am seeking advice in setting up a secure pop server. My goal is
> to have no clear text transmission and also a secure transfer from
> client to server and server to client. I am currently running redhat 9
> and have this layout in mind. I would have qpopper as the server (or
> the default server for redhat which I think is ipop3d?), and use a
> stunnel wrap to encrypt my pop3 port (995), which uses the openssl
> library from what I read. Now for the questions.

Don't bother. The wu-imapd based imap distribution in RedHat 9 includes ipop3d, which incorporates SSL compatibility directly into the daemon. Just run "chkconfig pop3s" and "service xinetd restart", and you should be up and running.

> First off I am not sure what the difference is between qpopper and the
> default ipop3d? Is there a conflict with ipop3d and openssl? Next are
> there any security flaws in my layout, or maybe complications/
> conflicts with these programs?

Just that you're adding new components that you don't need to do a job that is already more easily accomplished. Mind you, there are other reasons to dislike the wu-imapd, but those are mostly IMAP reasons involving where it thinks your email is stored.

> Lastly is the reason for qpopper instead of ipop3d because qpopper
> supports APOP which can be used to encrypt user passwords?
> Any help would be great, I am very confused.
> Thanks in advance
> -Barry

I'm not sure why you want qpopper. Try pop3s and see if it works.
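The thread's stated goal is no cleartext transmission, and the reply above turns on pop3s through xinetd. As an added example that is not part of the thread, this check lists which xinetd mail services are enabled and flags any plain POP/IMAP service left on beside the SSL one. The sample directory, its file names (ipop3, pop3s, imap) and the server paths are constructed assumptions standing in for /etc/xinetd.d.

```shell
#!/bin/sh
# Added example (not from the thread): audit xinetd mail services for cleartext.

# enabled_services DIR: print each xinetd service in DIR that is not disabled.
# xinetd treats a stanza without "disable = yes" as enabled.
enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            $1 ~ /^#/          { next }
            $1 == "service"    { name = $2; off = 0; next }
                               { line = $0; gsub(/[ \t]/, "", line) }
            line ~ /^disable=/ { off = (line == "disable=yes") }
            $1 == "}"          { if (name != "" && !off) print name; name = "" }
        ' "$f"
    done
}

# cleartext_enabled DIR: enabled services that send passwords and mail
# unencrypted (plain POP2/POP3/IMAP), space-separated; empty means none.
cleartext_enabled() {
    enabled_services "$1" | grep -E '^(pop2|pop3|imap)$' | sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample directory standing in for /etc/xinetd.d (assumed layout).
SAMPLE=$(mktemp -d)
write_stanza() {   # write_stanza FILE SERVICE SERVER DISABLE
    printf 'service %s\n{\n\tsocket_type = stream\n\twait = no\n\tuser = root\n\tserver = %s\n\tdisable = %s\n}\n' \
        "$2" "$3" "$4" > "$SAMPLE/$1"
}
write_stanza ipop3 pop3  /usr/sbin/ipop3d no    # plain POP3 left on
write_stanza pop3s pop3s /usr/sbin/ipop3d no    # SSL-wrapped POP3
write_stanza imap  imap  /usr/sbin/imapd  yes   # plain IMAP off

echo "enabled:   $(enabled_services "$SAMPLE" | sort | tr '\n' ' ')"
echo "cleartext: $(cleartext_enabled "$SAMPLE")"
```

Run against the real /etc/xinetd.d, an empty "cleartext" line means xinetd is only answering on the SSL-wrapped services.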
"Nico Kadel-Garcia" <nkadel@verizon.net> wrote in message news:_IXJa.2763$QN3.1357@nwrdny03.gnilink.net...

> Barry wrote:
>
> > Hello All,
> >
> > I am seeking advice in setting up a secure pop server. My goal is
> > to have no clear text transmission and also a secure transfer from
> > client to server and server to client. I am currently running redhat 9
> > and have this layout in mind. I would have qpopper as the server (or
> > the default server for redhat which I think is ipop3d?), and use a
> > stunnel wrap to encrypt my pop3 port (995), which uses the openssl
> > library from what I read. Now for the questions.
>
> Don't bother. The wu-imapd based imap distribution in RedHat 9 includes
> ipop3d, which incorporates SSL compatibility directly into the daemon.
> Just run "chkconfig pop3s" and "service xinetd restart", and you should
> be up and running.
>
> > First off I am not sure what the difference is between qpopper and the
> > default ipop3d? Is there a conflict with ipop3d and openssl? Next are
> > there any security flaws in my layout, or maybe complications/
> > conflicts with these programs?
>
> Just that you're adding new components that you don't need to do a job
> that is already more easily accomplished. Mind you, there are other
> reasons to dislike the wu-imapd, but those are mostly IMAP reasons
> involving where it thinks your email is stored.
>
> > Lastly is the reason for qpopper instead of ipop3d because qpopper
> > supports APOP which can be used to encrypt user passwords?
> > Any help would be great, I am very confused.
> > Thanks in advance
> > -Barry
>
> I'm not sure why you want qpopper. Try pop3s and see if it works.
>

FYI: Recompiling from source is necessary in RH9 if you are going to use SquirrelMail as a webmail interface. AUTH=LOGIN needs to be enabled for Squirrely to work. Make sure you have OpenSSL installed.

The simplest solution is to change SSLTYPE to:

    SSLTYPE=unix

and compile using

    make lnp

The reason I mention this is you can ALSO change where WU thinks your mail is by modifying <pathtocode>/src/osdep/unix/env_unix.c from

    static char *myMailboxDir = NIL

to

    static char *myMailboxDir = "mail"

or whatever. Then add this default directory to /etc/skel for new users. Your IMAP folders will then exist in ~/mail

ken k
Kenneth A Kauffman wrote:

> "Nico Kadel-Garcia" <nkadel@verizon.net> wrote in message
> news:in7Ka.14952$Kg7.14651@nwrdny01.gnilink.net...
>
> **********************
> Ah. I think that I use the 'save' option in the mail.rc which gets around
> this. Can't quite remember what the setting is. I just don't use mboxes
> since it's a home box. I'll need to look into this as I certainly don't want
> to keep everything in queue on production systems.

It's not enabled by default in the RedHat RPM; you do need to patch the spec file and recompile to disable a RedHat patch to restore this behavior. You also need to "touch ~username/mbox; chmod 600 ~username/mbox" to start it being used.

The use of mbox also causes oddness with clients who may, for example, be allowed to NFS mount /var/spool/mail, but they can just learn to use IMAP. If you're allowing NFS mounts of /var/spool/mail, you have a lot more security issues than I want to think about.

> **********************
> Interesting rant :)

Yeah, it's an old sore point.