Auth/system-auth & POP3 daemon

bscott at ntisys.com bscott at ntisys.com
Tue Aug 24 22:07:00 EDT 2004


On Tue, 24 Aug 2004, at 2:39pm, brian at datasquire.net wrote:
> Exactly. But... Why would it work fine over one interface but time out on
> the other?  xinetd is not bound to any specific interface.

  I doubt it has anything to do with the interfaces involved, but rather,
the networks (and firewalls and routers and filters (Oh my!)) between you and
the other system.

  Let's say your server is named Giant and your client is named Tiny.

  You see, nominally, if Tiny does not support AUTH (i.e., Tiny is not
running identd or an equivalent), then there will be nothing listening on
TCP port 113 on Tiny.  If xinetd on Giant sends an AUTH request to Tiny,
then Tiny will respond with an ICMP "Destination Port Unreachable" message.  
xinetd on Giant then knows that it is not going to get an AUTH response, and
continues without the username.

  But suppose Tiny is out in the great big world.  Any number of ISP
routers, home NAT boxes, corporate firewalls, or network gremlins may drop
the AUTH request, or drop the ICMP "Destination Port Unreachable" response.  
(There are a lot of IWFs who think ICMP is a hacking tool.  *sigh*)

  So now, when Giant sends an AUTH request to Tiny, it gets... nothing...  
back.  So xinetd on Giant has to sit there for 30 seconds (or whatever),
until it times out, and assumes it is never going to get a response, one way
or the other.

On Tue, 24 Aug 2004, at 2:55pm, brian at datasquire.net wrote:
> Now the only possible setting I know of that might do this is (from
> /etc/xinetd.d/ipop3):
>
>          log_on_success          += USERID
>
> Could this be it?

  Absolutely.

> If so, how can I continue to log the userid without the auth request?

  xinetd cannot log the user ID without AUTH.  However, chances are, xinetd
will not be able to log the user ID even *with* AUTH.  Most systems don't
support AUTH these days.  Even if they did support it, AUTH is *completely*
untrustworthy.  All it does is ask the other system "Who are you?" and take
whatever the other system says as law.  You might as well just filter the
evil bit in your routers (see RFC-3514).

  So, basically, forget about xinetd logging the user ID.

  Your POP3 daemon, however, presumably requires a username and password.  
Those are much harder to fake.  I expect your POP3 daemon logs whatever
details about user authentication it gets.  So don't worry about xinetd
logging the user ID anyway; it's the wrong tool for that job.

  Of course, ordinary POP3 is still clear-text, meaning the
username/password are easily sniffed, and most email is hideously insecure
anyway.  But hey, you have to start somewhere.  :)

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
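The three outcomes described above (no identd on the client, a network that silently drops the lookup, and a client whose identd answers with whatever it likes) can be shown with a small stand-in for the AUTH/ident lookup. This is an added example, not code from the post and not xinetd's own implementation; it performs the RFC 1413 exchange in Python with an injectable connector so the cases run offline, the 30-second default timeout is chosen to match the figure in the post rather than xinetd's real setting, and the host name and reply text are constructed.

```python
import socket

IDENT_PORT = 113  # TCP port an identd listens on (RFC 1413)


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict.

    Reply forms:  "<ports> : USERID : <os> : <user>"  or  "<ports> : ERROR : <code>"
    Whatever <user> contains is the remote host's unverified claim: the
    querying side has no way to check it, which is why it is not worth logging.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) >= 4 and parts[1].upper() == "USERID":
        return {"status": "USERID", "ports": parts[0], "os": parts[2], "user": parts[3]}
    if len(parts) == 3 and parts[1].upper() == "ERROR":
        return {"status": "ERROR", "ports": parts[0], "error": parts[2]}
    return {"status": "MALFORMED", "raw": line.strip()}


def ident_lookup(client_host, client_port, server_port,
                 connector=socket.create_connection, timeout=30.0):
    """Ask client_host's identd who owns the connection client_port -> server_port.

    Returns a dict whose "status" is REFUSED (the client actively rejected the
    connection, so there is no identd and no waiting), TIMEOUT (nothing came
    back before `timeout` seconds, the filtered-network case), or the parsed
    reply.  `connector` defaults to socket.create_connection and is injectable
    so the behaviour can be demonstrated without a network.
    """
    try:
        with connector((client_host, IDENT_PORT), timeout=timeout) as sock:
            # RFC 1413 query: "<port on the identd host> , <port on the querying host>"
            sock.sendall(f"{client_port} , {server_port}\r\n".encode("ascii"))
            buf = b""
            while b"\n" not in buf and len(buf) < 1024:
                chunk = sock.recv(256)
                if not chunk:
                    break
                buf += chunk
            return parse_ident_reply(buf.decode("ascii", "replace"))
    except ConnectionRefusedError:
        return {"status": "REFUSED"}
    except (socket.timeout, TimeoutError):
        return {"status": "TIMEOUT"}


class _FakeSocket:
    """Constructed stand-in for a connected TCP socket that replays a canned reply."""

    def __init__(self, reply):
        self.reply = reply

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def sendall(self, data):
        self.sent = data

    def recv(self, n):
        data, self.reply = self.reply[:n], self.reply[n:]
        return data


def make_connector(reply=b"", error=None):
    """Return a connector that either raises `error` or hands back a fake socket."""
    def connector(address, timeout=None):
        if error is not None:
            raise error
        return _FakeSocket(reply)
    return connector


def demo():
    """Run the three cases from the post offline and return their results."""
    cases = {
        "no_identd": make_connector(error=ConnectionRefusedError()),   # nothing on port 113
        "filtered": make_connector(error=socket.timeout()),           # request or reply dropped
        "identd": make_connector(reply=b"6193 , 110 : USERID : UNIX : alice\r\n"),
    }
    # Constructed values: client "tiny.example" on port 6193 talking to our POP3 port 110
    return {name: ident_lookup("tiny.example", 6193, 110, connector=conn, timeout=0.1)
            for name, conn in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>9}: {result}")
```

The "filtered" case is the one that costs the full timeout on every POP3 connection while `log_on_success += USERID` is set; the "identd" case shows that even a successful lookup only yields a string the remote host chose, so the POP3 daemon's own authentication log remains the place to look for a real user name.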