Auth/system-auth & POP3 daemon

Brian Chabot brian at datasquire.net
Wed Aug 25 02:12:01 EDT 2004


bscott at ntisys.com wrote:

>   But suppose Tiny is out in the great big world.  Any number of ISP
> routers, home NAT boxes, corporate firewalls, or network gremlins may drop
> the AUTH request, or drop the ICMP "Destination Port Unreachable" response.  
> (There are a lot of IWFs who think ICMP is a hacking tool.  *sigh*)

*sigh*, indeed.  ICMP is also an amazing tool for looking at network 
statistics and monitoring the connectivity of remote systems.

>   So now, when Giant sends an AUTH request to Tiny, it gets... nothing...  
> back.  So xinetd on Giant has to sit there for 30 seconds (or whatever),
> until it times out, and assumes it is never going to get a response, one way
> or the other.

That's what I thought was going on, but really I wasn't sure.  It felt 
more like a hunch than a conclusion. Thanks for the corroboration.

>>         log_on_success          += USERID
>>
>>Could this be it?
> 
> 
>   Absolutely.

[snip]

>   So, basically, forget about xinetd logging the user ID.
> 
>   Your POP3 daemon, however, presumably requires a username and password.  
> Those are much harder to fake.  I expect your POP3 daemon logs whatever
> details about user authentication it gets.  So don't worry about xinetd
> logging the user ID anyway; it's the wrong tool for that job.

Gotchya.

>   Of course, ordinary POP3 is still clear-text, meaning the
> username/password are easily sniffed, and most email is hideously insecure
> anyway.  But hey, you have to start somewhere.  :)

As I said in my original post, it's not my choice.  I much prefer secure 
imap and a disk quota.  My client insists their users need POP3.  They 
have been warned.  I wonder if I can disable POP3 on accounts with sudo 
access... kind of like the ftp.users file or something.  I'll have to 
look into that idea...

Anyway, thank you.  I'm still waiting to hear from the end user to see 
if the problem is resolved.

Brian
-- 
---------------------------------------------------------------
|   brian at datasquire.net            http://www.hirebrian.net  |
|                Simply the Best IT/MIS Manager               |
|          Self-taught, Fast Learner, and Team Player         |
|            Ready to Start TODAY at Your Company.            |
---------------------------------------------------------------
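
An added example, not part of the original message or thread: a small audit that reports which xinetd services end up with USERID in log_on_success or log_on_failure, and so trigger the AUTH lookup and timeout discussed above. The sample configuration is constructed, the function names are hypothetical, and the handling of `defaults` with `=`, `+=` and `-=` is this example's simplified model of how xinetd combines those attributes.

```python
import re

# Constructed sample in xinetd.conf syntax (not taken from the thread).
SAMPLE = """
defaults
{
    log_on_success = HOST PID
    log_on_failure = HOST
}
service pop3
{
    log_on_success += USERID
    log_on_failure += USERID
}
service imaps
{
    log_on_success += DURATION USERID   # added, then removed again
    log_on_success -= USERID
}
"""

STANZA = re.compile(r"^\s*(defaults|service\s+(\S+))\s*\{(.*?)^\s*\}", re.M | re.S)
ATTR = re.compile(r"^[ \t]*(log_on_(?:success|failure))[ \t]*(\+=|-=|=)[ \t]*(.*?)[ \t]*$", re.M)

def merge(base, body):
    """Apply a stanza's =, += and -= assignments on top of inherited values."""
    vals = {k: set(v) for k, v in base.items()}
    for key, op, rhs in ATTR.findall(body):
        words, cur = set(rhs.split()), vals.get(key, set())
        vals[key] = words if op == "=" else ((cur | words) if op == "+=" else (cur - words))
    return vals

def ident_services(text):
    """Return {service: [log attributes whose effective value includes USERID]}."""
    stanzas = STANZA.findall(re.sub(r"#.*", "", text))  # drop comments first
    defaults = {}
    for head, _, body in stanzas:
        if head == "defaults":
            defaults = merge(defaults, body)
    hits = {}
    for _, name, body in stanzas:  # name is empty for the defaults stanza
        flagged = sorted(k for k, v in merge(defaults, body).items() if "USERID" in v)
        if name and flagged:
            hits[name] = flagged
    return hits

if __name__ == "__main__":
    for svc, attrs in ident_services(SAMPLE).items():
        print(f"{svc}: AUTH lookup triggered by {', '.join(attrs)}")
```
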



More information about the gnhlug-discuss mailing list