Date:      Tue, 29 Dec 2009 13:55:14 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        Anton Shterenlikht <mexas@bristol.ac.uk>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: fetchmail and plain text password
Message-ID:  <20091229125514.GA27042@slackbox.xs4all.nl>
In-Reply-To: <20091229111150.GA15440@mech-cluster241.men.bris.ac.uk>
References:  <20091228151553.GA7478@mech-cluster241.men.bris.ac.uk> <20091228173515.GA27630@slackbox.xs4all.nl> <20091229111150.GA15440@mech-cluster241.men.bris.ac.uk>

On Tue, Dec 29, 2009 at 11:11:50AM +0000, Anton Shterenlikht wrote:
> >
> > With these changes, only you and the superuser can read that file.
>
> yes, an attacker gaining superuser access is my worry.
> I'm reading Garfinkel and Spafford (1996) Practical UNIX & Internet Security
> (a bit out of date, I know. I ordered the 3rd edition, 2003),
> and I realised there are a lot of potential security issues, of which
> I wasn't aware. Things like SUID/SGID files could be an issue,
> and lots of other things.

If an attacker gains superuser privilege, you're screwed. But remote attacks
are the least of your worries, IMHO. If an attacker has physical access to
your machine, he can simply rip out the hard disk and peruse its contents at
his leisure. That is why you need disk encryption. Or he could put a hardware
keylogger between your keyboard and the computer to get your passwords.

So,

1) Make sure that the room where your machine is located can be
   and is locked when you are away, denying attackers physical access.
2) Encrypt those partitions that contain sensitive data using geli(8), in
   case (1) fails.

After that you can start worrying about remote attacks.

3) Activate a firewall that is set up to deny incoming connections by
   default, unless they go to a port that is allowed.
4) If you need to run servers, consider running them in a jail(8) or at
   least in a chroot(8) environment. Look e.g. how it is done for named(8),
   see /etc/rc.d/named.

> > I'd be more worried that your password is sent as plaintext over the
> > network using e.g. POP3. You should use the --ssl option if your
> > mailserver allows it.
>
> it looks like it doesn't allow ssl.

Does it allow SSH connections to the mail machine, so you can tunnel
fetchmail over ssh? Look at the ssh(1) manpage, specifically the '-L' port
forwarding option.

> > > Or maybe there is another software solution
> > > altogether?
> >
> > Presumably you are running a mailserver on your box. You can ask the
> > administrator to forward mail to your machine by making an MX record
> > for it.
>
> not sure I understand you here. I run sendmail daemon just for sending
> mail out of the box, and delivery of internal mail inside the box. Sendmail
> doesn't listen for any incoming connections.
> Could you please elaborate, or give a link.

Your mail admin should set up the uni's MTA so that mail for you is sent to
the MTA on your machine. You should set up your MTA and firewall so that
your MTA will and can listen for incoming connections and process them. If
the uni's mailserver holds on to mail and tries to deliver it at intervals,
this is called batched SMTP or bSMTP; if it tries to deliver immediately, it
is just SMTP. Note that for SMTP to work, your machine had best be on 24/7.

The details of how this is done depend on the MTA that you and the
university are using, and e.g. if address rewriting is used and if so, how.

The most common scenario would be that when an e-mail for you arrives at the
uni mailserver, it re-writes the address from <mexas@bristol.ac.uk> to
<mexas@yourmachine.bristol.ac.uk>, where 'yourmachine' is the hostname of
your machine on the university network. It would then forward the mail to
the MTA on yourmachine.bristol.ac.uk. An opposite rewrite should be done
when your MTA pushes stuff to the uni webserver. But whether your MTA should
do that or the uni's MTA is a question of policy.

In short: for details, talk to a mail/network administrator. :-)

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
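
The two checks discussed in this thread (who can read the file holding the password, and whether the password crosses the network without SSL or an ssh tunnel), as an added example that is not part of the original message: a Python audit of a fetchmailrc file. It assumes an ssh -L tunnel shows up as a poll of localhost or a "via localhost" clause; the host name, user, password and port 1110 in the sample are constructed.

```python
import os
import shlex
import stat
import tempfile

# Constructed sample: host, user, password and port 1110 are made up.
SAMPLE = """\
# direct POP3, no ssl
poll mail.example.org proto pop3 user "alice" password "s3cret"
# same server reached through the local end of an ssh -L forward
poll mail.example.org via localhost port 1110 user "alice" password "s3cret"
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ENTRY_START = {"poll", "skip", "defaults"}
TAKES_VALUE = {"user", "username", "pass", "password"}

def audit_fetchmailrc(path):
    """Return a list of findings for the fetchmailrc file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:03o}: accessible to group or others")
    with open(path) as fh:
        raw = shlex.split(fh.read(), comments=True)
    # Mask user names and passwords so their text is never read as a keyword.
    tokens, mask = [], False
    for tok in raw:
        tokens.append("<value>" if mask else tok)
        mask = not mask and tok in TAKES_VALUE
    # Group the token stream into one list per server entry.
    entries = []
    for tok in tokens:
        if tok in ENTRY_START:
            entries.append([tok])
        elif entries:
            entries[-1].append(tok)
    for entry in entries:
        if entry[0] == "defaults" or len(entry) < 2:
            continue
        host = entry[1]
        # "via" names the host actually contacted, e.g. a forwarded local port.
        target = entry[entry.index("via") + 1] if "via" in entry[:-1] else host
        has_password = "pass" in entry or "password" in entry
        if has_password and "ssl" not in entry and target not in LOOPBACK:
            findings.append(f"{host}: password without ssl or a local tunnel")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w") as tmp:
        tmp.write(SAMPLE)
        tmp.flush()
        os.chmod(tmp.name, 0o644)  # deliberately too open for the demo
        print("\n".join(audit_fetchmailrc(tmp.name)))
```

The check only looks at the configuration; it does not verify that the ssh tunnel is actually up when fetchmail runs.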
