From conover@inow.com Sun Sep 26 20:57:47 1999
Date: 26 Sep 1999 20:48:15 -0000
From: John Conover
To: svlug@svlug.org
Subject: Re: [svlug] POP3 over SSL

> I'm trying to solve the problem of POP3 (or IMAP) passwords being
> sent in the clear:
>
> Is there a fetchmail-type tool that runs over SSL?
>
> I'm aware that the IMAP RFC allows crypted passwords to be sent
> instead. Which, if any, of the available IMAP daemons and
> fetchmail-type clients support this?

If both you and your isp have ssh/sshd running, (and they should,) put
the following in your ~/.fetchmailrc:

    defaults
        user yourpopname is yourlocalname
        norewrite

    poll localhost with protocol pop3 and port 11110:
        preconnect "ssh -x -C -f yourpopname@yourisp.com -L 11110:yourisp.com:110 sleep 5"
        password yourpoppasswd;

which runs the entire transaction, including email transfer, over an ssh
tunnel, i.e., everything is encrypted, and the passwd sequence is RSA
encrypted.

Or, if your isp offers uucp, (and many do,) and you are concerned about
security, you can do uucp over tcp/ip by putting the following in
/usr/lib/uucp/taylor_config/port:

    port port3
    type pipe
    command /usr/whereever/ssh -a -x -q youruucpaddress@yourisp.com /usr/lib/uucp/uucico
    reliable true
    protocol etyig

/usr/lib/uucp/taylor_config/call:

    yourisp youruucpaddress youruucppasswd

/usr/lib/uucp/taylor_config/config:

    hostname yourhostname
    sysfile /usr/lib/uucp/taylor_config/sys.yourisp

/usr/lib/uucp/taylor_config/sys.yourisp:

    system yourisp
    call-login *
    call-password *
    called-login youruucpname
    time any
    commands rmail
    myname yourname
    port port3
    chat "" \c

Uucp is a favorite of certain government agencies that are concerned
about security. The local machine will only contact one machine on the
Internet, for all email I/O to the Internet, and that machine will never
have access to the inet facilities on the local machine. All
transactions between the two machines are fully encrypted, and the
passwd exchanges are via RSA.

In addition, if you use qmail, (which is, also, a favorite of the same
government agencies,) you can shuffle user and domain names around such
that the local domain name is never known on the Internet, but the
mapping between the two is completely transparent to the user. Many use
smtp for a virtual domain for outgoing mail, connecting only to a single
known host on the Internet. Port 25 is usually the only operational
port, (inetd is disabled,) and is protected via tcpserver in such cases.
Note that the MX has to point at the isp's mail server.

John

--
John Conover, 631 Lamont Ct., Campbell, CA., 95008, USA.
VOX 408.370.2688, FAX 408.379.9602, whois '!JC154'
conover@inow.com, http://www2.inow.com/~conover/john.html
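An added example, not from John's post: a shell script that opens the same kind of ssh tunnel for fetchmail but waits until the forwarded port actually answers before polling, instead of hoping that "sleep 5" is long enough, and binds both ends of the forward to loopback. yourpopname, yourisp.com and port 11110 are placeholders as in the post; it assumes the ISP's POP3 daemon accepts connections on its own loopback interface (127.0.0.1:110).

```shell
#!/bin/bash
# Added example, not code from the original post. Placeholders: yourpopname,
# yourisp.com, local port 11110. Assumes the POP3 daemon on the ISP host
# listens on that host's loopback interface (127.0.0.1:110).

# Build the ssh command for the tunnel. -N: no remote command, -f: go to
# the background once authenticated, -x: no X11 forwarding, -C: compress.
# Binding the local end to 127.0.0.1 keeps other LAN hosts off the tunnel;
# targeting 127.0.0.1 on the far end keeps the plaintext POP3 hop on-host.
tunnel_cmd() {
  local user="$1" host="$2" lport="$3" rport="${4:-110}"
  printf 'ssh -x -C -N -f -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
    "$lport" "$rport" "$user" "$host"
}

# One TCP probe of host:port using bash's /dev/tcp (no extra tools needed).
port_open() {
  (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Poll once a second until the port answers; give up (return 1) after $3 seconds.
wait_for_port() {
  local host="$1" port="$2" timeout="${3:-15}" waited=0
  while ! port_open "$host" "$port"; do
    waited=$((waited + 1))
    [ "$waited" -ge "$timeout" ] && return 1
    sleep 1
  done
  return 0
}

main() {
  local user=yourpopname host=yourisp.com lport=11110
  eval "$(tunnel_cmd "$user" "$host" "$lport")" || exit 1
  wait_for_port 127.0.0.1 "$lport" 15 || { echo "tunnel never came up" >&2; exit 1; }
  # Talk only to the local end of the tunnel; the POP3 password never
  # leaves this machine in the clear.
  fetchmail -p pop3 -P "$lport" -u "$user" localhost
}

# Only open the tunnel when asked (RUN_TUNNEL=1), so the functions can be
# sourced or tested without contacting any host.
if [ "${RUN_TUNNEL:-0}" = 1 ]; then main "$@"; fi
```

Run it with RUN_TUNNEL=1 to actually open the tunnel and poll the mailbox.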