[Cialug] pop-before-smtp

Jon Clemons clemdog at marshallnet.com
Wed Sep 28 20:38:19 CDT 2005 

With Postfix there isn't any real reason you can't just do SMTP Auth
with TLS then you won't have that problem or paranoia:)
That way it requires username and password to send mail
and the communication is encrypted.



----- Original Message ----- 
From: "Tom Pohl" <tom at tcpconsulting.com>
To: "Central Iowa Linux Users Group" <cialug at cialug.org>
Sent: Wednesday, September 28, 2005 8:26 PM
Subject: Re: [Cialug] pop-before-smtp


>I use it and agree, yes, you are being paranoid.  In my setup (qmail  
> with vpopmail), the entry lasts for 60 minutes and yes, everyone from  
> behind that IP can theoretically relay through your SMTP server.
> 
> While you're being paranoid, you should use a VPN connection to  
> another network so you're coming from a different IP and because you  
> don't want the guy with the sniffer to know you're using POP3 without  
> SSL :)
> 
> -Tom
> 
> 
> On Sep 28, 2005, at 6:30 PM, David Champion wrote:
> 
>> Anyone here running pop-before-smtp?
>>
>> I think I have it all working correctly (the Perl version). Once I  
>> check my email via pop (actually, imap in this case) it writes an  
>> entry in the /etc/postfix/pop-before-smtp.db and then allows that  
>> IP address to relay email.
>>
>> The main problem I see with this once one person authenticates,  
>> then in theory anyone could relay mail. So if I'm at a Starbuck's,  
>> and send an email, a spammer could in theory start using me as a  
>> relay. I tested this and I can send email from a different PC  
>> within my firewall once I've authenticated from my PC - since they  
>> both look like they're coming from the same IP address from the  
>> outside. I know this is being paranoid... but it would be pretty  
>> trivial to figure out using a packet sniffer.
>>
>> The docs mention that the relaying is supposed to be open for only  
>> a "very short time". I don't see a mechanism for it to clear the  
>> records out of the hash db... maybe there's a time stamp in there  
>> too. When I did it, there was a minute or two between the  
>> authentication, and the "bogus" relaying that got thru.
>>
>> -dc
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
>>
> 
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>

More information about the Cialug mailing list