[Cialug] pop-before-smtp
David Champion
dave at visionary.com
Thu Sep 29 10:35:30 CDT 2005
I tried smtp_auth and couldn't get it to work. After spending way too
much time on that, I got pop-before-smtp working in 5 minutes.
-dc
Jon Clemons wrote:
> With Postfix there isn't any real reason you can't just do SMTP Auth
> with TLS; then you won't have that problem or paranoia :)
> That way it requires username and password to send mail
> and the communication is encrypted.
>
>
>
> ----- Original Message -----
> From: "Tom Pohl" <tom at tcpconsulting.com>
> To: "Central Iowa Linux Users Group" <cialug at cialug.org>
> Sent: Wednesday, September 28, 2005 8:26 PM
> Subject: Re: [Cialug] pop-before-smtp
>
>
>> I use it and agree, yes, you are being paranoid. In my setup (qmail
>> with vpopmail), the entry lasts for 60 minutes and yes, everyone from
>> behind that IP can theoretically relay through your SMTP server.
>>
>> While you're being paranoid, you should use a VPN connection to
>> another network so you're coming from a different IP and because you
>> don't want the guy with the sniffer to know you're using POP3 without
>> SSL :)
>>
>> -Tom
>>
>>
>> On Sep 28, 2005, at 6:30 PM, David Champion wrote:
>>
>>> Anyone here running pop-before-smtp?
>>>
>>> I think I have it all working correctly (the Perl version). Once I
>>> check my email via pop (actually, imap in this case) it writes an
>>> entry in the /etc/postfix/pop-before-smtp.db and then allows that IP
>>> address to relay email.
>>>
>>> The main problem I see with this is that once one person
>>> authenticates, then in theory anyone could relay mail. So if I'm at a
>>> Starbucks, and send an email, a spammer could in theory start using
>>> me as a relay.
>>> I tested this and I can send email from a different PC within my
>>> firewall once I've authenticated from my PC - since they both look
>>> like they're coming from the same IP address from the outside. I
>>> know this is being paranoid... but it would be pretty trivial to
>>> figure out using a packet sniffer.
>>>
>>> The docs mention that the relaying is supposed to be open for only a
>>> "very short time". I don't see a mechanism for it to clear the
>>> records out of the hash db... maybe there's a time stamp in there
>>> too. When I did it, there was a minute or two between the
>>> authentication, and the "bogus" relaying that got thru.
>>>
>>> -dc
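
The shared-IP exposure discussed in this thread, as an added example that is not part of any poster's message: a small Python model comparing a relay table keyed by source IP with a per-session SMTP AUTH decision. The class names, the constructed addresses and the 60-minute window (the figure Tom gives for his qmail/vpopmail setup) are assumptions for illustration, not the pop-before-smtp daemon's code.

```python
# Added illustration: a toy model of pop-before-smtp relay authorization.
# All names and the 60-minute window are assumptions for the example.
from dataclasses import dataclass, field

WINDOW = 60 * 60  # seconds an IP stays authorized (assumed value)

@dataclass
class PopBeforeSmtp:
    """Relay table keyed only by the client's source IP, as the MTA sees it."""
    table: dict = field(default_factory=dict)  # public IP -> time of last POP/IMAP login

    def mail_login(self, public_ip, now):
        self.table[public_ip] = now

    def expire(self, now):
        # Drop entries older than the window; without this step they never go away.
        self.table = {ip: t for ip, t in self.table.items() if now - t < WINDOW}

    def may_relay(self, public_ip, now):
        self.expire(now)
        return public_ip in self.table

@dataclass
class SmtpAuth:
    """Relay decision bound to one SMTP session that presented credentials."""
    sessions: set = field(default_factory=set)

    def authenticate(self, session_id):
        self.sessions.add(session_id)

    def may_relay(self, session_id):
        return session_id in self.sessions

def nat(private_ip):
    """Constructed NAT: every host on the shared LAN leaves as one public address."""
    return "203.0.113.10"

def scenario():
    pbs, auth = PopBeforeSmtp(), SmtpAuth()
    pbs.mail_login(nat("192.168.1.20"), now=0)  # the account owner checks mail
    auth.authenticate("owner-session")          # the owner also logs in over SMTP AUTH
    return {
        "pbs_other_host_at_2min": pbs.may_relay(nat("192.168.1.77"), now=120),
        "pbs_other_host_after_window": pbs.may_relay(nat("192.168.1.77"), now=WINDOW + 1),
        "pbs_outside_ip": pbs.may_relay("198.51.100.5", now=120),
        "auth_owner": auth.may_relay("owner-session"),
        "auth_other_host": auth.may_relay("other-session"),
    }

if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {allowed}")
```
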