POP3 Security Issues

reynhout@quesera.com reynhout@quesera.com
Fri, 27 Nov 1998 17:11:28 -0500 (EST)


mreiter@gwillness.osd.mil writes:
> 
> My users want to use POP3 over the internet to access their e-mail through
> our firewall.  There is a POP3 proxy built in to the firewall (not
> currently on), but I am leery of ANY access through the firewall over the
> internet.  Does anyone know of security issues surrounding this?

You're definitely right to be concerned.

Unless you use an authenticated POP protocol, passwords are
in cleartext which can be an issue because people don't always
take sensible precautions regarding reusing passwords.

Mail itself is also unencrypted, so internal mail (which might
have higher expectations of net.safety) would be passed over
the unwashed internet when your users read it.

There was an overflow in an old version of Qualcomm's popper
program that involved a remote root shell.  This has been
fixed in recent versions, but the potential always exists.

Perhaps a compromise would be to get a list (hopefully short)
of users who need this, and push their mail out to a DMZ
host running a POP3 server.  Use rsync over ssh to move the
mail files, and it would be low bandwidth, safe, and open up
no holes INTO the firewall.  (Fetchmail wouldn't help here
because it only works as a pull mechanism.)

The DMZ POP host would be a sacrificial lamb sort of thing.
Expect it to get extra attention from the curious masses, and
make sure the users understand the vulnerabilities to their
mail and to the POP server (and the corresponding service
level guarantees).

You also might want to check around for a site security policy,
because I can't imagine that this would be permitted if one
exists.  VPN (or equivalent infrastructure with a different
buzzword) is really the only way to feel comfortable about this.

Problems like this are perfect applications for SKIP.  Someday.

Good luck,
Andrew
reynhout@quesera.com