http://www.Linux-Sec.net Hardening-Tightening Security_Policy Hardening-HOWTO Linux Distros Distro Patches Kernel-Patches Dedicated Servers Firewalls DNS Servers Mail Servers Web Servers Turn-Off Daemons Tighten Inetd Services Top-10 Vulnerabilities Top-7 Security Mistakes Top-10 Vulnerabilities Top-20 Most Critical Vulnerability Top-10 Virus Scans/Attacks Stats Top-10 Attacks Hacked Servers One Minute Audits OpenPorts Audit AntiVirus - AntiSpam Anti-Spam Anti-Virus spam.wav Wireless [In]Security Sniffers Security Tools SSH_SSL Firewalls MailServer FileSystem VPN Port Scan Detectors IDS Tools LogFile Analysis Ethernet Monitoring Server Monitoring Tracking & Forensics Hackers Tools Audit Tools Port Scanners Hacking Tools Sniffer Tools Exploits & Vulnerbilities Wireless Wireless [In]Security Misc Statistics Linux/BSD Distros Links,Articles,WatchDogs Security Mailing Lists/FAQs Liability Insurance 1U Rackmount Chassis Custom-Chassis.com Linux-1U.net 1U-ITX.net ITX-Blades.net Small PC cases Mini-Box.net Wrap-Box.net Wrap-OS.net Wan-Sim.net Linux-Consulting.com Linux-CAE.net Linux-Sec.net Linux-Boot.net Linux-Backup.net Linux-Wireless.org Linux-Office.net Linux-Video.net Linux-Jobs.net Linux-Diff.net 1U-Raid5.net Spam Reporting Free Linux CDs ISO9660.org Distro-CD.org Patch-CD.org Contact Linux is a registered trademark of Linus Torvalds More Linux Legalese

Linux-Sec.net/Mail Secure Mail Server Secure Pop3 Mail Servers MTA Secure-MTA Wireless-MTA WebMail Servers AntiVirus MIME Detach AntiSpam Sendmail Sendmail Install-HOWTO Example Sendmail Config FIles OpenRelay RBLs Filters RFCs Laws Mail Headers Mail Log Analyzers Monty-Python Songs Secure POP3 - Secure IMAP Minimum POP Mail Security Harden the POP server as if it was a secure firewall Run Secure POP3 and Secure IMAP daemons Restrict POP emails only from certain ip# ( /etc/hosts.allow ) All loginID should all be different loginID, emailID, pppID, vpnID, wirelessID .. All passwd should all be different preferably machine generated to guarantee randomness and a "good non-guessable" passwd do NOT let employee's use passwd at their (insecure) home PCs Let's assume a User named "John Smith" his email could be "jsmith@your-domain.com his login id at any PC should be different ( john ) different ID from the email address Assume that ALL wireless transmissions has already been sniffed by your competitors Never put your email/POP servers at your colo facility Locally encrypt all sensitive emails before sending/receiving Never send/read corporate emails outside of the corp firewalls do NOT use hotmail, excite, yahoo email accounts for corp business Netscape, Mozilla, Outlook, users.. First test regular pop3 ( 110 ) or regular imap ( 143 ) tests login and passwd and network all works fine Than, Turn on "SSL" options for secure POP3, secure IMAP Port Numbers Port Number Service/Function 20 ftp-data 21 ftp 22 ssh 23 telnet 25 smtp 110 pop3 143 imap 443 Secure http ( https ) 465 Secure smtp ( smpts ) 989 Secure ftp-data ( ftps-data ) 990 Secure ftp ( ftps-control ) 992 Secure telnet ( telnets ) 993 Secure imap ( imaps ) 995 Secure pop3 (pop3s) Additional SW Required for Secure POP3/IMAP OpenSSH.org OpenSSL.org STunnel.org xinetd.org Fix inetd.conf, hosts.allow/hosts.deny Linux-Sec.net/SSH SSH, SSL, SSLeay ... Linux-Sec.net/Harden hosts.allow/hosts.deny Secure POP3 - Secure IMAP HOWTO LinuxDocs.org Securing POP3 Over SSL ( RH-7.x ) SharkySoft.com Securing POP3 over SSL ( RH-7.x ) Ibiblio.org Secure-POP-SSH SecuriTeam.com Who Guards Your Front Door ( Securing POP3 ) Catastrophe.net Building a Secure POP3 (SPOP3) Server UPenn.edu Installing Kerberos Authenticated POP and IMAP Service Secure POP3/IMAP Daemons OpenWall.com popa3d Uva.nl Secure popa3d QPopper.org qpopper4 Eudora.com Qpopper4 ( pop3/imap ) QualComm.com Qpopper4 ( pop3/imap ) Qmail.org vpopmail - pwd-less virtual pop3 accts ?? VergeNet.net Secure POP3/IMAP4 SSLpop and SSLimap Debian.org courier-pop-ssl Debian.org courier-imap-ssl Debian.org ipopd-ssl Debian.org uw-imapd-ssl ftp.Debian.org fetchmail-ssl Insecure POP3/IMAP Daemons Insecure daemons can be wrapped w/ SSL or SSLwrap to make it secure apop == dont use in.pop3d == dont use Washington.edu IMAP Testing Secure POP3 Servers Tests that loginID and passwd is working properly type "quit" to exit the telnet test telnet localhost 110 -- regular POP3 should work telnet localhost 143 -- regular IMAP should work Telnet into a secure Server will fail due to wrong protocol telnet localhost 993 -- secure POP3s fails telnet localhost 995 -- secure IMAPs fails openssl s_client -connect $HOST:$PORT Use a SSL-capable client to do further Secure POP3/Secure IMAP testing netscape, mozilla, pine, mutt(?), MS outlook, ... Brute Force Testing POP3 passwd Hoobie.net Brutus SparkleWare.com Entry Hydra Configuring Secure POP3 Clients -- Linux Use Netscape/Mozilla email clients w/ SSL enabled Secure POP3 from remote POP servers tLDP.org SecurePOP + SSH ssh -C -f popserver -L 11110:popserver:110 sleep 5 ssh -q -L 4025:SMTP_MailServer:25 4110:POP3_Server:110 user@POP3_Server telnet localhost 11110 Qref.SourceForge.net POP3 Port Forwarding This is a secure way to make connections to SMTP/POP3 servers over the Internet ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server PPPL.gov stuff Redhat.com SSH Port Forwarding Secure IMAP over ssh ssh -q -L 3000:localhost:143 Imap_Server.domain.com Redhat.com SSH + imapd Configuring Secure POP3 Clients -- MS Windoze Auth.gr in greek but look at the MS pics anyway Microsoft.com How to fix 110 vs pop3s issue

Copyright © 2000	Linux-Consulting	All Rights Reserved.	Updated: Sun Nov 21 23:52:28 2004 PDT