Linux-Sec.net Linux-Security.net Hardening-Tightening Security_Policy Hardening-HOWTO Linux Distros Distro Patches Kernel-Patches Dedicated Servers Firewalls DNS Servers Mail Servers Web Servers Turn-Off Daemons Tighten Inetd Services Top-10 Vulnerabilities Top-10 Vulnerabilities Top-20 Most Critical Vulnerability Top-10 Virus One Minute Audits OpenPorts Audit AntiVirus - AntiSpam Anti-Spam Anti-Virus spam.wav Wireless [In]Security Sniffers Security Tools SSH_SSL Firewalls MailServer FileSystem VPN Port Scan Detectors IDS Tools LogFile Analysis Ethernet Monitoring Server Monitoring Tracking & Forensics Hackers Tools Audit Tools Port Scanners Hacking Tools DDOS Tools Sniffer Tools Spoof Tools Exploits & Vulnerbilities Wireless Wireless [In]Security Misc Statistics Linux/BSD Distros Links,Articles,WatchDogs Security Mailing Lists/FAQs Liability Insurance

Linux-Sec.net/Mail Secure Mail Server Secure Pop3 Mail Servers MTA Secure-MTA Wireless-MTA WebMail Servers AntiVirus MIME Detach AntiSpam Sendmail Sendmail Install-HOWTO Example Sendmail Config FIles OpenRelay RBLs Filters RFCs Laws Mail Headers Mail Log Analyzers Monty-Python Songs Secure POP3 - Secure IMAP Linux-Sec.net/Sniffer Sniffing pop3/imap email connections Minimum POP Mail Security Harden the POP server as if it was a secure firewall Run Secure POP3s ( 995 ) and Secure IMAPs ( 993 ) daemons do NOT use insecure pop3 ( port 110 ) do NOT use insecure imap ( port 143 ) Restrict POP emails only from certain ip# ( /etc/hosts.allow ) All loginID should all be different loginID, emailID, pppID, vpnID, wirelessID .. All passwd should all be different preferably machine generated to guarantee randomness and a "good non-guessable" passwd do NOT let employee's use passwd at their (insecure) home PCs Let's assume a User named "John Smith" his email could be "jsmith@your-domain.com his login id at any PC should be different ( john ) different ID from the email address Assume that ALL wireless transmissions has already been sniffed by your competitors Never put your email/POP servers at your colo facility Locally encrypt all sensitive emails before sending/receiving Never send/read corporate emails outside of the corp firewalls do NOT use hotmail, excite, yahoo email accounts for corp business Netscape, Mozilla, Outlook, users.. First test regular pop3 ( 110 ) or regular imap ( 143 ) tests login and passwd and network all works fine Than, Turn on "SSL" options for secure POP3, secure IMAP RFCs and Port Numbers ietf.org RFC 821 Simple Mail Transfer Protocol ietf.org RFC 918 POST OFFICE PROTOCOL ietf.org RFC 937 POST OFFICE PROTOCOL - VERSION 2 ietf.org RFC 974 Mail Routing and the Domain System ietf.org RFC 1081 Post Office Protocol - Version 3 ietf.org RFC 1123 Simple Mail Transfer Protocol v2 ietf.org RFC 1869 SMTP Service Extensions ( esmtp ) ietf.org RFC 1939 Post Office Protocol - Version 3 (STD 53) ietf.org RFC 1957 Some Observations on Implementations of the Post Office Protocol (POP3) ietf.org RFC 2033 Local Mail Transfer Protocol ietf.org RFC 2192 IMAP ietf.org RFC 2195 IMAP/POP AUTHorize Extension for Simple Challenge/Response ietf.org RFC 2246 TLS Protocol version 1.0 ietf.org RFC 2384 POP URL Scheme ietf.org RFC 2449 POP3 Extension Mechanism ietf.org RFC 2487 SMTP Service Extension for Secure SMTP over TLS ietf.org RFC 2476 Message Submission ietf.org RFC 2554 SMTP Auth ietf.org RFC 2595 Using TLS with IMAP, POP3 and ACAP ietf.org RFC 2821 SMTP ietf.org RFC 3206 The SYS and AUTH POP Response Codes ietf.org RFC 4346 TLS - Transport Layer Security ietf.org RFC 4422 SASL - Simple Authentication and Security Layer ietf.org RFC 4954 SMTP Service Extension for Authentication ietf.org RFC 5034 The Post Office Protocol (POP3) Simple Authentication and Security Layer (SASL) Authentication Mechanism Port Number Service/Function 20 ftp-data 21 ftp 22 ssh 23 telnet 25 smtp 109 pop2 110 pop3 143 imap 443 Secure http ( https ) 465 Secure smtp ( smpts ) 587 Submission Agent 989 Secure ftp-data ( ftps-data ) 990 Secure ftp ( ftps-control ) 992 Secure telnet ( telnets ) 993 Secure imap ( imaps ) 995 Secure pop3 (pop3s) pop3s vs imaps wikipedia.org POP = Post Office Protocol wikipedia.org imap = Internet Message Access Protocol secure pop3 all your email is offloaded from your pop server onto your PC/laptop your emails will be spread out amongst all the various PC/laptop you used to view your email secure imap all your email remains on your imap server you can access all your past emails and new unread emails from any PC/laptop Additional SW Required for Secure POP3/IMAP OpenSSH.org OpenSSL.org STunnel.org xinetd.org Fix inetd.conf, hosts.allow/hosts.deny Linux-Sec.net/SSH SSH, SSL, SSLeay ... Linux-Sec.net/Harden hosts.allow/hosts.deny Secure POP3/IMAP Daemons Linux-Sec.net/Sniffer Sniffing pop3/imap email connections Insecure pop3/imap daemons can be wrapped w/ SSL, ssh, stunnel or SSLwrap to make it more secure LinuxDocs.org Securing POP3 Over SSL ( RH-7.x ) SharkySoft.com Securing POP3 Over SSL Stunnel + pop3/imap stunnel.org encrypting existing services OctalDream.com Wrapping POP/IMAP/SMTP stunnel SysDesign.ca pop3 + stunnel chimera.co.nz pop3 + stunnel dbmail.org pop3/imap + stunnel Common pop3 - imap daemons apop == dont use in.pop3d == dont use SSLpop and SSLimap fetchmail OpenWall.com popa3d eudora.com qpopper QualComm.com Qpopper4 ( pop3/imap ) Washington.edu ftp.cac.washington.edu/imap Washington.edu imap + ssl Courier-mta.org Courier-mta.org pop3s ubuntu.com courier qmailrocks.org rh qmailrocks.org slackware cyrusimap.web.cmu.edu cyrusimap.web.cmu.edu imape + cyrus - sendmail/postfix/exim4 faqs.org cyrus imap howto ubuntu.com cyrus delouw.ch postfix + cyrus Dovecot.org supports pop3, pop3s, imap, imaps dovecot.org Security + 1000eu offer wiki.dovecot.org Main Config wiki.dovecot.org Quick Config wiki.dovecot.org/Migration dovecot.org init.d/rc.dovecot script wiki.dovecot.org SSL vs TLS wiki.dovecot.org PAM Unbuntu.com dovecot server ubuntu.com dovecot ubuntu.com dovecot + ldap qmail.jms1.net dovecot vmadmin.co.uk pop3(s) imap(s) + iptables domas.org dovecot + postfix centos.org dovecot + postfix w/ tls FreeBSDDiary.com jth.net gnu-pop3d + postfix pop3vscan.sourceForge.net p3scan.sourceforge.net cpan.org pop3 + sslwrapper Qmail.org vpopmail - pwd-less virtual pop3 accts ?? VergeNet.net Perdition Secure POP3/IMAP4 Testing Secure POP3 Servers Linux-Sec.net/Sniffer Sniffing pop3/imap email connections imapwiki.org IMAP Server compliancy status LinuxMail.info testing pop3 with telnet vanemery.com testing pop3s with openssl /usr/bin/pop3test localhost:pop3 Tests that loginID and passwd is working properly type "quit" to exit the telnet test telnet localhost 110 -- regular POP3 should work telnet localhost 143 -- regular IMAP should work Telnet into a secure Server will fail due to wrong protocol telnet localhost 993 -- secure POP3s fails telnet localhost 995 -- secure IMAPs fails Test with openssl or ssl-capable clients openssl s_client -connect $HOST:$PORT stunnel -c -r 1.2.3.4:995 Use a SSL-capable client to do further Secure POP3/Secure IMAP testing netscape, mozilla, pine, mutt(?), MS outlook, ... Brute Force Testing POP3 passwd Hoobie.net Brutus SparkleWare.com Entry Hydra Configuring Secure POP3 Clients -- Linux Use Netscape/Mozilla email clients w/ SSL enabled Secure POP3 from remote POP servers tLDP.org SecurePOP + SSH ssh -C -f popserver -L 11110:popserver:110 sleep 5 ssh -q -L 4025:SMTP_MailServer:25 4110:POP3_Server:110 user@POP3_Server telnet localhost 11110 Qref.SourceForge.net POP3 Port Forwarding This is a secure way to make connections to SMTP/POP3 servers over the Internet ssh -q -L 4025:remote-server:25 4110:remote-server:110 username@remote-server PPPL.gov stuff Redhat.com SSH Port Forwarding Secure IMAP over ssh ssh -q -L 3000:localhost:143 Imap_Server.domain.com Redhat.com SSH + imapd Configuring Secure POP3 Clients -- MS Windoze Auth.gr in greek but look at the MS pics anyway Microsoft.com How to fix 110 vs pop3s issue

Linux-Consulting.com == Linux-Consulting.org

ISO9660.org

BSD-Consulting.org == UNIX-Consulting.org

Hardware Products/Solutions gigEnn.net NetworkNightmare.net Custom-Chassis.net Linux-1U.net ITX-Blades.net 1U-Raid5.org Mini-Box.net

Infrastructure Consulting WanSim.net IPv6-Cloud.org Linux-Backup.net Linux-Boot.net Linux-VOIP.net Linux-Video.net C-J-K.net

Security Consulting Linux-Security.net Encrypted-Email.net Packet-Craft.net Linux-Wireless.net

Legalese Contact Legal

Copyright © 2000	Linux-Consulting	All Rights Reserved.	Updated: Sun Aug 19 23:19:58 2012 PDT