[ale] What's a safe imapd / pop3d?

Michael H. Warfield mhw at wittsend.com
Sun Jan 3 13:40:24 EST 1999


Mike Kachline enscribed thusly:

> 	Guys,

> 	I would like to start running either imapd or pop3d again on one of my
> Linux machines. Could anyone recommend a (presently) secure and preferably well
> maintained daemon?

	Define secure?


	Access:

	Both imap and pop protocols are insecure in their basic form.  Both
have more secure variations, such as APOP authentication for pop.  By default,
both pop and imap send passwords in the clear.  APOP uses a password hash
instead.  Because the hash is a one-way function, you end up having to
maintain an apop password database in parallel with the regular password file.

	If you are using pop or imap clients which support SSL encryption,
you can use a package like edssl or stunnel to access popd or imapd.
Netscape, Internet Explorer, Outlook, and sundry other clients support either
pop over ssl or imap over ssl or both.  If you can use pop or imap over SSL
then do it.

	There is also a patch for fetchmail to use either imap or pop over
ssl.  That patch can be had from the North American Cryptographic Archives
at http://www.cryptography.org/cgi-bin/crypto.cgi/SSL where you will find
patch files and patched tar balls.  I did the patches and I haven't gotten
the latest version up there yet, so you may want to wait a week or so if
you want the patches to the latest fetchmail.  The latest patch I've uploaded
to the archives is for fetchmail 4.6.3.

	I've also seen where fetchmail supports pop and imap over ssh.  I've
never set this up and doubt it would be supported by any other pop or imap
enabled mail readers or clients.


	Implementation:

	There are a couple of implementations of imap and I currently use
the University of Washington variant.  I believe that's the one delivered
with RedHat.  There have been some security problems in the past, but all
have been addressed in a timely manner (couple of days or less from public
announcement of a vulnerability) so I would call it well supported.

	Make sure that you are using the latest version, in any case...

> 								Thanks,
> 									- Mike
> ============================================================================
> Michael Kachline CS, Georgia Institute of Technology
> kachline at cc.gatech.edu
> http://brightstar.gt.ed.net/kachline
> ============================================================================

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
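
The APOP exchange mentioned in the message above, as an added example that is not part of the original post. It follows RFC 1939 (MD5 over the greeting timestamp followed by the shared secret) and uses the RFC's sample user and secret; the function names and the APOP_SECRETS store are hypothetical. It shows why the server needs its own recoverable-secret database: the digest cannot be recomputed from a one-way password-file hash.

```python
import hashlib
import hmac
import re

# Hypothetical APOP secret store (sample values from RFC 1939). The server must
# hold each secret in recoverable form, separate from the regular password file.
APOP_SECRETS = {"mrose": "tanstaaf"}

# msg-id style timestamp the server puts in its +OK greeting
BANNER_RE = re.compile(r"<[^<>@\s]+@[^<>\s]+>")


def extract_timestamp(greeting: str) -> str:
    """Pull the <process.clock@host> timestamp out of the server greeting."""
    m = BANNER_RE.search(greeting)
    if m is None:
        raise ValueError("server greeting carries no APOP timestamp")
    return m.group(0)


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the timestamp (angle brackets included) followed by the secret."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


def client_command(greeting: str, user: str, secret: str) -> str:
    """What the client sends instead of USER/PASS: no cleartext password."""
    return f"APOP {user} {apop_digest(extract_timestamp(greeting), secret)}"


def server_verify(greeting: str, command: str) -> bool:
    """Recompute the digest from the stored secret; compare in constant time."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = APOP_SECRETS.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_timestamp(greeting), secret)
    return hmac.compare_digest(expected.encode(), digest.lower().encode())


if __name__ == "__main__":
    greeting = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    cmd = client_command(greeting, "mrose", "tanstaaf")
    print(cmd, "->", server_verify(greeting, cmd))
```

Because the timestamp changes with every connection, a digest captured from one session fails verification against the next greeting.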





