qpopper with APOP

The Post Office Protocol (POP) can be used to obtain your mail from a
remote server.  Mail can be delivered to a central location and everyone retrieves
their mail from that box.  This is fine over a trusted network (e.g. your home LAN).
But over an untrusted network (e.g. the Internet), this is unsuitable, because the
password is transferred in clear text.  APOP eliminates the clear text password issue by
using a shared secret.

I’ll show how I installed qpopper and then set up the APOP

You will need an APOP capable client.


Since I have the entire ports tree installed, all I needed
to do was:

make install

Then I added the following line to /etc/inetd.conf:

pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s

Then I restarted inetd:

killall -HUP inetd

The APOP database

I started reading man qpopauth.  Guessing, I did the
following steps:

# qpopauth -init
# qpopauth -user dan
Changing only APOP password for dan.
New password:
Retype new password:
# qpopauth -list ALL

The password I set above is what is known as the "shared secret".  
That’s what you set in your APOP client.
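
How the shared secret is used on the wire, as an added example (not code from qpopper or from this article): the server sends a fresh timestamp in its greeting, the client answers with an MD5 digest of that timestamp plus the secret, and the server recomputes the digest from its own copy. The function names are hypothetical; the sample greeting, user and secret are the ones from the APOP example in RFC 1939.

```python
import hashlib
import hmac
import re

# Timestamp banner in the POP3 greeting: <process-ID.clock@hostname> (RFC 1939)
BANNER_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def extract_banner(greeting: str) -> str:
    """Return the <...> timestamp from a +OK greeting; raise if APOP is not offered."""
    if not greeting.startswith("+OK"):
        raise ValueError("not a positive POP3 greeting")
    match = BANNER_RE.search(greeting)
    if match is None:
        raise ValueError("no timestamp in greeting: server does not offer APOP")
    return match.group(0)

def apop_digest(banner: str, secret: str) -> str:
    """MD5 over the banner (angle brackets included) followed by the shared secret."""
    return hashlib.md5((banner + secret).encode("utf-8")).hexdigest()

def client_command(greeting: str, user: str, secret: str) -> str:
    """Client side: the secret itself never appears in the command that is sent."""
    return f"APOP {user} {apop_digest(extract_banner(greeting), secret)}"

def server_verify(banner: str, command: str, secrets: dict) -> bool:
    """Server side: recompute the digest from the stored secret and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    _, user, digest = parts
    secret = secrets.get(user)
    if secret is None:
        return False
    # Constant-time comparison of the two hex digests
    return hmac.compare_digest(apop_digest(banner, secret), digest.lower())

if __name__ == "__main__":
    # Sample values from the APOP example in RFC 1939, not from a real server
    greeting = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
    database = {"mrose": "tanstaaf"}  # stands in for the APOP database
    command = client_command(greeting, "mrose", "tanstaaf")
    print(command)
    print("accepted:", server_verify(extract_banner(greeting), command, database))
    # A captured command is useless in a later session: the banner has changed
    later = "<1897.697170999@dbc.mtview.ca.us>"
    print("replayed:", server_verify(later, command, database))
```

The server can only recompute the digest if it holds the secret itself, which is why the APOP password lives in its own database rather than in the system password file.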

NOTE: if you add a user to the database, they must use APOP. They cannot use plain POP.
If they try to use plain POP, they will be told their password is incorrect.


Don’t forget to allow qpopper access via /etc/hosts.allow.
Here’s what I added to my file. Adjust for your domain.

qpopper : .example.org allow

This will allow anyone from example.org to use qpopper. They
will still have to authenticate as usual (user id, password, shared secret).

A word of caution

APOP doesn’t secure your mail messages.  All it does is secure your
password.  Your mail message will still be downloaded in clear text.  But that’s
not really a security issue. Chances are, your mail was delivered to your mail server in
clear text too.  Only you can decide if APOP is appropriate to your location.

stunnel (added on 31 March 2001)

Felipe Gustavo de Almeida wrote in to say that stunnel encrypts
all POP data.

Have a read of this from /usr/ports/security/stunnel/pkg-descr:

The stunnel program is designed to work as SSL encryption wrapper between remote
client and local (inetd-startable) or remote server. The concept is that having non-SSL
aware daemons running on your system you can easily setup them to communicate with
clients over secure SSL channel. stunnel can be used to add SSL functionality to commonly
used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs'

WWW: http://www.stunnel.org/

popautd (added on 4 April 2001)

Rob Hudson wrote in to say:

There is an excellent article about authenticating users for mail relaying when they
check their email via POP. Complete with perl scripts, etc.

