qpopper with APOPThe Post Office Protocol (POP) can be used to obtain your mail from a remote server. Mail can be delivered to a central location and everyone retrieves their mail from that box. This is fine over a trusted network (e.g. your home LAN). But over an untrusted network (e.g. the Internet), this is unsuiteable. The password is transferred in clear text. APOP elminates the clear text password issue by using a shared secret.
I’ll show how I installed qpopper and then set up the APOP database.
You will need an APOP capable client.
InstallSince I have the entire ports tree installed, all I needed to do was:
/usr/ports/mail/qpopper make install
Then I added the following line to /etc/inetd.conf:
pop3 stream tcp nowait root /usr/local/libexec/qpopper qpopper -s
Then I restarted inetd:
killall -HUP inetd
The APOP databaseI started reading man qpopauth. Guessing, I did the following steps:
# qpopauth -init
# qpopauth -user dan
Changing only APOP password for dan.
Retype new password:
# qpopauth -list ALL
dan: APOP SCRAM
The password I set above is what is known as the "shared secret". That’s what you set in your APOP client.
NOTE: if you add a user to the database, they must use APOP. They cannot use plain POP. If they try to use plain POP, they will be told their password is incorrect.
Don’t forget to allow qpooper access via /etc/hosts.allow. Here’s what I added to my file. Adjust for your domain.
qpopper : .example.org allow
This will allow anyone from example.org to use qpopper. They will still have to authenticate as usual (user id, password, shared secret).
A word of cautionAPOP doesn’t secure your mail messages. All it does is secure your password. Your mail message will still be downloaded in clear text. But that’s not really a security issue. Chances are, your mail was delivered to your mail server in clear text too. Only you can decide if APOP is appropriate to your location.
stunnel (added on 31 March 2001)Felipe Gustavo de Almeida wrote in to say that stunnel encrpts all POP data.
Have a read of this from /usr/ports/security/stunnel/pkg-descr:
The stunnel program is designed to work as SSL encryption wrapper between remote client and local (inetd-startable) or remote server. The concept is that having non-SSL aware dae- mons running on your system you can easily setup them to communicate with clients over secure SSL channel. stunnel can be used to add SSL functionality to commonly used inetd daemons like POP-2, POP-3 and IMAP servers without any changes in the programs' code.
popautd (added on 4 April 2001)Rob Hudson wrote in to say:
There is an excellent article about authenticating users for mail relaying when they check their email via POP. Complete with perl scripts, etc.