author | Eric S. Raymond <esr@thyrsus.com> | 1997-10-01 13:43:23 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 1997-10-01 13:43:23 +0000 |
commit | 4bc6798150159e7bb5caf1435c7806a9b4e438dd (patch) | |
tree | fd1eaa5fba7688381741bae4ed975a04bcf0e453 | |
parent | 6d92028c14b2e3d467432d629b99a8d40ee4fb8f (diff) | |
download | fetchmail-4bc6798150159e7bb5caf1435c7806a9b4e438dd.tar.gz fetchmail-4bc6798150159e7bb5caf1435c7806a9b4e438dd.tar.bz2 fetchmail-4bc6798150159e7bb5caf1435c7806a9b4e438dd.zip |
Added G8.
svn path=/trunk/; revision=1456
-rw-r--r-- | fetchmail-FAQ.html | 79 |
1 files changed, 76 insertions, 3 deletions
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5c58d32f..e2d90ff8 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@ <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 1997/10/01 04:00:27 $ +<td width="30%" align=right>$Date: 1997/10/01 13:43:23 $ </table> <HR> <H1>Frequently Asked Questions About Fetchmail</H1> @@ -32,6 +32,7 @@ mail it to fetchmail's maintainer, Eric S. Raymond, at <a href="#G5">G5. Is there a mailing list for exchanging tips?</a><br> <a href="#G6">G6. So, what's this I hear about a fetchmail paper?</a><br> <a href="#G7">G7. What is the best server to use with fetchmail?</a><br> +<a href="#G8">G8. How can I avoid sending my password en clair?</a><br> <h1>Build-time problems:</h1> 
@@ -276,6 +277,78 @@ freeware UW IMAP and Cyrus products. UW IMAP is the reference implementation of IMAP.<P> <hr> +<h2><a name="G8">G8. How can I avoid sending my password en clair?</a></h2> + +Depending on what your mail server you are talking to, this ranges +from trivial to impossible. It may even be next to useless.<P> + +Most people use fetchmail over phone wires, which are hard to tap. +Anybody with the skill and resources to do this could get into your +server mailbox with much less effort by subverting the server host. +So if your provider setup is modem wires going straight into a service +box, you probably don't need to worry.<P> + +In general there is little point in trying to secure your fetchmail +transaction unless you trust the security of the server host you are +retrieving mail from. Your vulnerability is more likely to be an +insecure local network on the server end (e.g. somebody with a TCP/IP +packet sniffer intercepting Ethernet traffic between the modem +concentrator you dial in to and the mailserver host).<P> + +Having realized this, you need to ask whether password encryption +alone will really address your security exposure. If you think you +might be snooped, it's better to use end-to-end encryption on your +whole mail stream so none of it can be read. One of the advantages of +fetchmail over conventional SMTP-push delivery is that you may be able +to arrange this by using ssh(1); see <a href="#C4">C4</a>.<P> + +If ssh/sshd isn't available, or you find it too complicated for you to +set up, password encryption will at least keep a malicious cracker +from deleting your mail, and require him to either tap your connection +continuously or crack root on the server in order to read it.<P> + +You can deduce what encryptions your mail server has available by +by looking at the server greeting line (and, for IMAP, the +response to a CAPABILITY query). 
Do a <code>fetchmail -v</code> +to see these, or telnet direct to the server port (110 for POP3, 143 for +IMAP).<P> + +The facility you are most likely to have available is APOP. This is a +POP3 feature supported by many servers. If you see something in the +greeting line that looks like an angle-bracket-enclosed Internet +address with a numeric left-hand part, that's an APOP challenge (it +will vary each time you log in). You can register a secret on the +host (using <code>popauth(8)</code> or some program like it). Specify +the secret as your password in your .fetchmailrc; it will be used to +encrypt the current challenge, and the encrypted form will be sent +back the the server for verification.<P> + +Alternatively, you may have Kerberos available. This may require you +to set up some magic files in your home directory on your client +machine, but means you can omit specifying any password at all.<P> + +Fetchmail supports two different Kerberos schemes. One is a +POP3 variant called KPOP; consult the documentation of your mail +server to see if you have it (one clue is the string "krb-IV" in the +greeting line on port 110). The other is an IMAP facility described +by RFC1731. You can tell if this one is present by looking for +AUTH=KERBEROS_V4 in the CAPABILITY response.<P> + +If you are fetching mail from a CompuServe POP3 account, you can use +their RPA authentication (which works much like APOP). See <a +href="#T7">T7</a> for details.<P>. + +Your POP3 server may have the RFC1938 OTP capability to use one-time +passwords. To check this, look for the string "otp-" in the greeting +line. If you see it, and your fetchmail was built with OPIE support +compiled in (see the distribution INSTALL file), fetchmail will +detect it also. When using OTP, you will specify a password but it +will not be sent en clair.<P> + +Sadly, there is at present (October 1997) no OTP or APOP-like facility +generally available on IMAP servers.<P> + +<hr> <h2><a name="B1">B1. 
I get link failures when I try to build fetchmail.</a></h2> If you get errors resembling these<P> @@ -609,7 +682,7 @@ preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null" You can work this trick with IMAP too, but the port number 110 in the above would need to become 143.<p> -Second, a recipe frm Charlie Brady <cbrady@ind.tansu.com.au>. +Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>:<p> Charlie says: "The [previous] recipe certainly works, but the solution I post here is better in a few respects": @@ -1465,7 +1538,7 @@ will look right.<p> <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 1997/10/01 04:00:27 $ +<td width="30%" align=right>$Date: 1997/10/01 13:43:23 $ </table> <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> |
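Review bot: In the APOP paragraph of the new G8 section, "it will be used to encrypt the current challenge, and the encrypted form will be sent" describes a digest as encryption. Under RFC 1939 the client sends an MD5 digest computed over the greeting challenge followed by the shared secret, and nothing is encrypted, so "hash" or "digest" would be the accurate word here. The same paragraph tells the reader to put the secret in .fetchmailrc, where it is stored in the clear, so a sentence on keeping that file readable only by its owner belongs next to it. Copy errors in the added lines: "Depending on what your mail server you are talking to" in the first paragraph, the doubled "by" across the line break in "available by / by looking at the server greeting line", "sent back the the server" at the end of the APOP paragraph, and the stray "." after "<P>" on the line that follows the T7 link.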