-rw-r--r-- | fetchmail-FAQ.html | 55 |
1 files changed, 35 insertions, 20 deletions
diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5288500f..182a6ccd 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@ <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2000/03/02 08:32:04 $ +<td width="30%" align=right>$Date: 2000/03/04 00:13:09 $ </table> <HR> <H1>Frequently Asked Questions About Fetchmail</H1> @@ -437,9 +437,10 @@ delivery is that you may be able to arrange this by using ssh(1); see <a href="#K3">K3</a>.<P> Note that ssh is not a complete privacy solution either, as your mail -could have been snooped in transit to your POP server. For best -security, agree with your correspondents to use a tool such as GPG -(Gnu Privacy Guard) or PGP (Pretty Good Privacy).<P> +could have been snooped in transit to your POP server from wherever it +originated. For best security, agree with your correspondents to use +a tool such as GPG (Gnu Privacy Guard) or PGP (Pretty Good +Privacy).<P> If ssh/sshd isn't available, or you find it too complicated for you to set up, password encryption will at least keep a malicious cracker 
@@ -1753,32 +1754,46 @@ Now just use localhost:1234 to access your POP server.<P> <h3>Multi-User IMAP</h3> This is the preferred method. It comes to us from Joerg Dorchain. -He writes:<p> +The basic idea is to set up a bidirectional encrypted socket connection:<p> -I have set up a special ssh-identity with no password and RSA-only -authentication, which executes /usr/sbin/imapd when authenticated (for -security reasons exeverything else, i.e. other commands, escape chars, -..., are disabled). The imapd I use sees that it is not running as -root and goes into preauthenticated mode. The only magic to to is have -fetchmail talk to stdin of of ssh-command. This goes via the plugin -keyword. In practise, this looks as follows: +<pre> +fetchmail <--> ssh <---> sshd <--> imapd + \---local side--/ \-remote side-/ +</pre> + +Use ssh-keygen(1) to set up a special ssh identity with no password +and RSA-only authentication, which executes /usr/sbin/imapd when +authenticated. For security reasons all other commands should be +disabled. (There is some security exposure in using an identity +without a passphrase; it means anyone who can get access to your +account could use it to read your mail).<p> + +Running ssh-keygen will generate two files. Have it create the +private key to ~/.ssh/identity-imap. Once you have generated the +corresponding public key, prepend this to the line of key data in it: <pre> -poll mail.dorchain.net options proto imap plugin fetchmail-imap-wrapper +command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding </pre> -The wrapper script looks like this:<p> +This identity data has to be appended to ~/.ssh/authorized_keys on the +remote machine, as usual for RSA authentication. Whenever your ssh +uses this identity, the remote side will run imapd. The imapd will +see that it is not running as root and go into preauthenticated +mode.<p> + +On the client side, use the <code>plugin</code> keyword to make +fetchmail talk to the stdin of the remote ssh. 
Here's an examople: <pre> -#!/bin/sh -exec ssh -i $HOME/.ssh/identity-imap $1 /usr/sbin/imapd +poll mail.dorchain.net options proto imap plugin fetchmail-imap-wrapper </pre> -This gives a bidirectional socket connection:<p> +The wrapper script should look like this:<p> <pre> -fetchmail <--> ssh <---> sshd <--> imapd - \---local side--/ \---remote side/ +#!/bin/sh +exec ssh -i $HOME/.ssh/identity-imap $1 /usr/sbin/imapd </pre> <hr> @@ -2652,7 +2667,7 @@ terminate it.<p> <table width="100%" cellpadding=0><tr> <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a> <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a> -<td width="30%" align=right>$Date: 2000/03/02 08:32:04 $ +<td width="30%" align=right>$Date: 2000/03/04 00:13:09 $ </table> <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com"><esr@snark.thyrsus.com></A></ADDRESS> |
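Review bot: In the @@ -1753,32 +1754,46 @@ hunk, the authorized_keys options `command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding` do not deliver what the surrounding prose promises ("For security reasons all other commands should be disabled"): they still allow X11 forwarding and pty allocation, and the passphrase-less key is accepted from any client host. Suggest `command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,from="CLIENT-HOST"` (placeholder hostname), which also restores the point dropped from Joerg Dorchain's original wording that escape characters and everything else besides imapd are disabled. Three smaller points in the same hunk: "Here's an examople" should read "Here's an example"; the step "Once you have generated the corresponding public key" reads as if a second ssh-keygen run were needed, whereas the preceding sentence already says a single run produces both files, so it should simply say the options are prepended to the one line of key data in the public-key file; and in the wrapper `exec ssh -i $HOME/.ssh/identity-imap $1 /usr/sbin/imapd` the trailing `/usr/sbin/imapd` is superseded by the forced `command=` on the remote side, so either drop it or say in the text that the forced command is what actually runs, and quote the host argument as `"$1"`.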