From 3c06af14c1e40f1d859b10111d62a405c4745559 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Sat, 25 Jul 1998 17:15:16 +0000 Subject: Improved entry on GSSAPI. svn path=/trunk/; revision=2024 --- fetchmail-FAQ.html | 238 ++++++++++++++++++++++++++++++----------------------- 1 file changed, 136 insertions(+), 102 deletions(-) (limited to 'fetchmail-FAQ.html') diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index ae681705..9787d227 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 1998/07/20 18:51:59 $ +$Date: 1998/07/25 17:15:16 $

Frequently Asked Questions About Fetchmail

@@ -55,8 +55,7 @@ IP address?
C1. Why do I need a .fetchmailrc when running as root on my own machine?
C2. How can I arrange for a fetchmail daemon to get killed when I log out?
C3. How do I know what interface and address to use with --interface?
-C4. How can I get fetchmail to work with ssh?
-C5. How can I set up support for sendmail's anti-spam 571 response?
+C4. How can I set up support for sendmail's anti-spam 571 response?

How to make fetchmail play nice with other software:

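Review bot: dropping C4 and renumbering C5 to C4 means the label "C4" now denotes the sendmail 571 question instead of the ssh question it named in the previous revision, so any existing link or answer that says "see C4" now sends the reader to the wrong entry, and the hunk at -363 shows the author already had to chase one such internal reference. Since the ssh material is moved to T13 rather than deleted, consider leaving a one-line stub at C4 ("moved to T13") and keeping the 571 entry as C5, or at least say in the commit message that C4 was retired ("Improved entry on GSSAPI." does not).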
@@ -72,6 +71,8 @@ IP address?
T10. How can I use fetchmail with HP OpenMail?
T11. How can I use fetchmail with SOCKS?
T12. How can I use fetchmail with IPv6 and IPsec?
+T13. How can I get fetchmail to work with ssh?
+T14. What do I have to do to use the IMAP-GSS protocol?

Runtime fatal errors:

@@ -363,7 +364,7 @@ alone will really address your security exposure. If you think you might be snooped, it's better to use end-to-end encryption on your whole mail stream so none of it can be read. One of the advantages of fetchmail over conventional SMTP-push delivery is that you may be able -to arrange this by using ssh(1); see C4.

+to arrange this by using ssh(1); see T13.

If ssh/sshd isn't available, or you find it too complicated for you to set up, password encryption will at least keep a malicious cracker @@ -830,103 +831,7 @@ would work. To range over any value of the last two octets


-

C4. How can I get fetchmail to work with ssh?

- -We have two recipes for this. The first is a little easier to set up, -but only supports one user at a time.

- -First, a lightly edited version of a recipe from Masafumi NAKANE:

- -1. You must have ssh (the ssh client) on the local host and sshd (ssh -server) on the remote mail server. And you have to configure ssh so -you can login to the sshd server host without a password. (Refer to ssh -man page for several authentication methods.)

- -2. Add something like following to your .fetchmailrc file:

- -

-poll mailhost port 1234 via localhost with proto pop3:
-        preconnect "ssh -f -L 1234:mailhost:110 mailhost sleep 20 </dev/null >/dev/null";
-
- -(Note that 1234 can be an arbitrary port number. Privileged ports can -be specified only by root.) The effect of this ssh command is to -forward connections made to localhost port 1234 (in above example) to -mailhost's 110.

- -This configuration will enable secure mail transfer. All the -conversation between fetchmail and remote pop server will be -encrypted.

- -If sshd is not running on the remote mail server, you can specify -intermediate host running it. If you do this, however, communication -between the machine running sshd and the POP server will not be encrypted. -And the preconnect line would be like this:

- -

-preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"
-
- -You can work this trick with IMAP too, but the port number 110 in the -above would need to become 143.

- -Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>:

- -Charlie says: "The [previous] recipe certainly works, but -the solution I post here is better in a few respects": - -

- -Here are the steps: - -
    -
  1. -Make sure that the "socket" program is installed on the server -machine. Presently it lives at -ftp://sunsite.unc.edu/pub/linux/system/network/misc/socket-1.1.tar.gz, -but watch out for a change in version number.

    -

  2. -Set up an unprivileged account on your system with a .ssh directory -containing an SSH identity file "identity" with no pass phrase, -"identity.pub" and "known_hosts" containing the host key of your -mailhost. Let's call this account "noddy". -
  3. -On mailhost, set up no-password access for noddy@yourhost. Add to your -SSH authorised_keys file: - -
    -command="socket localhost 110",no-port-forwarding 1024 ......
    -
    - -where "1024 ......" is the content of noddy's identity.pub file. -
  4. -Create a script /usr/local/bin/ssh.fm and make it executable: - -
    -#! /bin/sh
    -exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
    -
    -
  5. -Add an entry in inetd.conf for whatever port you choose to use - say: - -
    -1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
    -
    -
  6. -Send a HUP signal to your inetd. -
- -Now just use localhost:1234 to access your POP server.

- -


-

C5. How can I set up support for sendmail's anti-spam 571 response?

+

C4. How can I set up support for sendmail's anti-spam 571 response?

Rachel Polanskis writes:

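Review bot: this hunk is a roughly 100-line verbatim move of the ssh recipes (the identical text reappears under T13 in the hunk at -1365) bundled into a commit whose subject is "Improved entry on GSSAPI."; the diffstat (136 insertions, 102 deletions) is dominated by the move, which buries the few dozen lines of genuinely new GSSAPI text. Suggest splitting the move into its own commit, or naming it in the commit message, so that the heading change at the tail of this hunk ("C5." becoming "C4." for the sendmail 571 entry) and the new T13/T14 text can each be reviewed on their own.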
@@ -1365,6 +1270,135 @@ http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html http://www.inner.net/ipv6 (via IPv4) +


+

T13. How can I get fetchmail to work with ssh?

+ +We have two recipes for this. The first is a little easier to set up, +but only supports one user at a time.

+ +First, a lightly edited version of a recipe from Masafumi NAKANE:

+ +1. You must have ssh (the ssh client) on the local host and sshd (ssh +server) on the remote mail server. And you have to configure ssh so +you can login to the sshd server host without a password. (Refer to ssh +man page for several authentication methods.)

+ +2. Add something like following to your .fetchmailrc file:

+ +

+poll mailhost port 1234 via localhost with proto pop3:
+        preconnect "ssh -f -L 1234:mailhost:110 mailhost sleep 20 </dev/null >/dev/null";
+
+ +(Note that 1234 can be an arbitrary port number. Privileged ports can +be specified only by root.) The effect of this ssh command is to +forward connections made to localhost port 1234 (in above example) to +mailhost's 110.

+ +This configuration will enable secure mail transfer. All the +conversation between fetchmail and remote pop server will be +encrypted.

+ +If sshd is not running on the remote mail server, you can specify +intermediate host running it. If you do this, however, communication +between the machine running sshd and the POP server will not be encrypted. +And the preconnect line would be like this:

+ +

+preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 </dev/null >/dev/null"
+
+ +You can work this trick with IMAP too, but the port number 110 in the +above would need to become 143.

+ +Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>:

+ +Charlie says: "The [previous] recipe certainly works, but +the solution I post here is better in a few respects": + +

+ +Here are the steps: + +
    +
  1. +Make sure that the "socket" program is installed on the server +machine. Presently it lives at +ftp://sunsite.unc.edu/pub/linux/system/network/misc/socket-1.1.tar.gz, +but watch out for a change in version number.

    +

  2. +Set up an unprivileged account on your system with a .ssh directory +containing an SSH identity file "identity" with no pass phrase, +"identity.pub" and "known_hosts" containing the host key of your +mailhost. Let's call this account "noddy". +
  3. +On mailhost, set up no-password access for noddy@yourhost. Add to your +SSH authorised_keys file: + +
    +command="socket localhost 110",no-port-forwarding 1024 ......
    +
    + +where "1024 ......" is the content of noddy's identity.pub file. +
  4. +Create a script /usr/local/bin/ssh.fm and make it executable: + +
    +#! /bin/sh
    +exec ssh -q -C -l your.login.id -e none mailhost socket localhost 110
    +
    +
  5. +Add an entry in inetd.conf for whatever port you choose to use - say: + +
    +1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm
    +
    +
  6. +Send a HUP signal to your inetd. +
+ +Now just use localhost:1234 to access your POP server.

+ +


+

T14. What do I have to do to use the IMAP-GSS protocol?

+ +Fetchmail can use RFC1731 GSSAPI authorization to safely identify you +to your IMAP server, as long as you can share Kerberos V credentials +with your mail host and you have a GSSAPI-capable IMAP server. +UW-IMAP (available via FTP at ftp.cac.washington.edu) +is the only one I'm aware of and the one I recommend anyway for other +reasons. You'll need version 4.1-FINAL or greater though, and it has +to have GSS support compiled in.

+ +Neither UW-IMAP nor fetchmail compile in support for GSS by default, since +it requires libraries from the Kerberos V distribution (available via FTP at +athena-dist.mit.edu +but mind the export restrictions). If you have these, compiling in GSS support +is simple: add a

--with-gssapi=[/path/to/krb5/root]
option to +configure. For instance, I have all of my kerberos V libraries installed under +/usr/krb5 so I run
configure --with-gssapi=/usr/krb5
.

+ +Setting up Kerberos V authentication is beyond the scope of this FAQ, but +you'll need to add a credential for imap/[mailhost] to the keytab of the mail +server (IMAP doesn't just use the host key). Then you'll need to have your +credentials ready on your machine (cf. kinit).

+ +After that things are very simple. Set your protocol to imap-gss in your +.fetchmailrc, and omit the password, since imap-gss doesn't need one. You +can specify a username if you want, but this is only useful if your mailbox +belongs to a username different from your kerberos principal.

+ +Now you don't have to worry about your password appearing in cleartext in +your .fetchmailrc, or across the network.

+


R1. Fetchmail's initial gethostbyname call fails on my host.

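Review bot: the two ssh recipes in T13 make a security trade-off the text leaves implicit, and recipe 1 should state it: it requires that you "can login to the sshd server host without a password" using your own account's key with no restrictions, so whoever obtains that key (or the local account running fetchmail) gets a full shell on mailhost, whereas recipe 2 pins its passphrase-less "noddy" key to `command="socket localhost 110",no-port-forwarding`, which is the right shape. Suggest telling recipe-1 readers to use ssh-agent rather than an unencrypted identity, or to restrict the key with a forced command as recipe 2 does (adding `no-pty` would tighten either). Two smaller points in the same hunk: the inetd line `1234 stream tcp nowait noddy /usr/sbin/tcpd /usr/local/bin/ssh.fm` listens on every interface, so unless hosts.allow limits the service to 127.0.0.1 any host that can reach port 1234 gets a free tunnel to mailhost's POP port (the text only says "use localhost:1234"); and in recipe 1 the `sleep 20` is doing real work, keeping ssh alive until fetchmail connects and relying on ssh staying up while a forwarded connection is active after the sleep ends, which deserves a sentence so a reader who shortens it, or whose ssh exits when the remote command does, understands why the POP session drops. In T14, "RFC1731 GSSAPI authorization" should read "authentication" (RFC 1731 defines IMAP4 authentication mechanisms, and what GSSAPI establishes here is identity); the closing sentence claims only that the password no longer crosses the network, which is accurate, but next to T13's "all the conversation ... will be encrypted" it should say explicitly whether the mailbox contents are protected as well, i.e. whether a GSSAPI security layer is negotiated, so readers do not assume imap-gss gives them T13's confidentiality; and since the credentials come from kinit, a long-running fetchmail daemon will start failing when the ticket expires, which the "After that things are very simple" paragraph should mention together with ticket lifetime or renewal.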
@@ -2052,7 +2086,7 @@ Re-ordering messages is a user-agent function, anyway.

Back to Fetchmail Home Page To Site Map -$Date: 1998/07/20 18:51:59 $ +$Date: 1998/07/25 17:15:16 $

Eric S. Raymond <esr@snark.thyrsus.com>