From 4bc6798150159e7bb5caf1435c7806a9b4e438dd Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Wed, 1 Oct 1997 13:43:23 +0000 Subject: Added G8. svn path=/trunk/; revision=1456 --- fetchmail-FAQ.html | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 3 deletions(-) (limited to 'fetchmail-FAQ.html') diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5c58d32f..e2d90ff8 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 1997/10/01 04:00:27 $ +$Date: 1997/10/01 13:43:23 $

Frequently Asked Questions About Fetchmail

@@ -32,6 +32,7 @@ mail it to fetchmail's maintainer, Eric S. Raymond, at G5. Is there a mailing list for exchanging tips?
G6. So, what's this I hear about a fetchmail paper?
G7. What is the best server to use with fetchmail?
+G8. How can I avoid sending my password en clair?

Build-time problems:

@@ -275,6 +276,78 @@ href="http://www.imap.org"> The IMAP Connection; we like the freeware UW IMAP and Cyrus products. UW IMAP is the reference implementation of IMAP.

+


+

G8. How can I avoid sending my password en clair?

+ +Depending on what your mail server you are talking to, this ranges +from trivial to impossible. It may even be next to useless.

+ +Most people use fetchmail over phone wires, which are hard to tap. +Anybody with the skill and resources to do this could get into your +server mailbox with much less effort by subverting the server host. +So if your provider setup is modem wires going straight into a service +box, you probably don't need to worry.

+ +In general there is little point in trying to secure your fetchmail +transaction unless you trust the security of the server host you are +retrieving mail from. Your vulnerability is more likely to be an +insecure local network on the server end (e.g. somebody with a TCP/IP +packet sniffer intercepting Ethernet traffic between the modem +concentrator you dial in to and the mailserver host).

+ +Having realized this, you need to ask whether password encryption +alone will really address your security exposure. If you think you +might be snooped, it's better to use end-to-end encryption on your +whole mail stream so none of it can be read. One of the advantages of +fetchmail over conventional SMTP-push delivery is that you may be able +to arrange this by using ssh(1); see C4.

+ +If ssh/sshd isn't available, or you find it too complicated for you to +set up, password encryption will at least keep a malicious cracker +from deleting your mail, and require him to either tap your connection +continuously or crack root on the server in order to read it.

+ +You can deduce what encryptions your mail server has available by +by looking at the server greeting line (and, for IMAP, the +response to a CAPABILITY query). Do a fetchmail -v +to see these, or telnet direct to the server port (110 for POP3, 143 for +IMAP).

+ +The facility you are most likely to have available is APOP. This is a +POP3 feature supported by many servers. If you see something in the +greeting line that looks like an angle-bracket-enclosed Internet +address with a numeric left-hand part, that's an APOP challenge (it +will vary each time you log in). You can register a secret on the +host (using popauth(8) or some program like it). Specify +the secret as your password in your .fetchmailrc; it will be used to +encrypt the current challenge, and the encrypted form will be sent +back the the server for verification.

+ +Alternatively, you may have Kerberos available. This may require you +to set up some magic files in your home directory on your client +machine, but means you can omit specifying any password at all.

+ +Fetchmail supports two different Kerberos schemes. One is a +POP3 variant called KPOP; consult the documentation of your mail +server to see if you have it (one clue is the string "krb-IV" in the +greeting line on port 110). The other is an IMAP facility described +by RFC1731. You can tell if this one is present by looking for +AUTH=KERBEROS_V4 in the CAPABILITY response.

+ +If you are fetching mail from a CompuServe POP3 account, you can use +their RPA authentication (which works much like APOP). See T7 for details.

. + +Your POP3 server may have the RFC1938 OTP capability to use one-time +passwords. To check this, look for the string "otp-" in the greeting +line. If you see it, and your fetchmail was built with OPIE support +compiled in (see the distribution INSTALL file), fetchmail will +detect it also. When using OTP, you will specify a password but it +will not be sent en clair.

+ +Sadly, there is at present (October 1997) no OTP or APOP-like facility +generally available on IMAP servers.

+


B1. I get link failures when I try to build fetchmail.
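Review bot: the new G8 text carries several wording defects that should be fixed before this lands: "Depending on what your mail server you are talking to" (drop "what"), "by by looking at the server greeting line" (doubled word), "sent back the the server" (should read "to the server"), and the stray "." line that precedes the OTP paragraph. On substance, the APOP paragraph says the secret is used to "encrypt the current challenge"; APOP is a challenge-response scheme in which the client returns a hash of the challenge and the secret, so "hash" is the accurate word, and since the server must hold that registered secret in a usable form to verify the response, a compromised server host exposes it, which is exactly the exposure the earlier paragraphs warn about and is worth stating here. The sentence claiming that password protection "will at least keep a malicious cracker from deleting your mail" also deserves a qualifier: APOP and OTP protect only the authentication exchange, while the rest of the POP3 session, including the messages themselves, still travels in the clear, which is why the ssh advice in the preceding paragraph (and C4) remains the real mitigation.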

@@ -609,7 +682,7 @@ preconnect "ssh -f -L 1234:mailhost:110 sshdhost sleep 20 /dev/null" You can work this trick with IMAP too, but the port number 110 in the above would need to become 143.

-Second, a recipe frm Charlie Brady <cbrady@ind.tansu.com.au>. +Second, a recipe from Charlie Brady <cbrady@ind.tansu.com.au>:

Charlie says: "The [previous] recipe certainly works, but the solution I post here is better in a few respects": @@ -1465,7 +1538,7 @@ will look right.

Back to Fetchmail Home Page To Site Map -$Date: 1997/10/01 04:00:27 $ +$Date: 1997/10/01 13:43:23 $

Eric S. Raymond <esr@snark.thyrsus.com>