From 7f63089b34ea8508e202c3f0f530d2196ccc3e43 Mon Sep 17 00:00:00 2001 From: "Eric S. Raymond" Date: Sat, 4 Mar 2000 00:13:09 +0000 Subject: Encrypted imapd support. svn path=/trunk/; revision=2781 --- fetchmail-FAQ.html | 55 ++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 20 deletions(-) (limited to 'fetchmail-FAQ.html') diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html index 5288500f..182a6ccd 100644 --- a/fetchmail-FAQ.html +++ b/fetchmail-FAQ.html @@ -10,7 +10,7 @@
Back to Fetchmail Home Page To Site Map -$Date: 2000/03/02 08:32:04 $ +$Date: 2000/03/04 00:13:09 $

Frequently Asked Questions About Fetchmail

@@ -437,9 +437,10 @@ delivery is that you may be able to arrange this by using ssh(1); see K3.

Note that ssh is not a complete privacy solution either, as your mail -could have been snooped in transit to your POP server. For best -security, agree with your correspondents to use a tool such as GPG -(Gnu Privacy Guard) or PGP (Pretty Good Privacy).

+could have been snooped in transit to your POP server from wherever it +originated. For best security, agree with your correspondents to use +a tool such as GPG (Gnu Privacy Guard) or PGP (Pretty Good +Privacy).

If ssh/sshd isn't available, or you find it too complicated for you to set up, password encryption will at least keep a malicious cracker @@ -1753,32 +1754,46 @@ Now just use localhost:1234 to access your POP server.

Multi-User IMAP

This is the preferred method. It comes to us from Joerg Dorchain. -He writes:

+The basic idea is to set up a bidirectional encrypted socket connection:

-I have set up a special ssh-identity with no password and RSA-only -authentication, which executes /usr/sbin/imapd when authenticated (for -security reasons exeverything else, i.e. other commands, escape chars, -..., are disabled). The imapd I use sees that it is not running as -root and goes into preauthenticated mode. The only magic to to is have -fetchmail talk to stdin of of ssh-command. This goes via the plugin -keyword. In practise, this looks as follows: +

+fetchmail <--> ssh <---> sshd <--> imapd
+ \---local side--/       \-remote side-/
+
+ +Use ssh-keygen(1) to set up a special ssh identity with no password +and RSA-only authentication, which executes /usr/sbin/imapd when +authenticated. For security reasons all other commands should be +disabled. (There is some security exposure in using an identity +without a passphrase; it means anyone who can get access to your +account could use it to read your mail).

+ +Running ssh-keygen will generate two files. Have it create the +private key to ~/.ssh/identity-imap. Once you have generated the +corresponding public key, prepend this to the line of key data in it:

-poll mail.dorchain.net options proto imap plugin fetchmail-imap-wrapper 
+command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding
 
-The wrapper script looks like this:

+This identity data has to be appended to ~/.ssh/authorized_keys on the +remote machine, as usual for RSA authentication. Whenever your ssh +uses this identity, the remote side will run imapd. The imapd will +see that it is not running as root and go into preauthenticated +mode.

+ +On the client side, use the plugin keyword to make +fetchmail talk to the stdin of the remote ssh. Here's an examople:

-#!/bin/sh
-exec ssh -i $HOME/.ssh/identity-imap $1 /usr/sbin/imapd
+poll mail.dorchain.net options proto imap plugin fetchmail-imap-wrapper 
 
-This gives a bidirectional socket connection:

+The wrapper script should look like this:

-fetchmail <--> ssh <---> sshd <--> imapd
- \---local side--/        \---remote side/
+#!/bin/sh
+exec ssh -i $HOME/.ssh/identity-imap $1 /usr/sbin/imapd
 

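Review bot: The key-options line `+command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding` drops restrictions that the removed text promised ("everything else, i.e. other commands, escape chars, ..., are disabled"): it does not set `no-pty` or `no-X11-forwarding`, and it does not pin the key with `from="client-host"`. Since the new parenthetical admits the identity has no passphrase, suggest `command="/usr/sbin/imapd",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,from="your.client.host"` so a stolen `~/.ssh/identity-imap` is usable only from the expected client and only to start imapd. Two smaller points in the same hunk: "make fetchmail talk to the stdin of the remote ssh" should read "local ssh", as the diagram above it places ssh on the local side and sshd on the remote side; and "examople" is a typo for "example".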
@@ -2652,7 +2667,7 @@ terminate it.

Back to Fetchmail Home Page To Site Map -$Date: 2000/03/02 08:32:04 $ +$Date: 2000/03/04 00:13:09 $

Eric S. Raymond <esr@snark.thyrsus.com>
-- cgit v1.2.3