[lug] fetchmail

John Hernandez John.Hernandez at noaa.gov
Thu Jul 5 10:01:13 MDT 2001


Write a wrapper.  Have it decrypt a file (using your steganographically hidden key method) $HOME/.uninterestingname and place the results in $HOME/.fetchmailrc (with the proper permissions).  Then call fetchmail from your app, and when control returns unlink $HOME/.fetchmailrc.  Perhaps cron 'rm -f $HOME/.fetchmailrc' to run every 5 minutes, just in case your program bails midway.

"D. Stimits" wrote:
> 
> John Hernandez wrote:
> >
> > "D. Stimits" wrote:
> > >
> > > "D. Stimits" wrote:
> > > >
> > > > I'm going to install fetchmail to download but not delete messages, as a
> > > > general backup mechanism (since NS has hosed my mail twice in the last
> > > > month or so) on two machines. The rpm files I downloaded do not contain
> > > > an rc.d/init.d style script, and I am wondering how many people here
> > > > with RH start their fetchmail with such a script? If you do not want to
> > > > poll for mail, but only download when you specifically want to, do you
> > > > just run a command line for fetchmail to retrieve once? Do you run
> > > > fetchmail as root (which seems to imply fetchmail will change its euid
> > > > to the particular user it downloads as)?
> > > >
> > > > D. Stimits, stimits at idcomm.com
> > >
> > > Ouch! I just found something I really don't like about fetchmail. If you
> > > save the pass, it puts it in plain text in .fetchmailrc. Root is the
> > > only user that has any hope of hiding the pass, and I still dislike
> > > plain text passes since root can make mistakes or get root kit'd. Is
> > > there a better (more secure) email retrieval system out there?
> > >
> > > D. Stimits, stimits at idcomm.com
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> > I can't think of a system that would offer any protection in the event that your machine gets root'ed.  At that point, your remote POP3 password is probably just one of many larger concerns.
> 
> All of which is true of course. I guess I would like to be able to
> encrypt the pass with something better than xor, but not necessarily
> strong encryption (script kiddies don't usually know how to decrypt
> without a script for the particular scenario). A one-way hash is not
> what I am thinking of. Then compile the decrypt pass into the app that
> reads it, but do it in a way similar to steganography, spread it out
> such that it is hard to find even with a hex editor. wvdial has a
> similar problem, but only root runs wvdial anyway (or at least only root
> has access to /etc/wvdial.conf, or else it argues about
> running...fetchmail does not argue). What would be interesting is a
> system that changes something each time root (or any user authorized to
> fetch) logs in...a mutating key (not easy to do).
> 
> D. Stimits, stimits at idcomm.com
> 
> >
> > In order to automate a procedure that requires a password, it will need to be stored somewhere.  Maybe you can set up a trust using PKI and ssh.  There again, a stolen key will compromise your system.  If security is a high enough priority, you can probably devise some method of POP'ing manually immediately before running NS.  But if convenience is high on your wish list, security will probably suffer a bit.
> >
> > --
> >
> >   - John Hernandez - Network Engineer - 303-497-6392 -
> >  |  National Oceanic and Atmospheric Administration   |
> >  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
> >   ----------------------------------------------------

-- 

  - John Hernandez - Network Engineer - 303-497-6392 -
 |  National Oceanic and Atmospheric Administration   |
 |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
  ----------------------------------------------------
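The wrapper described at the top of this message, written out as an added example (this is not code from the original post or from the fetchmail project). It assumes the encrypted copy in $HOME/.uninterestingname was produced with `gpg --symmetric`, and that gpg can obtain the passphrase on its own (an agent or pinentry); how that passphrase is protected is exactly the problem the thread leaves open, so the wrapper only shortens the time the plaintext sits on disk, it does not remove the exposure. The four environment overrides (FETCHMAIL_RC, FETCHMAIL_RC_ENC, DECRYPT_CMD, FETCHMAIL_CMD) are my own additions so the script can be exercised without a real mailbox.

```shell
#!/bin/sh
# Added example, not from the original message: keep the plaintext
# ~/.fetchmailrc on disk only while one fetchmail run is in progress.
# Assumptions: $HOME/.uninterestingname was made with "gpg --symmetric";
# the variables read at the top of run_fetchmail_wrapped may be overridden
# from the environment (used by the self-test below, and handy for dry runs).

cleanup() {
    rm -f "$rc"
}

run_fetchmail_wrapped() {
    rc="${FETCHMAIL_RC:-$HOME/.fetchmailrc}"
    enc="${FETCHMAIL_RC_ENC:-$HOME/.uninterestingname}"
    decrypt="${DECRYPT_CMD:-gpg --quiet --decrypt}"
    fetchmail="${FETCHMAIL_CMD:-fetchmail}"

    umask 077                    # anything this function creates is owner-only
    trap cleanup EXIT            # remove the plaintext even if we die midway
    trap 'exit 1' INT TERM HUP   # turn a signal into an exit so the EXIT trap fires
    cleanup                      # drop a stale copy left behind by an earlier crash

    # Decrypt into a temp file and rename it into place, so a half-written
    # rc is never visible under the final name.
    tmp=$(mktemp "$rc.XXXXXX") || return 1
    if ! $decrypt "$enc" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp"             # fetchmail refuses an rc file that others can read
    mv "$tmp" "$rc" || { rm -f "$tmp"; return 1; }

    if $fetchmail "$@"; then status=0; else status=$?; fi
    cleanup                      # do not rely on the EXIT trap alone
    return $status
}

# When saved as fetchmail-wrapper.sh and run directly, pass all arguments on to fetchmail.
[ "${0##*/}" = "fetchmail-wrapper.sh" ] && run_fetchmail_wrapped "$@"
```

The trap plus the explicit `cleanup` at the end cover the "program bails midway" case without needing the five-minute cron job, although the cron job still helps if the machine loses power with the plaintext on disk. The `chmod 600` is not just hygiene: fetchmail checks the mode of its rc file and declines to run if it is group- or world-readable.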