[lug] Securing Fetchmail

David dajo at frii.com
Tue Aug 7 11:35:15 MDT 2001


I am trying to secure my machine; but I want to minimise the amount of
reading and studying I have to do.

Aside: This kind of approach (to Linux) has been discussed recently.
       My excuse is that I have lots of work to do *using* Linux;
       consequently my time for *configuring* Linux is limited.  Also,
       of course, there will be others reading this, and any replies,
       who will benefit as much as I.

So, I have an elementary firewall (courtesy RedHat) and I think that I
understand how ipchains work.  But I know that there are gotchas, so
how secure is it?

       # Firewall configuration written by lokkit
       # Manual customization of this file is not recommended.
       # Note: ifup-post will punch the current nameservers through the
       #       firewall; such entries will *not* be listed here.
       :input ACCEPT
       :forward ACCEPT
       :output ACCEPT
       -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
       -A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
       -A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
       -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
       -A input -s 0/0 -d 0/0 -p udp -j REJECT

I use telephone dialup to connect to my ISP, and I assume that that is
reasonably secure, up until the moment when I am assigned an address.
Then, I assume, my firewall gives me whatever protection it does
against penetration of my machine via that address (hence the question
above).

Next, I use fetchmail with a .fetchmailrc file.  So my ISP password is
launched in the clear for the world to see.  So I started to read the
man page for fetchmail.  Understanding all that is there, including
understanding all the other things referred to will take me the rest
of the week, at least.  I cannot do that, and I know that I need only
a small part of what is there.  So I am doing this posting instead,
hoping to bypass the eye-glazing stuff.

I thought that the -ssl option would do it for me, only to read that
Raymond et al. caution against it (!); for what is actually a very good
reason: it does not provide protection against active attack.  Ssh
tunnelling (whatever that is) is recommended instead.  Now I have
started to use ssh (another "how secure is that?"), so it is working
on my machine.  But the only information on how to do ssh tunnelling
in the fetchmail man page is this:

       Here's  an  example configuration using ssh and the plugin
       option.  The queries are made directly on  the  stdin  and
       stdout  of  imapd  via ssh.  Note that in this setup, IMAP
       authentication can be skipped.

       poll mailhost.net with proto imap:
               plugin "ssh %h /usr/sbin/imapd" auth ssh;
                       user esr is esr here

Well that looks pretty easy to type.  But the second line is a little
tricky.  "Plugin" itself is ok, also the hostname parameter, but what
is /usr/sbin/imapd?  I do not have one of those.

Also, why can IMAP (what is IMAP?) authentication be skipped?  Is it
because ssh authentication is being used?

Perhaps the most important question is: What is going to happen if I
use this command?  I.e., what is not there that I am assumed to know?

Actually, I think that I am getting the idea.  The tunnel is just the
ssh connection and then fetchmail uses that connection - right?  So I
am back to IMAP again (no man page for imap, so is this something that
I need to rpm-in?)


Informative replies will be highly appreciated.  Security is an
important topic, after all.  And it is true that a good number of
people will benefit from such postings.

Thanks everyone.

dajo

P.S.  When I have got this going my next question is going to be "How
do I secure my web browser - and, do I need to?" 8-)
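The ssh tunnel the post asks about, as an added example that is not part of the original message or of fetchmail's own documentation: instead of the man page's plugin form (which runs imapd on the mail host over ssh's stdin/stdout), it forwards a local port through ssh to imapd on the mail host and points fetchmail at that port, so the IMAP login only ever travels inside the ssh session. The host name mailhost.net, the login esr, port 143 for imapd on the mail host and local port 1143 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): poll IMAP through an ssh
# local port forward rather than the man page's stdin/stdout plugin.
# Assumptions (hypothetical): mail host "mailhost.net", remote login "esr",
# imapd listening on port 143 on the mail host, local forward port 1143.
MAILHOST="${MAILHOST:-mailhost.net}"
LOCAL_PORT="${LOCAL_PORT:-1143}"

# Write a .fetchmailrc that polls the tunnel endpoint.  "via localhost"
# keeps the real server name for logging while the TCP connection goes to
# the forwarded local port.  No password is stored here: fetchmail prompts
# for it (or reads ~/.netrc), and the IMAP login stays inside the tunnel.
write_fetchmailrc() {
    rc="$1"; user="$2"
    umask 077                      # create the file unreadable by others
    cat > "$rc" <<EOF
poll $MAILHOST via localhost port $LOCAL_PORT proto imap
        user "$user" there is "$(id -un)" here
EOF
    chmod 600 "$rc"                # fetchmail refuses a looser mode than 0710
}

# Check that the rc file is private (mode 600); fetchmail itself rejects
# a world-readable one, and the ISP password would otherwise be readable
# by any local account even though it no longer crosses the network.
rc_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Bring the tunnel up in the background (-f) with no remote command (-N):
# connections to LOCAL_PORT on this machine are carried over ssh and
# delivered to imapd on the mail host.  ssh does the user authentication;
# the IMAP password still goes to imapd, but only through the tunnel.
tunnel_up() {
    ssh -f -N -L "${LOCAL_PORT}:localhost:143" "$1@$MAILHOST"
}

# Usage: write_fetchmailrc "$HOME/.fetchmailrc" esr
#        tunnel_up esr && fetchmail -f "$HOME/.fetchmailrc"
```

The -L forward is only listening on 127.0.0.1, so the ipchains rules in the post do not need a hole for port 1143; the only outbound connection the firewall sees is the ssh session to the mail host.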



