[lug] fetchmail

John Hernandez John.Hernandez at noaa.gov
Tue Jul 3 09:47:53 MDT 2001


"D. Stimits" wrote:
> 
> "D. Stimits" wrote:
> >
> > I'm going to install fetchmail to download but not delete messages, as a
> > general backup mechanism (since NS has hosed my mail twice in the last
> > month or so) on two machines. The rpm files I downloaded do not contain
> > an rc.d/init.d style script, and I am wondering how many people here
> > with RH start their fetchmail with such a script? If you do not want to
> > poll for mail, but only download when you specifically want to, do you
> > just run a command line for fetchmail to retrieve once? Do you run
> > fetchmail as root (which seems to imply fetchmail will change its euid
> > to the particular user it downloads as)?
> >
> > D. Stimits, stimits at idcomm.com
> 
> Ouch! I just found something I really don't like about fetchmail. If you
> save the pass, it puts it in plain text in .fetchmailrc. Root is the
> only user that has any hope of hiding the pass, and I still dislike
> plain text passes since root can make mistakes or get root kit'd. Is
> there a better (more secure) email retrieval system out there?
> 
> D. Stimits, stimits at idcomm.com

I can't think of a system that would offer any protection in the event that your machine gets root'ed.  At that point, your remote POP3 password is probably just one of many larger concerns.

In order to automate a procedure that requires a password, it will need to be stored somewhere.  Maybe you can set up a trust using PKI and ssh.  There again, a stolen key will compromise your system.  If security is a high enough priority, you can probably devise some method of POP'ing manually immediately before running NS.  But if convenience is high on your wish list, security will probably suffer a bit.

-- 

  - John Hernandez - Network Engineer - 303-497-6392 -
 |  National Oceanic and Atmospheric Administration   |
 |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
  ----------------------------------------------------
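
The trade-off discussed in this thread (a password stored for automation has to sit in a file somewhere) can at least be checked on the local machine. The following is an added example, not part of the original messages and not fetchmail's own code: a shell function with the hypothetical name `audit_fetchmailrc` that reports whether an rc file stores a password and whether group or other users can reach it. The host and account in the demo are constructed.

```shell
#!/bin/sh
# audit_fetchmailrc FILE  (hypothetical helper name, not part of fetchmail)
# Return: 0 = no password stored, 1 = stored, owner-only access,
#         2 = stored and accessible to group/other, 3 = file missing.
audit_fetchmailrc() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 3; }

    # Drop comments, then look for fetchmail's "password" keyword
    # (also accepted in its short form "pass").
    if ! sed 's/#.*//' "$f" | grep -Eq '(^|[[:space:]])pass(word)?[[:space:]]'; then
        echo "ok: $f stores no password; fetchmail must get it elsewhere," \
             "for example by prompting"
        return 0
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "EXPOSED: $f stores a password and has group/other bits '$bits'"
        return 2
    fi

    echo "stored: $f holds a plaintext password, owner-only;" \
         "root and anything that reads backups can still see it"
    return 1
}

# Constructed demo: a throwaway rc file with a made-up account.
demo=$(mktemp)
printf 'poll mail.example.org proto pop3 user "alice" password "constructed" keep\n' > "$demo"
chmod 644 "$demo"
audit_fetchmailrc "$demo" || echo "status: $?"
rm -f "$demo"
```
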


