[lug] Securing Fetchmail

dan radom dradom at redback.com
Tue Aug 7 11:38:44 MDT 2001


Don't put your password in ~/.fetchmailrc.  It will prompt you once and only once...until you restart fetchmail.  You can also use fetchmail to pass mail directly to your MTA (procmail or the like) so you don't need a smtpd listening.

Dan

* David (dajo at frii.com) wrote:
> I am trying to secure my machine; but I want to minimise the amount of
> reading and studying I have to do.
> 
> Aside: This kind of approach (to Linux) has been discussed recently.
>        My excuse is that I have lots of work to do *using* Linux;
>        consequently my time for *configuring* Linux is limited.  Also,
>        of course, there will be others reading this, and any replies,
>        who will benefit as much as I.
> 
> So, I have an elementary firewall (courtesy RedHat) and I think that I
> understand how ipchains work.  But I know that there are gotchas, so
> how secure is it? 
> 
>        # Firewall configuration written by lokkit
>        # Manual customization of this file is not recommended.
>        # Note: ifup-post will punch the current nameservers through the
>        #       firewall; such entries will *not* be listed here.
>        :input ACCEPT
>        :forward ACCEPT
>        :output ACCEPT
>        -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
>        -A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
>        -A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
>        -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
>        -A input -s 0/0 -d 0/0 -p udp -j REJECT
> 
> I use telephone dialup to connect to my ISP, and I assume that that is
> reasonably secure, up until the moment when I am assigned an address.
> Then, I assume, my firewall gives me whatever protection it does
> against penetration of my machine via that address (hence the question
> above).
> 
> Next, I use fetchmail with a .fetchmailrc file.  So my ISP password is
> launched in the clear for the world to see.  So I started to read the
> man page for fetchmail.  Understanding all that is there, including
> understanding all the other things referred to will take me the rest
> of the week, at least.  I cannot do that, and I know that I need only
> a small part of what is there.  So I am doing this posting instead,
> hoping to bypass the eye-glazing stuff.
> 
> I thought that the -ssl option would do it for me, only to read that
> Raymond et al caution against it (!); for what is actually a very good
> reason: it does not provide protection against active attack.  Ssh
> tunnelling (whatever that is) is recommended instead.  Now I have
> started to use ssh (another "how secure is that?"), so it is working
> on my machine.  But the only information on how to do ssh tunnelling
> in the fetchmail man page is this:
> 
>        Here's  an  example configuration using ssh and the plugin
>        option.  The queries are made directly on  the  stdin  and
>        stdout  of  imapd  via ssh.  Note that in this setup, IMAP
>        authentication can be skipped.
> 
>        poll mailhost.net with proto imap:
>                plugin "ssh %h /usr/sbin/imapd" auth ssh;
>                        user esr is esr here
> 
> Well that looks pretty easy to type.  But the second line is a little
> tricky.  "Plugin" itself is ok, also the hostname parameter, but what
> is /usr/sbin/imapd?  I do not have one of those.
> 
> Also, why can IMAP (what is IMAP?) authentication be skipped?  Is it
> because ssh authentication is being used?  
> 
> Perhaps the most important question is: What is going to happen if I
> use this command?  I.e., what is not there that I am assumed to know?
> 
> Actually, I think that I am getting the idea.  The tunnel is just the
> ssh connection and then fetchmail uses that connection - right?  So I
> am back to IMAP again (no man page for imap, so is this something that
> I need to rpm-in?)
> 
> 
> Informative replies will be highly appreciated.  Security is an
> important topic, after all.  And it is true that a good number of
> people will benefit from such postings.
> 
> Thanks everyone.
> 
> dajo
> 
> P.S.  When I have got this going my next question is going to be "How
> do I secure my web browser - and, do I need to?" 8-)
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
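
Added example, not part of either poster's message: a small Python audit of run-control file contents for the two points in the reply above, a password stored in the file and delivery that still depends on a local SMTP listener because no `mda` is set. The sample file contents, host and user names and the finding codes are constructed, and the tokenizer only understands quoted strings and `#` comments, a simplification of fetchmail's real grammar.

```python
import shlex
import stat

SAMPLE_WEAK = '''\
# constructed sample: password stored in the file, delivery via local SMTP
poll mail.example.net with proto pop3
    user "alice" there with password "not-a-real-secret" is alice here
'''

SAMPLE_BETTER = '''\
# constructed sample: fetchmail prompts for the password, mail goes to procmail
poll mail.example.net with proto pop3
    user "alice" there is alice here
    mda "/usr/bin/procmail -d %T"
'''


def audit_fetchmailrc(text, mode=None):
    """Return a sorted list of finding codes for run-control file contents.

    mode is the file's st_mode (from os.stat), or None to skip that check.
    """
    findings = set()
    try:
        # The file is free-format, so tokenise it whole; '#' starts a comment.
        tokens = shlex.split(text, comments=True)
    except ValueError:
        return ["unparsed-quote"]
    words = [t.lower().rstrip(";,:") for t in tokens]
    for i, word in enumerate(words):
        # 'pass' is the short form of the 'password' keyword.
        if word in ("password", "pass") and i + 1 < len(words):
            findings.add("password-in-file")  # never echo the value itself
    if "mda" not in words:
        # Without an mda, fetchmail hands mail to an SMTP listener.
        findings.add("no-mda-needs-smtp-listener")
    # Added hygiene check: any group or other permission bit on the file.
    if mode is not None and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.add("group-or-other-access")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("better", SAMPLE_BETTER)):
        print(name, audit_fetchmailrc(text, mode=stat.S_IFREG | 0o600))
```

To check a real file, pass its contents and `os.stat(path).st_mode` to `audit_fetchmailrc`.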


