[lug] Securing Fetchmail

dan radom dradom at redback.com
Tue Aug 7 11:43:44 MDT 2001


sorry about replying to my own messages, but i forgot to include something.  i use ssh port forwarding to access my pop.  i poll localhost port 9110 which forwards the request to another host on the local segment as my pop3d port 110.  works like a charm.  here's the ssh line...

ssh -1 -L9110:pop:110 -L 9111:pop:25 -L8080:webproxy:80 -L7326:icb:7326 dradom@ssh.redback.com



* dan radom (dradom at redback.com) wrote:
> Don't put your password in ~/.fetchmailrc.  it will prompt you once and only once...until you restart fetchmail.  you can also use fetchmail to pass mail directly to your MTA (procmail or the like) so you don't need a smtpd listening.
> 
> Dan
> 
> * David (dajo at frii.com) wrote:
> > I am trying to secure my machine; but I want to minimise the amount of
> > reading and studying I have to do.
> > 
> > Aside: This kind of approach (to Linux) has been discussed recently.
> >        My excuse is that I have lots of work to do *using* Linux;
> >        consequently my time for *configuring* Linux is limited.  Also,
> >        of course, there will be others reading this, and any replies,
> >        who will benefit as much as I.
> > 
> > So, I have an elementary firewall (courtesy RedHat) and I think that I
> > understand how ipchains work.  But I know that there are gotchas, so
> > how secure is it? 
> > 
> >        # Firewall configuration written by lokkit
> >        # Manual customization of this file is not recommended.
> >        # Note: ifup-post will punch the current nameservers through the
> >        #       firewall; such entries will *not* be listed here.
> >        :input ACCEPT
> >        :forward ACCEPT
> >        :output ACCEPT
> >        -A input -s 0/0 -d 0/0 -i lo -j ACCEPT
> >        -A input -s 216.17.128.1 53 -d 0/0 -p udp -j ACCEPT
> >        -A input -s 216.17.128.2 53 -d 0/0 -p udp -j ACCEPT
> >        -A input -s 0/0 -d 0/0 -p tcp -y -j REJECT
> >        -A input -s 0/0 -d 0/0 -p udp -j REJECT
> > 
> > I use telephone dialup to connect to my ISP, and I assume that that is
> > reasonably secure, up until the moment when I am assigned an address.
> > Then, I assume, my firewall gives me whatever protection it does
> > against penetration of my machine via that address (hence the question
> > above).
> > 
> > Next, I use fetchmail with a .fetchmailrc file.  So my ISP password is
> > launched in the clear for the world to see.  So I started to read the
> > man page for fetchmail.  Understanding all that is there, including
> > understanding all the other things referred to will take me the rest
> > of the week, at least.  I cannot do that, and I know that I need only
> > a small part of what is there.  So I am doing this posting instead,
> > hoping to bypass the eye-glazing stuff.
> > 
> > I thought that the -ssl option would do it for me, only to read that
> > Raymond et al caution against it (!); for what is actually a very good
> > reason: it does not provide protection against active attack.  Ssh
> > tunnelling (whatever that is) is recommended instead.  Now I have
> > started to use ssh (another "how secure is that?"), so it is working
> > on my machine.  But the only information on how to do ssh tunnelling
> > in the fetchmail man page is this:
> > 
> >        Here's  an  example configuration using ssh and the plugin
> >        option.  The queries are made directly on  the  stdin  and
> >        stdout  of  imapd  via ssh.  Note that in this setup, IMAP
> >        authentication can be skipped.
> > 
> >        poll mailhost.net with proto imap:
> >                plugin "ssh %h /usr/sbin/imapd" auth ssh;
> >                        user esr is esr here
> > 
> > Well that looks pretty easy to type.  But the second line is a little
> > tricky.  "Plugin" itself is ok, also the hostname parameter, but what
> > is /usr/sbin/imapd?  I do not have one of those.
> > 
> > Also, why can IMAP (what is IMAP?) authentication be skipped?  Is it
> > because ssh authentication is being used?  
> > 
> > Perhaps the most important question is: What is going to happen if I
> > use this command?  I.e., what is not there that I am assumed to know?
> > 
> > Actually, I think that I am getting the idea.  The tunnel is just the
> > ssh connection and then fetchmail uses that connection - right?  So I
> > am back to IMAP again (no man page for imap, so is this something that
> > I need to rpm-in?)
> > 
> > 
> > Informative replies will be highly appreciated.  Security is an
> > important topic, after all.  And it is true that a good number of
> > people will benefit from such postings.
> > 
> > Thanks everyone.
> > 
> > dajo
> > 
> > P.S.  When I have got this going my next question is going to be "How
> > do I secure my web browser - and, do I need to?" 8-)
> > 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
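
Added example, not part of the original thread: a small audit of a fetchmailrc for the two problems discussed above, a password kept in the file and a poll that reaches a remote host without an ssh plugin, ssl, or a forwarded localhost port. The tokenizer is a simplified assumption rather than fetchmail's own parser, the sample file is constructed, and ssl is counted only as transport encryption (the active-attack caveat quoted from the man page is not evaluated).

```python
import shlex

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample; host names and credentials are placeholders.
SAMPLE_RC = '''
poll pop.example.net proto pop3
    user "alice" pass "not-a-real-password"
poll localhost proto pop3 port 9110      # reached through ssh -L9110:pop:110
    user "alice" mda "/usr/bin/procmail"
poll mailhost.net with proto imap:
    plugin "ssh %h /usr/sbin/imapd" auth ssh;
    user esr is esr here
'''

def audit_fetchmailrc(text):
    """Return (server, finding) pairs for the text of a fetchmailrc."""
    # Simplified tokenizer: quotes and '#' comments via shlex, trailing
    # punctuation dropped. It does not implement the full rc grammar.
    tokens = [t.rstrip(":;,") for t in shlex.split(text, comments=True)]
    entries, cur, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i].lower()
        arg = tokens[i + 1] if i + 1 < len(tokens) else ""
        step = 2  # most keywords handled here take one argument
        if tok in ("poll", "skip"):
            cur = {"name": arg, "via": None, "wrapped": False, "password": False}
            entries.append(cur)
        elif cur is None:
            step = 1
        elif tok == "via":
            cur["via"] = arg
        elif tok == "plugin":
            cur["wrapped"] = True  # session runs inside the plugin command (ssh)
        elif tok in ("pass", "password"):
            cur["password"] = True
        elif tok in ("user", "username", "mda"):
            pass  # skip the argument so it is not read as a keyword
        elif tok == "ssl":
            cur["wrapped"], step = True, 1
        else:
            step = 1
        i += step
    findings = []
    for e in entries:
        if e["password"]:
            findings.append((e["name"], "password stored in the rc file"))
        if (e["via"] or e["name"]).lower() not in LOOPBACK and not e["wrapped"]:
            findings.append((e["name"], "mail session leaves the host in cleartext"))
    return findings
```

Running audit_fetchmailrc(SAMPLE_RC) flags only the first entry, once for the stored password and once for the cleartext POP3 session; the localhost:9110 entry and the ssh plugin entry pass.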


