OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: POP3 Security Issues

Re: POP3 Security Issues

Nicholas Brawn (ncbokugi.com)
Wed, 2 Dec 1998 19:33:27 -0600 (CST)

On Wed, 2 Dec 1998, Doug Hughes wrote:
> Jason Axley wrote:
> >
> >As for Nicholas Brawn's question about other clients (including
> >fetchmail), I don't know of any, but I haven't looked. Did you roll
> >the SSL into qpopper yourself, or are patches readily available for
> >that? Does it use SSLeay? I'm interested!

I must have missed Jason's earlier email. Yes it does use SSLeay, I wrote
the patches myself, and best of all - i'm not located in the US. :)

[snip]
> I'm interested in the SSL -> qpopper integration as well. I hadn't seen
> this before.

The current implemenation of mine is very "hacky". I initially set it up
so that the server listens for incoming SSL connections, and failing that,
switches to a non-SSL connection. The problem with that is that it
requires the mail clients/retrievers to effectively "test" the server.
However we want the server to be smart, not the client. My current version
runs in either SSL or non-SSL mode, and displays something along the lines
of "Non-SSL connections are not allowed" before disconnecting when someone
tries to retrieve mail over a non-SSL connection.

>
> --
> ____________________________________________________________________________
> Doug Hughes Engineering Network Services
> System/Net Admin Auburn University
> dougeng.auburn.edu

Cheers,
Nick

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:12:10 CDT