[NCLUG] Stamping out clear-text passwords (was Re: webhosting question)
John L. Bass
jbass at dmsd.com
Wed Oct 16 09:22:21 MDT 2002
I forgot to say this is very easy on later RedHat systems:
[root@mybox root]# chkconfig imaps on
[root@mybox root]# chkconfig pop3s on
[root@mybox root]# chkconfig imap off
[root@mybox root]# chkconfig ipop2 off
[root@mybox root]# chkconfig ipop3 off
[root@mybox root]# chkconfig --list | egrep "imap|pop"
imap: off
imaps: on
ipop2: off
ipop3: off
pop3s: on
Then enable SSL encryption in the mail reader client. In the Mozilla mail reader that is:
edit -> "Mail & Newsgroups Account Settings",
then in the "Server Settings" box, check "Use secure connection (SSL)"
John
If the other end is a Linux/FreeBSD/Unix server with the SSL libraries, the
easiest thing is to enable POP3/IMAP with SSL to solve the clear text problems.
Just as a number of shops have dropped ftp/telnet for clear text password
security problems, the same should be true of POP3/IMAP.
John
<embarrassed admission>I've been using ssh & sftp exclusively for a while
now, quite smugly, and never even thought of the authentication step in
POP3.</embarrassed admission>
So, how does one tunnel POP3 through ssh? And what about on
Windows/MSOutlook, do I have *any* secure options there?
--Rich
On 15 Oct 2002, Chris Riddoch wrote:
> I'd like to take this moment to mention that Peak to Peak only allows
> you to use FTP to upload pages to your web space, and only provides
> POP3 for pulling down email from their server, both of which send your
> passwords in the clear.
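
An added example, not part of the original thread: a small audit that reads a `chkconfig --list` listing and flags any clear-text mail service still enabled. It assumes the "name: on|off" line format and the service names shown in the listing above; the function name, the finding labels and the second sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: xinetd-style listing lines of the form "name: on|off".

# Reads a `chkconfig --list` listing on stdin, prints one finding per line.
# Returns 1 if a clear-text mail service is enabled, 0 otherwise.
audit_mail_services() {
    awk '
        /^[ \t]*[A-Za-z0-9_-]+:[ \t]*(on|off)[ \t]*$/ {
            line = $0
            gsub(/[ \t]/, "", line)          # tolerate tabs and padding
            split(line, part, ":")
            name = part[1]; state = part[2]
            if (name == "imap" || name == "ipop2" || name == "ipop3") {
                # password crosses the wire unencrypted
                if (state == "on") { print "CLEARTEXT-ENABLED " name; bad = 1 }
            } else if (name == "imaps" || name == "pop3s") {
                if (state == "on") secure = 1
                else print "SSL-DISABLED " name
            }
        }
        END {
            # informational only: users have no encrypted way to fetch mail
            if (!secure) print "NO-SSL-MAIL-SERVICE"
            exit (bad ? 1 : 0)
        }
    '
}

# The listing from the post (the hardened state).
SAMPLE_HARDENED='imap: off
imaps: on
ipop2: off
ipop3: off
pop3s: on'

# Constructed listing: clear-text POP3 left on, SSL variants never enabled.
SAMPLE_WEAK='imap: off
imaps: off
ipop2: off
ipop3: on
pop3s: off'

for sample in "$SAMPLE_HARDENED" "$SAMPLE_WEAK"; do
    if printf '%s\n' "$sample" | audit_mail_services; then
        echo "PASS: no clear-text mail service enabled"
    else
        echo "FAIL: clear-text mail service enabled"
    fi
done
```

On a live system the same function can be fed directly with `chkconfig --list | audit_mail_services`.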