4.7 POP and IMAP Servers

[Image: danger level four]

Internet e-mail was designed on the assumption that systems are large time-sharing machines that are up almost all the time. If a system's sendmail program could not contact the mail recipient's system, it assumed that the outage probably would be brief, so it continued trying for a few days and then gave up if unsuccessful. Now, many people receive their e-mail on their desktop systems or even on their laptops. Because either of these may be down for days or even weeks during vacations, "store and forward" mechanisms were created. These allow your e-mail to accumulate on a server that is up all the time and then be downloaded to your own system when convenient. POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are the most popular of these. Open source servers are available for Linux, open source clients are available for all popular platforms, and clients are even built into Netscape.

Post Office Protocol should not be confused with Point of Presence, also abbreviated POP, which means that a vendor, commonly an ISP, services a given city and hence has a point of presence there.


These protocols are very similar in capabilities. They suffer from the two common bugaboos: unencrypted data and an unencrypted password used to authenticate the user before mail is downloaded. Because they are TCP protocols, the solution is to wrap them with SSL or SSH. Since the servers generally run as root so that anyone's mailbox may be accessed, there is the risk that a vulnerability, such as a buffer overflow bug, could allow a remote user to become root. One solution would be to have them run set-GID to the mail group instead.

The fetchmail program has been SSL-enabled since November 1999, thanks to the work of Mike Warfield. It is a popular mail retrieval and forwarding utility. It supports POP3, IMAP, and some other protocols. Mutt, a Mail User Agent, supports SSL-wrapped IMAP too.

Netscape Navigator 4.51, Netscape Messenger 4.6+, Outlook 98/2000, Outlook Express 5, and later versions of these programs can communicate with an SSL-wrapped IMAP or POP3 server. To enable SSL-wrapping in these, simply click the "encrypt communications" button.


Running the servers set-GID to the mail group, rather than as root, limits the damage that someone could do to reading, altering, or removing everyone's mail. Those using PGP would be at risk only of their mail being removed. The IMAP server is very similar to POP but is separate code, so it will have different possible buffer overflow vulnerabilities.

The POP3 and IMAP servers support TCP Wrappers via libwrap. Unless employees need to download e-mail away from the office, either TCP Wrappers or IP Chains should be used to block access to your server from outside your organization.

To enable SSL-wrapped IMAP and POP3 on a Linux server, follow these steps:

  1. Add the services to /etc/services if not already present:

     
     imaps 993/tcp
     pop3s 995/tcp
  2. Create the following two files in the /etc/xinetd.d directory owned by root with either mode 644 or 600 (xinetd-based systems).

    imaps:

     
     # The IMAPS service allows remote users to access their
     # mail using an IMAP client with SSL support such as
     # Netscape Communicator or fetchmail.
     service imaps
     {
             socket_type     = stream
             wait            = no
             user            = root
             server          = /usr/sbin/imapsd
             log_on_success  += DURATION USERID
             log_on_failure  += USERID
             disable         = no
     }

    pop3s:

     
     # The POP3S service allows remote users to access their
     # mail using a POP3 client with SSL support such as
     # fetchmail.
     service pop3s
     {
             socket_type     = stream
             wait            = no
             user            = root
             server          = /usr/sbin/ipop3sd
             log_on_success  += USERID
             log_on_failure  += USERID
             disable         = no
     }
  3. Add the invocations to /etc/inetd.conf (inetd-based systems):

     
     imaps stream tcp nowait root /usr/sbin/tcpd sslproxy -t 3600 -p imap
     pop3s stream tcp nowait root /usr/sbin/tcpd sslproxy -t 3600 -p pop-3

    The sslproxy program (and the other components of SSL) may be downloaded from

    www.openssl.org/

    There are alternatives to SSL-wrapped POP and IMAP, including SSH-wrapped POP and KPOP which uses Kerberos. Documentation on setting up SSH-wrapped POP may be obtained from

    www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html

4.7.1 Passwords on the Command Line, Oh My!

[Image: danger level four]

A few programs, such as popclient and smbpasswd, allow you to specify passwords on the command line. These are visible to anyone on the system invoking ps.

Passwords on the command line really should not be allowed. It is recommended that the sources to these programs be obtained and this feature replaced with one that reads the password from a specified file not accessible to users other than the user invoking the program (mode 400 or 600).

In the case of popclient and similar programs, the suggestion is to remove the -p passwd flag and create a -P passwd_file flag that reads the password from the file passwd_file, which may be "-" for standard input. Typically the argument to -p is stored in a string pointer or buffer. You might have to add your own buffer, and you certainly will need to guard against buffer overflows if the program runs privileged (set-UID, set-GID, or invoked by a privileged user such as root).

For popclient, the following changes to the parsecmdline function in popclient.c will solve this problem, allowing its safe use in automated scripts. A version of the popclient source with this and other enhancements is available on the companion CD-ROM.

  1. Add a -P flag by changing

     
     while (!errflag &&
          (c = getopt(argc,argv,"23Vkvscu:p:f:o:m:n:")) != EOF) {

    to

     
     while (!errflag &&
          (c = getopt(argc,argv,"23Vkvscu:p:P:f:o:m:n:")) != EOF) {
  2. Find the line

     
     case 'p': 

    and change the two lines after it from

     
     strcpy(options->password,optarg);
     break;

    to

     
     fprintf(stderr,
       "popclient: -p disabled for security; use -P\n");
     exit(1);
  3. Then add the following case immediately following the last change disabling -p:

     
     case 'P':
              /* Uses int i and char *s, which must be declared
               * in parsecmdline. */
              if (!strcmp(optarg, "-"))
                       c = 0;  /* - is stdin. */
              else
                       c = open(optarg, 0);  /* 0 is O_RDONLY. */
              if (c < 0) {
                       perror(optarg);
                       exit(2);
              }
              i = read(c, options->password, PASSWORDLEN);
              if (c)
                       close(c);  /* Close if not stdin. */
              /* Search only the i bytes read: the buffer is not
               * NUL-terminated yet, so memchr replaces strchr. */
              if (i < 0 || i >= PASSWORDLEN
                || !(s = memchr(options->password, '\n', i))) {
                       /*
                        * i < 0: error
                        * i >= PASSWORDLEN: too long
                        * !s: missing newline
                        */
                       fprintf(stderr, "popclient: -P: "
                             "bad length %d\n", i);
                       exit(1);
              }
              *s = '\0';      /* Chop at newline. */
              break;
  4. Update the usage message by finding the line containing

     
     [-p server-password] 

    and changing that portion to

     
     [-P server-password-file] 
  5. Being perfectionists, change the line

     
     /* clean up the command line in case -p was used */ 

    to

     
     /* clean up the command line in case -P was used */ 
  6. Search for -p in popclient.1L, the man page, and make the obvious changes to document -P.

  7. Compile it via make and install (running as root) via make install.
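
The -P handling from step 3, generalized into a stand-alone function as an added example (not code from popclient or from the book): besides the length and newline checks, it refuses a password file that has any group or other permission bits, which enforces the "mode 400 or 600" rule stated earlier. The names read_password_file, try_file and demo_out are hypothetical, and the sample passwords used with them are constructed.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 on success, -1 on open/read error, -2 if the file is not a private
 * regular file, -3 if the line is too long or has no newline. "-" is stdin. */
int read_password_file(const char *path, char *buf, size_t buflen)
{
    struct stat st;
    ssize_t n;
    char *nl;
    int fd = strcmp(path, "-") ? open(path, O_RDONLY) : 0;

    if (fd < 0)
        return -1;
    /* Enforce "mode 400 or 600": no group/other permission bits at all. */
    if (fd != 0 && (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)
                    || (st.st_mode & (S_IRWXG | S_IRWXO)))) {
        close(fd);
        return -2;
    }
    n = read(fd, buf, buflen);
    if (fd != 0)
        close(fd);
    /* Search only the n bytes read; buf is not NUL-terminated yet. */
    if (n < 0 || (size_t)n >= buflen || !(nl = memchr(buf, '\n', (size_t)n))) {
        memset(buf, 0, buflen);      /* leave no partial secret behind */
        return n < 0 ? -1 : -3;
    }
    *nl = '\0';                      /* chop at newline */
    return 0;
}

char demo_out[64];                   /* scratch buffer for the demo */
/* Demo: put constructed content in a temp file with the given mode. */
int try_file(const char *content, mode_t mode, char *out, size_t outlen)
{
    char path[] = "/tmp/pwfileXXXXXX";
    int rc = -100, fd = mkstemp(path);

    if (fd < 0)
        return rc;
    if (write(fd, content, strlen(content)) >= 0 && fchmod(fd, mode) == 0)
        rc = read_password_file(path, out, outlen);
    close(fd);
    unlink(path);
    return rc;
}
```

Checking the mode with fstat() on the already-open descriptor, rather than stat() on the path, means the permissions tested belong to the same file that is then read.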


       


    Real World Linux Security Prentice Hall Ptr Open Source Technology Series
    Year: 2002
    Pages: 260
