Securing POP3




Like SMTP, POP3 is unencrypted. Unlike SMTP, however, it requires authentication: Users have to identify themselves and prove they're who they claim to be. Unfortunately, the authentication usually consists of presenting a username and a password known only to the user and the POP3 server. Because the POP3 dialogue is unencrypted, an eavesdropper can obtain a user's username and password and reuse them to access the user's mailbox. So, plain POP3 exposes the contents of the mail messages the user retrieves, and it exposes their username and password, which can then be reused by someone else.

Wrapping the POP3 dialogue with transport-layer security such as SSL solves both of these problems. Because SSL-wrapped POP3 sessions are encrypted from beginning to end, no messages, usernames, or passwords are exposed in clear text.

The optional POP3 command APOP replaces the standard USER/PASS authentication with a challenge/response authentication mechanism. This solves the problem of the disclosure of reusable passwords, but does nothing to prevent eavesdroppers from reading users' mail messages as they're retrieved.

Wrapping POP3 with SSL

As with SSL-wrapped SMTP (see Chapter 7, "Configuring qmail: Advanced Options"), the first step is to install an SSL wrapper utility such as Stunnel or SSLWrap. See Chapter 7 for pointers to these utilities and instructions for installing Stunnel.

Setting Up an SSL-Wrapped qmail-pop3d Service

With qmail, daemontools, and Stunnel installed, and a qmail-pop3d service configured, you can set up an SSL-wrapped POP3 service. See "Installing qmail-pop3d" earlier in this chapter for help on setting up a qmail-pop3d service.

Tip 

Stunnel can also be used as a proxy for an existing POP3 service, which will work with any POP3 service, regardless of the server. This method is demonstrated in the "Proxy-Wrapping an IMAP Service" section later in this chapter. It's readily adaptable to other services such as POP3 and SMTP.

  1. Create /var/qmail/supervise directories for the new service:

     # mkdir -p /var/qmail/supervise/pop3sd/log
     # chmod +t /var/qmail/supervise/pop3sd
     #

  2. Create /var/qmail/supervise/pop3sd/run containing this:

     #!/bin/sh
     MAXPOP3SD=`head -1 /var/qmail/control/concurrencypop3s`
     exec /usr/local/bin/softlimit -m 3000000 \
         /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.pop3s.cdb -c "$MAXPOP3SD" \
             0 995 /usr/local/sbin/stunnel -f -p /usr/local/etc/stunnel.pem \
             -l /var/qmail/bin/qmail-popup -- qmail-popup FQDN /bin/checkpassword \
             /var/qmail/bin/qmail-pop3d Maildir 2>&1

This script is modeled after the /var/qmail/supervise/qmail-pop3d/run script from "Installing qmail-pop3d." The changes from that script are described in the following paragraphs.

The first change is to use a new nonstandard control file, concurrencypop3s, to limit the number of simultaneous secure POP3 connections.

The second change is to raise the memory limit from 2000000 to 3000000. Adding the stunnel process and the SSL encryption code requires more memory. On some platforms, you might have to raise the limit even higher.

The third change is to specify a new access control database for secure POP3 connections: /etc/tcp.pop3s.cdb.

The next change is to use port 995 instead of 110 (POP3). Port 995, also known as pop3s, is the standard port for secure POP3.

The last change is to replace the qmail-popup invocation with a stunnel invocation that runs qmail-popup. The stunnel command arguments are as follows:

  • -f keeps stunnel in the foreground, which supervise requires.

  • -p /usr/local/etc/stunnel.pem specifies the location of the server's certificate and private key, stored in Privacy Enhanced Mail (PEM) format.

  • -l /var/qmail/bin/qmail-popup tells stunnel to run qmail-popup to handle the protocol dialogue.

  • -- tells stunnel that the remaining command-line arguments are the name of the program being run, qmail-popup, and the arguments for that program.

  3. Create /var/qmail/supervise/pop3sd/log/run containing this:

     #!/bin/sh
     exec /usr/local/bin/setuidgid qmaill /usr/local/bin/multilog \
         t /var/log/qmail/pop3sd

  4. Create /var/qmail/control/concurrencypop3s, in this example, limiting simultaneous secure POP3 connections to 20:

     # echo 20 > /var/qmail/control/concurrencypop3s
     #

  5. Create the secure POP3 access database. The file /etc/tcp.pop3s is the human-readable version of the access database. It's analogous to the SMTP access database in /etc/tcp.smtp set up in Chapter 2, "Installing qmail." The tcprules command is used to convert the human-readable version into a machine-readable version, /etc/tcp.pop3s.cdb. For example, to restrict access to hosts on the local network, 192.168.x.x, and the local host, you would create /etc/tcp.pop3s, using your text editor, containing this:

     192.168.:allow
     127.:allow
     :deny

  6. Set the permissions on the run scripts and create the log directory:

     # chmod 755 /var/qmail/supervise/pop3sd/run
     # chmod 755 /var/qmail/supervise/pop3sd/log/run
     # mkdir /var/log/qmail/pop3sd
     # chown qmaill /var/log/qmail/pop3sd
     #

  7. Link the service to /service:

     # ln -s /var/qmail/supervise/pop3sd /service
     #

  8. Add the following to qmailctl's start section:

     if svok /service/pop3sd ; then
         svc -u /service/pop3sd
     else
         echo pop3sd supervise not running
     fi

  9. Add the following to qmailctl's stop section:

     echo "  pop3sd"
     svc -d /service/pop3sd

  10. Add the following to qmailctl's stat section:

     svstat /service/pop3sd
     svstat /service/pop3sd/log

  11. Add the following to qmailctl's pause section:

     echo "Pausing pop3sd"
     svc -p /service/pop3sd

  12. Add the following to qmailctl's cont section:

     echo "Continuing pop3sd"
     svc -c /service/pop3sd

  13. Add the following to qmailctl's restart section:

     echo "* Restarting pop3sd."
     svc -t /service/pop3sd

  14. Add the following to qmailctl's cdb section:

     tcprules /etc/tcp.pop3s.cdb /etc/tcp.pop3s.tmp < /etc/tcp.pop3s
     chmod 644 /etc/tcp.pop3s.cdb
     echo "Reloaded /etc/tcp.pop3s."

  15. Build /etc/tcp.pop3s.cdb:

     # qmailctl cdb
     Reloaded /etc/tcp.smtp.
     Reloaded /etc/tcp.pop3.
     Reloaded /etc/tcp.pop3s.
     #

  16. Verify that the service is running:

     # svstat /service/pop3sd
     /service/pop3sd: up (pid 22355) 8 seconds
     # telnet 0 995
     Trying 0.0.0.0...
     Connected to 0.
     Escape character is '^]'.
     junk
     junk
     Connection closed by foreign host.
     #

  17. Test the secure POP3 service using a compatible MUA. For example, using fetchmail, with a $HOME/.fetchmailrc containing this:

     poll dolphin proto pop3 no dns
         user doug with password Adm1ral is doug here
         fetchall
         mda "/var/qmail/bin/qmail-inject doug"

    should result in something like this:

     $ fetchmail -v --ssl
     fetchmail: 5.7.4 querying dolphin (protocol POP3) at Sun 29 Jul 2001 08:05:11 PM EDT
     fetchmail: Issuer Organization: Example, Inc
     fetchmail: Issuer CommonName: dolphin.example.com
     fetchmail: Server CommonName: dolphin
     fetchmail: Issuer Organization: Example, Inc
     fetchmail: Issuer CommonName: dolphin.example.com
     fetchmail: Server CommonName: dolphin
     fetchmail: POP3< +OK <22376.996451531@dolphin.example.com>
     fetchmail: POP3> CAPA
     fetchmail: POP3< -ERR authorization first
     fetchmail: authorization first
     fetchmail: POP3> USER *
     fetchmail: POP3< +OK
     fetchmail: POP3> PASS *
     fetchmail: POP3< +OK
     fetchmail: POP3> STAT
     fetchmail: POP3< +OK 0 0
     fetchmail: No mail for test at dolphin.example.com
     fetchmail: POP3> QUIT
     fetchmail: POP3< +OK
     fetchmail: normal termination, status 1
     $

As you can see from the verbose output, the session is successfully established using SSL.
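The access database from step 5 is only as good as your understanding of how tcpserver resolves a client address against it. The following added example (not code from the book or from ucspi-tcp) models that lookup: the full address is tried first, then shorter and shorter dotted prefixes, then the empty default rule, and a connection with no matching rule at all is allowed, which is why the trailing ":deny" line matters. It covers only the IP-prefix rules used in this chapter; hostname (=host) rules are out of scope, and the sample rules file is the constructed /etc/tcp.pop3s from step 5.

```python
"""Evaluate a tcprules-style access file the way tcpserver resolves a client
address: the most specific matching rule wins.

Added example, not code from The qmail Handbook or from ucspi-tcp. It models
only IP-prefix rules and the default ("") rule; hostname (=host) rules and
environment assignments after the action are parsed past but not applied.
"""

# Constructed sample: the contents of /etc/tcp.pop3s from step 5.
SAMPLE_RULES = """192.168.:allow
127.:allow
:deny
"""


def parse_rules(text):
    """Return {prefix: action} from tcprules text.

    Each line is 'prefix:action[,VAR="value"...]'. Blank lines and lines
    starting with '#' are skipped; any environment assignments after the
    action are ignored here.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, rest = line.partition(":")
        action = rest.split(",", 1)[0].strip()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action {action!r} in rule {line!r}")
        rules[prefix] = action
    return rules


def lookup_keys(ip):
    """Keys tcpserver tries, most specific first: the full address, then
    '1.2.3.', '1.2.', '1.', and finally '' (the default rule)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    keys = [ip]
    for n in (3, 2, 1):
        keys.append(".".join(octets[:n]) + ".")
    keys.append("")
    return keys


def decide(rules, ip):
    """Return 'allow' or 'deny' for ip. If no rule matches (and there is no
    default rule) tcpserver accepts the connection, so 'allow' is the
    fallback; a ':deny' line is what turns the file into a whitelist."""
    for key in lookup_keys(ip):
        if key in rules:
            return rules[key]
    return "allow"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for client in ("192.168.1.5", "127.0.0.1", "10.0.0.1"):
        print(f"{client:15} -> {decide(rules, client)}")
```

Run it against a copy of your own rules file before rebuilding the .cdb: a whitelist that is missing its ":deny" line will report "allow" for the 10.0.0.1 case.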

Using APOP Authentication

If your primary security concern is preventing the use of reusable passwords, APOP authentication might be the way to go. It's easier to set up than SSL-wrapped POP3—mostly because no certificates are involved. Unfortunately, APOP requires the server to store the POP passwords somewhere on the server. The file or files that store these passwords must be carefully protected.
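To make the trade-off described here and in the introduction concrete, the following added example (not code from the book, from qmail-popup or from checkpw) models the AUTHORIZATION state of a POP3 server with both login paths. With USER/PASS the password itself crosses the wire; with APOP the client sends only an MD5 digest of the server's per-connection timestamp banner and the password (RFC 1939), so a captured APOP command is useless against any later session. The flip side is visible in the server object: to verify the digest it must hold the cleartext password, which is exactly why checkpw's .password files need protecting. The banner value reuses the pid and timestamp from the fetchmail transcript above; the user names and passwords are constructed, and the session helpers and wire_secrets() are names of my own.

```python
"""Model the two POP3 login paths this chapter contrasts: USER/PASS, which
sends the password itself, and APOP, which sends a one-time MD5 digest of
the greeting banner and the password (RFC 1939, section 7).

Added example, not code from The qmail Handbook, qmail-popup or checkpw.
The server holds cleartext passwords in a dict standing in for checkpw's
per-maildir .password files; names, passwords and the banner are constructed.
"""
import hashlib
import hmac
import os
import time


def apop_digest(banner, password):
    """Lowercase hex MD5 of banner+password: the only secret-dependent
    value an APOP client ever puts on the wire."""
    return hashlib.md5((banner + password).encode()).hexdigest()


class Pop3AuthServer:
    """AUTHORIZATION-state logic of a POP3 server: greeting, USER/PASS, APOP."""

    def __init__(self, fqdn, passwords, pid=None, now=None):
        self.passwords = passwords  # cleartext: APOP cannot work from a hash
        pid = os.getpid() if pid is None else pid
        now = int(time.time()) if now is None else now
        # RFC 1939 timestamp banner, unique per connection.
        self.banner = f"<{pid}.{now}@{fqdn}>"
        self.pending_user = None
        self.authenticated = None

    def greeting(self):
        return f"+OK {self.banner}"

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.pending_user = arg
            return "+OK"
        if verb == "PASS":
            if self.pending_user is None:
                return "-ERR USER first"
            ok = arg == self.passwords.get(self.pending_user)
            return self._finish(self.pending_user, ok)
        if verb == "APOP":
            name, _, digest = arg.partition(" ")
            return self._finish(name, self.check_apop(name, digest))
        if verb == "QUIT":
            return "+OK"
        # Like the server in the fetchmail transcript, refuse everything
        # else (CAPA included) until the client has authenticated.
        return "-ERR authorization first"

    def check_apop(self, name, digest):
        stored = self.passwords.get(name)
        if stored is None:
            return False
        expected = apop_digest(self.banner, stored)
        # Constant-time comparison so timing does not leak digest prefixes.
        return hmac.compare_digest(expected.encode(), digest.lower().encode())

    def _finish(self, name, ok):
        self.pending_user = None
        if ok:
            self.authenticated = name
            return "+OK"
        return "-ERR authentication failed"


def pass_session(server, user, password):
    """Plain USER/PASS login; returns (transcript, authenticated_user)."""
    transcript = [("S", server.greeting())]
    for cmd in (f"USER {user}", f"PASS {password}"):
        transcript.append(("C", cmd))
        transcript.append(("S", server.handle(cmd)))
    return transcript, server.authenticated


def apop_session(server, user, password):
    """APOP login driven from the greeting; returns (transcript, user)."""
    greeting = server.greeting()
    banner = greeting.split(" ", 1)[1]
    cmd = f"APOP {user} {apop_digest(banner, password)}"
    transcript = [("S", greeting), ("C", cmd), ("S", server.handle(cmd))]
    return transcript, server.authenticated


def wire_secrets(transcript, password):
    """True if the cleartext password appears in anything the client sent."""
    return any(password in msg for who, msg in transcript if who == "C")


if __name__ == "__main__":
    passwords = {"doug": "Adm1ral"}  # constructed
    for session in (pass_session, apop_session):
        srv = Pop3AuthServer("dolphin.example.com", passwords, 22376, 996451531)
        transcript, who = session(srv, "doug", "Adm1ral")
        for side, msg in transcript:
            print(side, msg)
        print(f"authenticated={who} password_on_wire={wire_secrets(transcript, 'Adm1ral')}\n")
```

Neither path encrypts the mail itself; only the SSL wrapper from the previous section does that, which is why the two mechanisms are complementary rather than alternatives.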

Enabling APOP with a qmail-pop3d service is a simple matter of replacing checkpassword with an APOP-enabled implementation. One APOP-ready checkpassword replacement is checkpw, which is available from the Web (http://www.geocities.co.jp/SiliconValley/4777/qmail/checkpw/index.html).

Caution 

If you're already using a nonstandard checkpassword such as one of the ones included with VMailMgr and Vpopmail, replacing checkpassword will probably break something. One way to use different checkpassword programs on a single host is to set up separate Internet Protocol (IP) addresses, via IP aliasing or additional network interfaces, and configure tcpserver in the run scripts to only listen on certain IP addresses.

Enabling APOP with a POP3 Service

You can enable APOP once you have qmail and daemontools installed, and a qmail-pop3d service configured. See "Installing qmail-pop3d" earlier in this chapter for help setting up a qmail-pop3d service. Follow these steps:

  1. Using your Web browser or a command-line Web utility like wget, download the checkpw source tarball. At the time of this writing, the current release is 0.80. For example, using the wget utility, do this:

     $ wget http://www.geocities.co.jp/SiliconValley/4777/qmail/checkpw/\
     > checkpw-0.80.tar.gz
     --21:24:49--  http://www.geocities.co.jp/SiliconValley/4777/qmail/checkpw/checkpw-0.80.tar.gz
                => 'checkpw-0.80.tar.gz'
     Connecting to www.geocities.co.jp:80... connected!
     HTTP request sent, awaiting response... 200 OK
     Length: 28,392 [application/x-tar]

         0K ->  ...........................                                 [100%]

     21:25:09 (1.68 KB/s) - 'checkpw-0.80.tar.gz' saved [28392/28392]
     $

  2. Unpack the tarball:

     $ gunzip checkpw-0.80.tar.gz
     $ tar xf checkpw-0.80.tar
     $ cd checkpw-0.80
     $

  3. Build the binaries:

     $ make
     (cat warn-auto.sh; \
     echo 'main="$1"; shift'; \
     echo exec "`head -1 conf-ld`" \
     ...lots of output, ending with something like:
     ./load install hier.o auto_home.o unix.a byte.a
     ./compile instcheck.c
     ./load instcheck hier.o auto_home.o unix.a byte.a
     $

  4. Install the programs:

     $ su
     Password: rootpassword
     # make setup check
     ./install
     ./instcheck
     #

  5. Install APOP passwords. checkpw stores APOP passwords in plain text in a file called .password in the POP3 maildir. The .password files must not be readable by anyone other than the owner of the maildir. For example, as a POP3 user on a system using $HOME/Maildir for the POP3 maildir:

     $ echo P4ssw0rd > $HOME/Maildir/.password
     $ chmod 600 $HOME/Maildir/.password
     $

  6. Modify the qmail-pop3d startup command, which is usually located in /service/qmail-pop3d/run. Replace the checkpassword invocation with a checkapoppw invocation. For example:

     #!/bin/sh
     MAXPOP3D=`head -1 /var/qmail/control/concurrencypop3`
     exec /usr/local/bin/softlimit -m 2000000 \
         /usr/local/bin/tcpserver -v -R -H -l 0 -x /etc/tcp.pop3.cdb -c "$MAXPOP3D" \
             0 110 /var/qmail/bin/qmail-popup FQDN /bin/checkapoppw \
                 /bin/loginlog \
                 /var/qmail/bin/qmail-pop3d Maildir 2>&1

  7. Restart the qmail-pop3d service. For example:

     # svc -t /service/qmail-pop3d
     #

  8. Test the APOP authentication using a compatible MUA. For example, using getmail with a $HOME/.getmail/getmailrc containing this:

     [default]

     [Test]
     server = dolphin.example.com
     username = maryjane
     password = Rud0lph
     postmaster = ~/Maildir/
     use_apop = 1

    should result in output like this:

     $ getmail
     getmail v.2.1.3 - POP3 mail retriever with reliable Maildir and mbox delivery.
       (ConfParser version 2.0) (timeoutsocket version 1.12)
     Copyright (C) 2001 Charles Cazabon <getmail @ discworld.dyndns.org>
     Licensed under the GNU General Public License version 2.
     See the file COPYING for details.
     dolphin.example.com: POP3 session initiated on port 110 for "maryjane"
     dolphin.example.com: POP3 greeting:  +OK <25505.997638074@dolphin.example.com>
     dolphin.example.com: POP3 APOP response:  +OK
     dolphin.example.com: POP3 list response:  +OK
       msg #1 : len 302 ... retrieved ... delivered to postmaster ... deleted
     dolphin.example.com: finished retrieving messages
     dolphin.example.com: POP3 session completed for "maryjane"
     dolphin.example.com: retrieved 0 messages for 0 local recipients
     $

As you can see from the verbose output, authentication using APOP is successful.
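Step 5 of this procedure puts the cleartext APOP password in each maildir's .password file, so the mode and ownership of those files are what stand between an APOP deployment and a password disclosure. The following added example (not part of the book or of checkpw) audits a tree of maildirs for .password files that are group- or world-accessible, owned by someone other than the maildir's owner, or replaced by a symlink. The directory layout it walks (one <root>/<user>/Maildir per user) is an assumption for the demo; the function names and the constructed sample tree are mine.

```python
"""Audit checkpw's APOP password files: every <maildir>/.password must be
mode 0600 (or stricter), a regular file, and owned by the maildir's owner.

Added example, not part of The qmail Handbook or of checkpw. The layout it
walks (one <root>/<user>/Maildir per user) is an assumption; adjust
find_password_files() for a different POP3 maildir location.
"""
import os
import stat
import tempfile


def find_password_files(root, maildir_name="Maildir"):
    """Yield (maildir, path) for every <root>/<user>/<maildir_name>/.password."""
    for user in sorted(os.listdir(root)):
        maildir = os.path.join(root, user, maildir_name)
        candidate = os.path.join(maildir, ".password")
        if os.path.lexists(candidate):
            yield maildir, candidate


def audit_password_file(maildir, path):
    """Return a list of findings for one file; an empty list means it is fine."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A symlink could point checkpw at a file outside the maildir.
        findings.append("is a symlink, not a regular file")
        return findings
    if not stat.S_ISREG(st.st_mode):
        findings.append("is not a regular file")
        return findings
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
    owner = os.stat(maildir).st_uid
    if st.st_uid != owner:
        findings.append(f"owner uid {st.st_uid} differs from maildir owner uid {owner}")
    return findings


def audit_tree(root):
    """Return {path: findings} for every .password file with a problem."""
    problems = {}
    for maildir, path in find_password_files(root):
        findings = audit_password_file(maildir, path)
        if findings:
            problems[path] = findings
    return problems


def build_demo_tree():
    """Constructed sample: two users, one with a correctly protected file and
    one whose .password was left world-readable (the mistake step 5 warns
    about). Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="apop-audit-")
    for user, mode in (("doug", 0o600), ("maryjane", 0o644)):
        maildir = os.path.join(root, user, "Maildir")
        os.makedirs(maildir)
        path = os.path.join(maildir, ".password")
        with open(path, "w") as f:
            f.write("constructed-password\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for path, findings in audit_tree(root).items():
        print(path)
        for finding in findings:
            print("   ", finding)
```

Point audit_tree() at /home (or wherever your POP3 maildirs live) from a cron job, and treat any output as an incident to fix before the next APOP login, since a readable .password file hands out the reusable credential APOP was adopted to protect.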






The qmail Handbook
ISBN: 1893115402
Year: 2001
Pages: 186
Authors: Dave Sill