DSL logs

Devin Carraway aqua at atlantic.devin.com
Wed Jan 26 11:33:55 PST 2000


On Wed, Jan 26, 2000 at 10:15:00AM -0800, E Frank Ball wrote:
> Can somebody explain what's happening here?  mail.sonic.net makes this
> attempt every time I send mail or fetchmail, but the mail is working
> fine, and I think it is safe to assume that sofuku.monster.org isn't a
> friendly.
> 
> Also, is there a secure way to use fetchmail?

	As has already been pointed out, many SMTP servers send an RFC1413
ident request when they get a connection -- once upon a time it meant
something securitywise (if a mailserver got a connect whose ident wasn't any
of the usual mail users, it raised the chance that an incoming mail was a
forgery, so it could include the ident result in a Received: header to tell
the prospective recipient as much) -- now it doesn't mean much of anything. 
If it bothers you or you don't feel like supplying ident responses, you can
remove the in.identd entry from /etc/hosts.allow (you should have an ALL:ALL
in /etc/hosts.deny, remember :).

	Secure fetchmail: the easiest way that's available through your
average ISP is to tunnel pop3 through ssh.  To halfway approach real
security you'd have to ssh into the pop3 server itself, but tunnelling into
a machine on the ISP's network will at least improve the situation (sort of;
recall that you'd probably be sshing into a shell server, and shell and pop3
servers are the two best targets because both send a lot of cleartext
passwords).

	fetchmail can establish an ssh tunnel and tear it down when the pop
is completed -- set the pop3 server to localhost, using some local port
number you can open (above 1024, IOW, whatever looks reliably unoccupied). 
Then use fetchmail's 'preconnect' option to open an ssh tunnel from your
local port to your ISP pop server's pop3 port -- the command being of the
form 'ssh -L <localport>:pop.isp.net:110 shellserver.isp.net sleep 10' (the
sleep holds the connect long enough to start the POP transfer; after that
ssh will close the connection as soon as the tunnelled pop3 connect is
finished).

	Now that I've written all that, it transpires that the fetchmail
manpage has documentation on how to do all this, in the "configuration
examples" section.

	Other options for more secure fetchmail include APOP,
kerberos-authenticated pop3 and several forms of more securely authenticated
IMAP, none of which are reliably supported by most ISPs (or indeed by most
pop server software).

	Ultimately, unless you can get an ssh tunnel directly to your
mailserver, it's more secure simply to have your mail delivered directly
over the DSL connection, and ssh to your own machine to read it when you're
not around, rather than popping it.

-- 
Devin  \ aqua(at)devin.com, finger for PGP;  http://www.devin.com
Carraway \ IRC: Requiem  GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
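A working ~/.fetchmailrc for the preconnect tunnel described in the post, added here as an illustration and not taken from the post or from the fetchmail manual. The host names pop.isp.net and shellserver.isp.net are the ones used in the post; the local port 1110, the login name "frank" and the ssh -f flag are assumptions.

```conf
# ~/.fetchmailrc -- fetchmail refuses to run if this file is readable by
# other users, so: chmod 600 ~/.fetchmailrc
#
# Assumed names: pop.isp.net (POP3 server), shellserver.isp.net (ISP shell
# box reachable by ssh), local port 1110 (unprivileged, assumed free),
# login "frank" on both sides.

poll pop.isp.net via localhost port 1110 with protocol pop3:
    # fetchmail waits for the preconnect command to exit before it connects,
    # so ssh must put itself in the background (-f) once authenticated.
    # "sleep 10" keeps the forward open long enough for fetchmail to connect;
    # ssh exits on its own after the tunnelled POP3 session closes.
    # -L binds to 127.0.0.1 only, so nothing else on the LAN can use the
    # forward, and the password travels in clear only inside the ssh session.
    preconnect "ssh -f -L 1110:pop.isp.net:110 shellserver.isp.net sleep 10 </dev/null >/dev/null"
    user "frank" there is "frank" here
```

With no `with password` clause fetchmail prompts for the POP3 password at each run, which keeps it out of the file; add the clause only if the file is 0600 and you run fetchmail unattended.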