Installing POP servers on Linux?
John Chambers, 781-647-1813
jc at trillian.mit.edu
Sat Sep 4 20:15:43 EDT 1999
Derek Martin <dmartin at lancity.COM>
On Fri, 3 Sep 1999, Derek Martin wrote:
> On Fri, 3 Sep 1999, Brian Conway wrote:
>
> > > Install IMAP. It provides the daemons you seek.
> >
> > And is highly and easily exploitable even on a good day. Seriously
>
> I was aware of a buffer overflow problem in IMAP, but all my information
> (including looking at the CERT advisories) seems to suggest that it has
> been fixed since RH 5.2 and for those with older distros there are update
> rpms that fix the known vulnerabilities.
Incidentally, CERT also had a vulnerability report of buffer overflows in
qpopper.
Jeez; you'd think they'd have purged gets() from all the C libraries by
now! ;-)
Buffer overflows aside, I did get ipop3d running, dug around in the
RFC, and threw together a little Tcl testing tool to exercise it
remotely. In the process, I got curious about Red Hat's (linuxconf's)
gimmick for adding POP3 users to the system. It includes options for
creating a POP-only user. I suspect that IMAP will work as well, but
that wasn't what got me curious. It seemed that they were trying to
reassure you that such a user could do nothing but fetch mail. The
use of /bin/false as the shell looks reassuring, and of course a
login attempt simply got a new login prompt.
So, just for the fun of it, I decided to ftp to the site and tell
ftpd that I was the POP-only user. It worked just fine. And I wasn't
in with any sort of restricted, anonymous permissions. I could cd to
/etc without problem, and could get a copy of any of the files there.
Now, a logged-in user can do the same thing, of course, though it's
not quite as easy. But as I said, I'd gotten the impression that this
was being set up as an email-only account. Not hardly.
I spent a little time wandering around in CERT, and asked AltaVista
if it knew anything that combined POP and FTP and security. It did,
but the hits all seemed to be like the first one: "Super Cheap
Webhosting, 500 megs, Unlimited POP3's, Unlimited FTP, Only $18.45".
Nothing visible resembling a discussion of this potential problem.
<sigh>
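The check a practitioner would want after reading the above is a way to find every "mail-only" account on a box that an ftpd would still accept. The script below is an added example, not code from the original post or from Red Hat/linuxconf. It assumes the classic wu-ftpd/BSD ftpd login rules: a user is refused if the login shell in /etc/passwd is not listed in /etc/shells, or if the user name appears in /etc/ftpusers. Under those rules a shell of /bin/false blocks nothing on its own; it only helps if /bin/false is absent from /etc/shells, and listing it there is a common way of making POP-only accounts "work". The file contents in the block are constructed for the example; on a real host, read the three files and pass their text to the same functions.

```python
#!/usr/bin/env python3
"""Audit "mail-only" accounts that an ftpd would still accept.

Added example, not code from the original post. Assumed ftpd rules
(wu-ftpd/BSD ftpd): refuse if the login shell is not in /etc/shells,
or if the user name is in /etc/ftpusers. Everything else, including a
shell of /bin/false, is accepted with a valid password. The sample
file contents below are constructed for the example.
"""

# Shells that only make sense for accounts that are never meant to log in.
NOLOGIN_SHELLS = {"/bin/false", "/bin/true", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Map user name -> login shell from /etc/passwd text.

    An empty shell field means /bin/sh, which is how login(1) and ftpd treat it.
    """
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; skip rather than guess
        users[fields[0]] = fields[6] or "/bin/sh"
    return users


def parse_list(text):
    """One entry per line, blanks and '#' comments ignored (/etc/shells, /etc/ftpusers)."""
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")}


def ftp_allowed(user, shell, shells, ftpusers):
    """Would ftpd let this user past USER/PASS, given the correct password?"""
    return shell in shells and user not in ftpusers


def mail_only_but_ftp_reachable(passwd_text, shells_text, ftpusers_text):
    """Accounts with a no-login shell that ftpd would nonetheless accept, sorted."""
    users = parse_passwd(passwd_text)
    shells = parse_list(shells_text)
    ftpusers = parse_list(ftpusers_text)
    return sorted(u for u, sh in users.items()
                  if sh in NOLOGIN_SHELLS and ftp_allowed(u, sh, shells, ftpusers))


# Constructed sample files for the example.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
popuser:x:501:501:POP-only account:/home/popuser:/bin/false
bob:x:502:502:Bob, mail only:/home/bob:/bin/false
"""

# /bin/false listed in /etc/shells: the POP-only account passes ftpd's shell check.
SHELLS_WEAK = "/bin/sh\n/bin/bash\n/bin/false\n"
# /bin/false removed: ftpd now refuses every account that uses it.
SHELLS_FIXED = "/bin/sh\n/bin/bash\n"
# bob is explicitly denied in /etc/ftpusers; popuser is not.
FTPUSERS = "root\nbin\ndaemon\nbob\n"


def main():
    for label, shells in (("weak /etc/shells", SHELLS_WEAK),
                          ("fixed /etc/shells", SHELLS_FIXED)):
        hits = mail_only_but_ftp_reachable(PASSWD, shells, FTPUSERS)
        print(f"{label}: ftp-reachable mail-only accounts = {hits or 'none'}")


if __name__ == "__main__":
    main()
```

With the weak /etc/shells the audit reports popuser, which is exactly the account the post describes getting into via ftpd; bob is caught only because someone remembered to list him in /etc/ftpusers. Either fix works, but they differ in scope: adding each mail-only name to /etc/ftpusers is targeted and survives an /etc/shells that still contains /bin/false, while dropping /bin/false from /etc/shells closes ftpd for all such accounts at once (and for any other daemon that consults getusershell()). Neither touches the POP daemon, so mail collection keeps working.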
-
Subscription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).