fetchmail and plain text password

Roland Smith rsmith at xs4all.nl
Tue Dec 29 12:55:22 UTC 2009


On Tue, Dec 29, 2009 at 11:11:50AM +0000, Anton Shterenlikht wrote:
> > 
> > With these changes, only you and the superuser can read that file. 
> 
> yes, an attacker gaining superuser access is my worry.
> I'm reading Garfinkel and Spafford (1996) Practical UNIX & internet security
> (a bit out of date, I know. I ordered the 3rd edition, 2003),
> and I realised there are a lot of potential security issues, of which
> I wasn't aware. Things like SUID/SGID files could be an issue,
> and lots of other things.

If an attacker gains superuser privilege, you're screwed. But remote attacks
are the least of your worries, IMHO. If an attacker has physical access to
your machine, he can simply rip out the harddisk and peruse its contents at
his leisure. That is why you need disk encryption. Or he could put a hardware
keylogger between your keyboard and the computer to get your passwords.

So, 

1) Make sure that the room where your machine is located can be
   and is locked when you are away, denying attackers physical access.
2) Encrypt those partitions that contain sensitive data using geli(8), in case
   (1) fails.

After that you can start worrying about remote attacks. 

3) Activate a firewall that is set up to deny incoming connections by
   default, unless they go to a port that is allowed. 
4) If you need to run servers, consider running them in a jail(8) or at least
   in a chroot(8) environment. Look e.g. how it is done for named(8), see
   /etc/rc.d/named. 

> > I'd be more worried that your password is sent as plaintext over the network
> > using e.g. POP3. You should use the --ssl option if your mailserver allows it.
> 
> it looks like it doesn't allow ssl.

Does it allow SSH connections to the mail machine, so you can tunnel fetchmail
over ssh? Look at the ssh(1) manpage, specifically the '-L' port forwarding
option.

> > > Or maybe there is another software solution
> > > altogether?
> > 
> > Presumably you are running a mailserver on your box. You can ask the
> > administrator to forward mail to your machine by making an MX record for it.
> 
> not sure I understand you here. I run sendmail daemon just for sending mail
> out of the box, and delivery of internal mail inside the box. Sendmail
> doesn't listen for any incoming connections.
> Could you please elaborate, or give a link.

Your mail admin should set up the uni's MTA so that mail for you is sent to
the MTA on your machine. You should set up your MTA and firewall so that your
MTA will and can listen for incoming connections and process them. If the
uni's mailserver holds on to mail and tries to deliver it at intervals, this
is called batched SMTP or bSMTP, if it tries to deliver immediately, it is
just SMTP. Note that for SMTP to work, your machine had best be on 24/7.

The details of how this is done depend on the MTA that you and the university
are using, and e.g. if address rewriting is used and if so, how.

The most common scenario would be that when an e-mail for you arrives at the
uni mailserver, it re-writes the address from <mexas at bristol.ac.uk> to
<mexas at yourmachine.bristol.ac.uk>, where 'yourmachine' is the hostname of your
machine on the university network. It would then forward the mail to the MTA
on yourmachine.bristol.ac.uk. An opposite rewrite should be done when your
MTA pushes stuff to the uni webserver. But whether your MTA should do that or
the uni's MTA is a question of policy.

In short: for details, talk to a mail/network administrator. :-)

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
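The ssh -L tunnel suggested above, written out as a small POSIX sh helper. This is an added example and not part of Roland's mail or of fetchmail itself; the host name, login and local port it uses are constructed placeholders. It emits the ssh(1) command that binds the tunnel end to 127.0.0.1, emits the matching .fetchmailrc stanza that polls the tunnel instead of the mail host, and lints an existing .fetchmailrc for poll lines that would still send the POP3 password in clear (a non-localhost host without the ssl keyword).

```shell
#!/bin/sh
# Added example (not from the original mail): run fetchmail's POP3 session
# through an ssh(1) port forward so the password only travels inside the SSH
# channel, and check a .fetchmailrc for entries that bypass the tunnel.
# All host names, user names and ports below are constructed placeholders.

# tunnel_cmd USER HOST LOCALPORT
# -L 127.0.0.1:LOCALPORT:localhost:110 binds the listening end to loopback
# only (so other hosts cannot use your tunnel) and forwards it to port 110 as
# seen from the mail host itself. -N runs no remote command, -f backgrounds
# ssh once authenticated, so this can be started from a script or cron.
tunnel_cmd() {
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:110 %s@%s\n' \
        "$3" "$1" "$2"
}

# fetchmailrc_stanza LOCALPORT USER PASSWORD
# The stanza polls the local tunnel end, never the mail host directly.
# The file this goes into holds the password, so keep it mode 0600.
fetchmailrc_stanza() {
    printf 'poll localhost protocol pop3 port %s user "%s" there with password "%s" is "%s" here\n' \
        "$1" "$2" "$3" "$2"
}

# check_fetchmailrc FILE
# Returns 0 if every "poll" line either targets localhost/127.0.0.1 (the
# tunnel) or carries the ssl keyword; otherwise names each offending host on
# stderr and returns 1. Comment and blank lines are skipped.
check_fetchmailrc() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;
            poll*) ;;
            *) continue ;;
        esac
        host=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$line" in
            *' ssl'|*' ssl '*) continue ;;   # TLS-wrapped session, password protected
        esac
        case "$host" in
            localhost|127.0.0.1) continue ;;  # goes through the ssh tunnel
        esac
        printf 'plaintext credential exposure: poll %s without ssl\n' "$host" >&2
        rc=1
    done < "$1"
    return $rc
}

# Usage: sh thisfile.sh run   (prints the commands instead of executing them)
if [ "${1-}" = "run" ]; then
    tunnel_cmd mexas mail.example.ac.uk 1110
    fetchmailrc_stanza 1110 mexas 'CHANGE-ME'
    [ -r "$HOME/.fetchmailrc" ] && check_fetchmailrc "$HOME/.fetchmailrc"
fi
```

The lint only catches the case the mail discusses (a plain POP3 poll of a remote host); it treats any non-localhost poll without ssl as exposure, which is the conservative default for a file that holds a password.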