Mailing List SIMS@mail.stalker.com Message #12593
From: Bill Cole <listbill@scconsult.com>
Subject: Re: APOP.
Date: Tue, 25 Feb 2003 17:43:32 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 3:41 PM -0600 2/25/03, Chris Wagner imposed structure on a stream of electrons, yielding:
> Trying to figure out a better way to allow remote users to use their
> mailboxes for a reasonably longer time period you can set SIMS up to "treat
> authenticated IPs as client host".

> I guess my question is this:
>
> How much more secure (or is it more secure) / less of a relay opportunity to
> setup APOP?

APOP is not directly related to relay. It's a POP3 option, not an SMTP option.

If you don't require APOP of POP3 users, it is theoretically possible for their passwords to be sniffed out on the wire. This is less likely on the modern net than it was when APOP was invented, but it is a risk. If someone can get into a position where they can watch the traffic 'on the wire' to your mail server, the non-APOP passwords are right there to be read.

APOP does this by using a challenge/response method instead of a simple password login. When you connect to an APOP-capable server, you get an initial banner like this:

+OK Stalker POP3 Server 1.8b9d14 at sc1.scconsult.com ready <1077.3129056303@sc1.scconsult.com>

The last bit in angle brackets is a 'challenge' that varies with every session. With APOP, that string and the user's password are squished together by the client, hashed, written in hexadecimal notation, and sent back in an APOP command:

APOP bill 9130d9f6f377267d2133f5dc879cef96

The 'hash' is a one-way function so there's no way for a sniffer to turn that 32-digit hex string back into a password plus the challenge string except by brute force checking of all possible passwords. However, the server can verify this way that the client knows the right password.

The only historical argument against APOP is that it requires that the server have an unencrypted (or reversibly encrypted) record of the password. Traditional Unix systems don't have that by default, as they only retain hashed passwords. That means that the password has to exist in a retrievable form someplace that otherwise wouldn't have it. For SIMS, this is a pointless issue because SIMS stores cleartext passwords in the resource fork of the account file anyway.

> At that point (running APOP for each box), would SIMS rely on the IP from
> the sender's network to verify against its client host list?
>
> If this is the case, then how can you work around this and not totally set
> yourself up as a relay?
>
> I guess I'm a bit confused.

Umm... yeah...

APOP doesn't change how SIMS does POP-before-SMTP, i.e. the "For <x> min. authenticated IPs are treated as Client ones" option in the SMTP settings. Whether the user authenticates with a password or with APOP, the single IP address he is connecting from gets a free pass as a client (i.e. can relay) for whatever time you set. In older versions this was not a variable time, but was limited to something strict like 30 seconds. The risk of raising that time is that a lot of users hold on to their IP address for just as long as it takes to grab mail, and within seconds of their hanging up, the address is reassigned to someone else. That argues against anything really long, but 1 or 3 minutes should be okay.

--
Bill Cole
bill@scconsult.com
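The APOP exchange Bill describes above, as an added example that is not part of the original message and not SIMS or Stalker code. It uses the banner quoted in the message; the account password and the guess list are constructed for the example. It shows the three roles in one place: the client computing MD5(challenge || password) per RFC 1939, the server recomputing it from its stored cleartext password (which is why APOP needs the password kept in retrievable form), and a passive sniffer who cannot invert the hash but can run a dictionary through it, which is the brute-force caveat in the text.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Sample data. The banner is the one quoted in the message; the password and
# word list are constructed for this example and are not real credentials.
BANNER = ("+OK Stalker POP3 Server 1.8b9d14 at sc1.scconsult.com ready "
          "<1077.3129056303@sc1.scconsult.com>")
PASSWORD = "correct horse"          # constructed account password
WORDLIST = ["password", "letmein", "bill1234", "correct horse", "Stalker"]


def extract_challenge(banner: str) -> str:
    """Pull the <...> timestamp out of the greeting. Per RFC 1939 the angle
    brackets are part of the challenge and are included in the hash."""
    m = re.search(r"<[^<>]+>", banner)
    if not m:
        raise ValueError("server did not offer an APOP challenge")
    return m.group(0)


def apop_digest(challenge: str, password: str) -> str:
    """Client side: MD5 over challenge followed by password, 32 lower-case hex digits."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def apop_command(user: str, challenge: str, password: str) -> str:
    """The line the client sends instead of USER/PASS."""
    return f"APOP {user} {apop_digest(challenge, password)}"


def server_verify(challenge: str, command: str, stored_password: str) -> bool:
    """Server side: recompute the digest from the challenge *this* session issued
    and the cleartext password on file, then compare in constant time.
    A digest captured from one session fails against any other challenge."""
    parts = command.split()
    if len(parts) != 3 or parts[0].upper() != "APOP":
        return False
    expected = apop_digest(challenge, stored_password)
    return hmac.compare_digest(expected, parts[2].lower())


def sniff_cleartext_pass(line: str) -> Optional[str]:
    """Without APOP the PASS command carries the password itself; a sniffer
    just reads it off the wire."""
    if line.upper().startswith("PASS "):
        return line[5:].rstrip("\r\n")
    return None


def crack_sniffed_exchange(banner: str, command: str,
                           candidates: Iterable[str]) -> Optional[str]:
    """Passive attacker who captured both the banner and the APOP command.
    The hash cannot be reversed, so the only option is to guess passwords and
    recompute; a weak password falls to a word list, a strong one does not."""
    challenge = extract_challenge(banner)
    target = command.split()[2].lower()
    for guess in candidates:
        if apop_digest(challenge, guess) == target:
            return guess
    return None


if __name__ == "__main__":
    challenge = extract_challenge(BANNER)
    cmd = apop_command("bill", challenge, PASSWORD)
    print("S:", BANNER)
    print("C:", cmd)
    print("server accepts:", server_verify(challenge, cmd, PASSWORD))
    print("replay against new challenge accepted:",
          server_verify("<1078.1@sc1.scconsult.com>", cmd, PASSWORD))
    print("sniffer sees in PASS login:", sniff_cleartext_pass("PASS " + PASSWORD))
    print("sniffer recovers from APOP via word list:",
          crack_sniffed_exchange(BANNER, cmd, WORDLIST))
```

Note that the only thing protecting the password once the exchange is captured is the password's own strength; APOP removes the on-the-wire read but not the offline guess.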
