RE: POP3
From: Gary McKinney (gmckinney@megabits.net)Date: 03/02/02
- Previous message: dewt: "Re: Netscape Communicator vs IE"
- In reply to: Burleson, Lee (IA): "RE: POP3"
- Next in thread: Håkan Stensby: "RE: POP3"
- Next in thread: irado furioso com tudo: "RE: POP3"
- Reply: Håkan Stensby: "RE: POP3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Gary McKinney" <gmckinney@megabits.net> To: "Burleson, Lee (IA)" <Lee.Burleson@ia.ngb.army.mil>, <shady@netway.at>, <security-basics@securityfocus.com> Date: Sat, 2 Mar 2002 09:46:48 -0500
Lee - there is one "caveat" to what you have stated...
The "question" was what were the security implications of allowing users to
use POP3 to access external email servers (not the exchange server and you
are correct about POP3 to the exchange server)...
The external email servers should have a different username and password
than the internal exchange server to start with - if the external email
server supports encrypted (secure POP3) then all the better...
personally I would have the external email server forward the email to the
user through the exchange server and NOT give them POP-3 access to an
outside email server... The reason for this is two-fold:
1. You can setup filters on the firewall and install third-party virus
scanners on the exchange server to "trap" malicious attachments on the email
and....
2. Control the use of the email system for business purposes only....
The first one is really the main one!!! Most of the email virus and Trojan
attachments getting through to company systems has entered through external
POP-3 accounts on internal workstations... Even if you filter at the
workstation with virus scanners you may miss some of them (especially the
new ones that have not been picked out of the wild and have virus signatures
or the workstation is not totally up to date on the signature file). By
having the external email routed to the exchange server you can setup
third-party filters and virus scanners to "trap" by attachment and content
to stop the virus code before it can do damage...
Just some thoughts...
gm...
> -----Original Message-----
> From: Burleson, Lee (IA) [mailto:Lee.Burleson@ia.ngb.army.mil]
> Sent: Wednesday, February 27, 2002 11:18 PM
> To: 'shady@netway.at'; 'security-basics@securityfocus.com'
> Subject: RE: POP3
>
>
> Take the following into consideration...
>
> Given:
> * POP3 authentication is clear text
> * MS Exchange authenticates against NT/2000 user accounts
>
> Therefore:
> * The POP3 username & password are the same credentials used to
> access network resources.
> * Compromised POP3 credentials will also compromise the entire
> domain.
>
> Conclusion: POP3 is a bad idea, even in a LAN.
>
> - Lee
>
>
> -----Original Message-----
> From: shady@netway.at [mailto:shady@netway.at]
> Sent: Saturday, February 23, 2002 4:00 PM
> To: security-basics@securityfocus.com
> Subject: POP3
>
>
>
>
> My users want me to to give them POP3 access via
> the firewall. We have an Exchange Server runnig with
> a Checkpoint Firewall. Are there any security issues
> that I need to watch out
- Previous message: dewt: "Re: Netscape Communicator vs IE"
- In reply to: Burleson, Lee (IA): "RE: POP3"
- Next in thread: Håkan Stensby: "RE: POP3"
- Next in thread: irado furioso com tudo: "RE: POP3"
- Reply: Håkan Stensby: "RE: POP3"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
