Re: webmail server & getpwnam "inherently unreliable" -- Precisely why is that?

From: Jem Berkes (jb_dontuse@pc9.org)
Date: 03/11/02


From: Jem Berkes <jb_dontuse@pc9.org>
Date: Mon, 11 Mar 2002 06:10:34 GMT


> but in the end the machine is still using the same old smtp plain text
> login, so i don't really see the point and don't see how i can ensure
> security against a cracker sniffing what he knows to be the first N
> number of packets in a POP or IMAP exchange.

You're right (remember it's not SMTP for retrieving mail, however). I
don't know the specifics of those library calls, but in either case any
webmail type of system is going to use plaintext passwords.

This is a huge security risk, but you can get around it safely if the
following conditions are met:

1) Webmail is only available through SSL (e.g. Apache mod_ssl)
2) The webmail system is connected to the mail servers through a route that never leaves the ISP (i.e. packets never go public)
3) No other access, i.e. no external POP access available on the same box that does the webmail

> furthermore, the reason why they want a *browser* based email service
> is so that when they are on the road they can just use the clients'
> browsers to get their mail. Now correct me if i'm in error here, but
> isn't that a giant step in the direction of breaking security in
> itself? that means whatever crackers may be doing at client sites
> automatically infects this webmail server.

SSL...

Check out nullwebmail. This thing's beautiful. I'm running it at my site
through SSL only.

http://nullwebmail.sourceforge.net/

-- 
Jem E. Berkes
IEEE member, Winnipeg

http://www.pc-tools.net/ Windows, Linux & UNIX software
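As an added illustration of condition 1 in the post above (this is not part of the original message and is not nullwebmail's own configuration), here is an Apache 2.4 virtual-host pair that makes a webmail directory reachable only over HTTPS: the port-80 host does nothing but redirect, and the port-443 host refuses any non-TLS request to the webmail path even if a plaintext vhost is later added by mistake. The hostname, certificate paths and document root are assumed placeholders. Conditions 2 and 3 are network-level (which interfaces the IMAP/POP daemons listen on and what the firewall lets in) and cannot be expressed in Apache configuration; the comments mark where they belong.

```apache
# --- Assumed placeholders: replace with your own values ---
# webmail.example.org          hostname of the webmail box
# /etc/ssl/webmail/cert.pem    server certificate (plus chain)
# /etc/ssl/webmail/key.pem     private key
# /var/www/webmail             document root of the webmail application

Listen 80
Listen 443

# Plain HTTP: serve nothing, only send the browser to the TLS host.
<VirtualHost *:80>
    ServerName webmail.example.org
    # Permanent redirect of every path to HTTPS.
    Redirect permanent / https://webmail.example.org/
</VirtualHost>

# TLS: the only host that actually serves the webmail application.
<VirtualHost *:443>
    ServerName webmail.example.org
    DocumentRoot /var/www/webmail

    SSLEngine on
    SSLCertificateFile    /etc/ssl/webmail/cert.pem
    SSLCertificateKeyFile /etc/ssl/webmail/key.pem

    # Disable legacy protocol versions; leave the cipher list to the
    # distribution's defaults unless you have a reason to pin it.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Tell browsers to never retry this host over plain HTTP (mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    <Directory /var/www/webmail>
        # Belt and braces: refuse the request unless it arrived over TLS,
        # even if another vhost is later misconfigured to serve this path.
        SSLRequireSSL
        Require all granted
    </Directory>
</VirtualHost>

# Conditions 2 and 3 live outside Apache:
#  - the IMAP/POP daemons the webmail app talks to should listen only on
#    the internal address (or localhost) that the webmail box uses;
#  - the host firewall should drop inbound 110/143 from public networks,
#    so the only plaintext-password hop is the private one.
```

Verify the result with `apachectl configtest` before reloading, then confirm from an external address that port 80 only answers with a 301 to the HTTPS host and that the webmail path is not served in clear text.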
