Message-ID: <20080808205935.GA29303@openwall.com>
Date: Sat, 9 Aug 2008 00:59:35 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: denying certain system users from checking for mail

On Fri, Aug 08, 2008 at 02:38:39PM -0500, TLD Popa3d wrote:
> Is there a way with popa3d to do like a deny.users list or
> something?  I'm just looking for a way to tighten down
> the system, to keep the script kiddies and such from
> even getting to an authentication stage in the mail check,
> for example when they use the news user, root user, etc.
>
> I want the username to have to be a valid user of the
> system, i.e. mail-retrieving user, before it will get
> to the authentication stage.

This makes sense.  There are two primary ways to achieve this:

1. Build popa3d with PAM support (provided that your system uses PAM) and
use a PAM module such as pam_listfile.

2. Patch popa3d, such as with "popa3d 0.4 /etc/pop3.{allow,deny} support
patch, by Lukasz Luzar" as listed on the popa3d homepage.  Yes, this
patch is for version 0.4, but it should not be difficult to forward-port
to current versions.

Please note that blacklisting (a "deny" file/list) might be unreliable in
the security sense (it might be fail-open), and the use of a whitelist
(an "allow" file/list) is preferred.

Also, please note that pure file-based allow/deny implementations might be
fail-open even if you do use the "allow" file - that's because security of
this approach depends on being able to find the "allow" file in the first
place.  If the file somehow disappears (or at least the program does not
"see" it for whatever reason), everyone is allowed.  With pam_listfile,
you're able to specify that the file must be present, thereby avoiding
this problem, although you still do depend on correctness of pam_listfile
implementation.  A reasonably good one can be found here:

http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/pam/pam_listfile.c?rev=HEAD

(This is different from the implementation included in Linux-PAM.)

The usage syntax (in your /etc/pam.d/popa3d or equivalent) would be like:

auth required pam_listfile.so item=user sense=allow onerr=fail file=/etc/popa3d.allow

I hope you do not mind the paranoia - I think that you asked for it. ;-)

If you use Openwall GNU/*/Linux (or Owl for short), then you'd want to
know that it comes with popa3d pre-built with PAM support, and with the
above PAM module as a part of the system as well - so all you'd need to
do is edit /etc/pam.d/popa3d as shown above.  If you're not using Owl
yet, then please consider switching to Owl. ;-)

Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
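The fail-open pitfall described in the message above, as an added example that is not part of the original post and not code from popa3d, pam_listfile or Owl. It contrasts a whitelist check that denies everyone when the allow file is missing or unreadable (the behaviour the `sense=allow onerr=fail` line asks of pam_listfile) with the naive variant that treats a missing file as "no restrictions". The function names, the `/etc/popa3d.allow` default path in `main()`, the 64 KiB size cap and the one-name-per-line format are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define ALLOW_DENY 0
#define ALLOW_OK   1
/* An allow list larger than this is treated as an error.  The cap, the
 * list format and the default path below are assumptions for this example. */
#define LIST_MAX   65536

/* Core check over a list held in memory: one user name per line, exact
 * match only (no prefix matches), CRLF tolerated, blank lines ignored.
 * Comments and surrounding whitespace are deliberately not supported. */
int user_in_list_buf(const char *buf, size_t len, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = buf, *end = buf + len;

    if (ulen == 0)                 /* an empty name must never match a blank line */
        return ALLOW_DENY;
    while (p < end) {
        const char *nl = memchr(p, '\n', (size_t)(end - p));
        size_t n = nl ? (size_t)(nl - p) : (size_t)(end - p);
        if (n && p[n - 1] == '\r')
            n--;
        if (n == ulen && memcmp(p, user, n) == 0)
            return ALLOW_OK;
        p = nl ? nl + 1 : end;
    }
    return ALLOW_DENY;
}

/* Read the whole list into buf.  Returns the byte count, or -1 on any
 * error: missing or unreadable file, read error, or a file that does not
 * fit in cap (a file of exactly cap bytes is rejected too, erring on the
 * side of denial). */
static long load_list(const char *path, char *buf, size_t cap)
{
    FILE *fp = fopen(path, "r");
    size_t got;
    int bad;

    if (!fp)
        return -1;
    got = fread(buf, 1, cap, fp);
    bad = ferror(fp) || !feof(fp);
    fclose(fp);
    return bad ? -1 : (long)got;
}

/* Fail-closed: the list must be present and readable, and the user must be
 * in it.  Any error on the way denies, like pam_listfile with onerr=fail. */
int check_allow_fail_closed(const char *path, const char *user)
{
    char buf[LIST_MAX];
    long n = load_list(path, buf, sizeof buf);
    if (n < 0)
        return ALLOW_DENY;
    return user_in_list_buf(buf, (size_t)n, user);
}

/* Fail-open, for contrast: a missing list means "no restrictions", so every
 * user reaches the authentication stage.  This is the pitfall the post warns
 * about; it is here only so the difference can be observed and tested. */
int check_allow_fail_open(const char *path, const char *user)
{
    char buf[LIST_MAX];
    long n = load_list(path, buf, sizeof buf);
    if (n < 0)
        return ALLOW_OK;
    return user_in_list_buf(buf, (size_t)n, user);
}

/* Stand-alone use: ./allowcheck /etc/popa3d.allow USER
 * Exit status 0 means the fail-closed check admitted USER. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/popa3d.allow";
    const char *user = argc > 2 ? argv[2] : "nobody";
    int strict = check_allow_fail_closed(path, user);
    int lax = check_allow_fail_open(path, user);

    printf("%s: fail-closed=%s fail-open=%s\n", user,
           strict ? "allow" : "deny", lax ? "allow" : "deny");
    return strict ? 0 : 1;
}
```

Run it against a path that does not exist and the two columns diverge: the fail-closed check denies, the fail-open check admits everyone, which is exactly the situation the message describes when the allow file "disappears" or the program cannot see it. The whole-file read with a hard size cap also avoids matching a prefix of an over-long line, a second way such checks can go wrong.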