Message-ID: <20080808205935.GA29303@openwall.com>
Date: Sat, 9 Aug 2008 00:59:35 +0400
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com
Subject: Re: denying certain system users from checking for mail

On Fri, Aug 08, 2008 at 02:38:39PM -0500, TLD Popa3d wrote:
> Is there a way with popa3d to do like a deny.users list or
> something?  I'm just looking for a way to tighten down
> the system, to keep the script kiddies and such from
> even getting to an authentication stage in the mail check,
> for example when they use the news user, root user, etc.
> 
> I want the username to have to be a valid user of the
> system, i.e. mail-retrieving user, before it will get
> to the authentication stage.

This makes sense.  There are two primary ways to achieve this:

1. Build popa3d with PAM support (provided that your system uses PAM)
and use a PAM module such as pam_listfile.

2. Patch popa3d, such as with "popa3d 0.4 /etc/pop3.{allow,deny} support
patch, by Lukasz Luzar" as listed on the popa3d homepage.  Yes, this
patch is for version 0.4, but it should not be difficult to forward-port
to current versions.

Please note that blacklisting (a "deny" file/list) might be unreliable
in the security sense (it might be fail-open), and the use of a
whitelist (an "allow" file/list) is preferred.  Also, please note that
pure file-based allow/deny implementations might be fail-open even if
you do use the "allow" file - that's because security of this approach
depends on being able to find the "allow" file in the first place.  If
the file somehow disappears (or at least the program does not "see" it
for whatever reason), everyone is allowed.  With pam_listfile, you're
able to specify that the file must be present, thereby avoiding this
problem, although you still do depend on correctness of pam_listfile
implementation.  A reasonably good one can be found here:

	http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/pam/pam_listfile.c?rev=HEAD

(This is different from the implementation included in Linux-PAM.)

The usage syntax (in your /etc/pam.d/popa3d or equivalent) would be like:

auth	required	pam_listfile.so item=user sense=allow onerr=fail file=/etc/popa3d.allow

I hope you do not mind the paranoia - I think that you asked for it. ;-)

If you use Openwall GNU/*/Linux (or Owl for short), then you'd want to
know that it comes with popa3d pre-built with PAM support, and with the
above PAM module as a part of the system as well - so all you'd need to
do is edit /etc/pam.d/popa3d as shown above.  If you're not using Owl
yet, then please consider switching to Owl. ;-)

Alexander Peslyak <solar at openwall.com>
GPG key ID: 5B341F15  fp: B3FB 63F4 D7A3 BCCC 6F6E  FC55 A2FC 027C 5B34 1F15
http://www.openwall.com - bringing security into open computing environments
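An added illustration of the fail-open versus fail-closed point made in the reply above (example code written for this archive page, not popa3d's or pam_listfile's own): both checks read a one-username-per-line allow file; the first returns "allowed" whenever the file cannot be opened, the second denies, which is what pam_listfile's onerr=fail gives you. The function names, the in-memory list and the nonexistent path used for testing are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Exact whole-line match of user in an open allow file: 1 if listed,
 * 0 if not listed or if a read error occurred. */
static int user_listed(FILE *f, const char *user)
{
    char line[256];
    int found = 0;
    while (!found && fgets(line, sizeof(line), f)) {
        line[strcspn(line, "\r\n")] = '\0';   /* drop the newline */
        found = (strcmp(line, user) == 0);
    }
    return ferror(f) ? 0 : found;
}

/* Common body; on_error is the answer when the allow file cannot be
 * opened: 1 makes the check fail-open, 0 makes it fail-closed. */
static int allow_check(const char *path, const char *user, int on_error)
{
    FILE *f = fopen(path, "r");
    int allowed;
    if (!f)
        return on_error;
    allowed = user_listed(f, user);
    fclose(f);
    return allowed;
}

/* The pitfall the message describes: a missing file lets everyone in. */
int allow_check_fail_open(const char *path, const char *user)
{
    return allow_check(path, user, 1);   /* BUG: fail-open */
}

/* What pam_listfile's onerr=fail gives: a missing/unreadable file denies. */
int allow_check_fail_closed(const char *path, const char *user)
{
    return allow_check(path, user, 0);
}

/* Same match over a constructed in-memory list (no filesystem needed). */
int check_in_memory(const char *list, const char *user)
{
    FILE *f = fmemopen((void *)list, strlen(list), "r");
    int allowed = f ? user_listed(f, user) : 0;
    if (f)
        fclose(f);
    return allowed;
}
```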