POP mail servers


Summary

POP2 and POP3 servers allow non-Unix users to access their mail on a machine without logging in.

Impact

Unauthorized user access to the system.

Background

POP servers give PC and Macintosh users a way to receive mail through another machine. When connecting to a POP server, the client transmits the user's userid and password in clear text. Once the user has been authenticated, the user can then access their mail.

The problem

Each time the client reconnects to the POP server, the user's userid and password are transmitted again. Some client programs poll the POP server every few minutes for the arrival of new mail. These frequent checks increase the chance of the machine, username, and password being discovered by a password sniffer "tuned" for POP mail systems.

Fix

The specification for POP3 servers (RFC 1725) describes an optional command to help resolve this clear text password issue. When the initial connection is made to a POP server, the server displays a timestamp in its banner. The client combines this timestamp with a secret shared between the server and client to create an MD5 hash string. The next time the client connects to the server (e.g., to check for new mail) it will issue a command (APOP) together with the hash string. This method reduces the number of times that a user's userid and password are transmitted in clear text.
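The APOP exchange just described, as an added illustration that is not code from the original page: the server's banner timestamp, the client's MD5 digest over the timestamp followed by the shared secret, and the server's recomputation of that digest. The user name, secret, host name and function names are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets
import time

# Constructed sample values for the walkthrough (not from the original page).
USER = "alice"
SHARED_SECRET = "correct horse battery"   # known to both client and server
TIMESTAMP_RE = re.compile(r"(<[^>]+>)")   # the <...> string in the banner


def server_greeting(host: str = "pop.example.test") -> str:
    """Server side: banner carrying a fresh timestamp string for this session."""
    stamp = f"<{secrets.randbelow(1 << 31)}.{int(time.time())}@{host}>"
    return f"+OK POP3 server ready {stamp}"


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over timestamp + secret, hex-encoded, as the APOP command specifies."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def client_apop_command(greeting: str, user: str, secret: str) -> str:
    """Client side: derive the digest from the banner; the secret never leaves the client."""
    m = TIMESTAMP_RE.search(greeting)
    if m is None:
        raise ValueError("server offered no timestamp; APOP is unavailable")
    return f"APOP {user} {apop_digest(m.group(1), secret)}"


def server_verify_apop(greeting: str, command: str, secrets_db: dict) -> bool:
    """Server side: recompute the digest from the stamp it issued and compare."""
    parts = command.split()
    m = TIMESTAMP_RE.search(greeting)
    if len(parts) != 3 or parts[0] != "APOP" or m is None:
        return False
    _, user, digest = parts
    if user not in secrets_db:
        return False
    expected = apop_digest(m.group(1), secrets_db[user])
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    banner = server_greeting()
    cmd = client_apop_command(banner, USER, SHARED_SECRET)
    print("S:", banner)
    print("C:", cmd)
    print("S:", "+OK" if server_verify_apop(banner, cmd, {USER: SHARED_SECRET}) else "-ERR")
```

A digest captured on the wire is bound to one banner, so it does not verify against a later session's greeting; the server, however, must hold each user's shared secret in recoverable form to recompute the digest.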

Another optional method, described in RFC 1734 and derived from IMAP4, provides a further means of authentication. The AUTH command allows the client to specify an authentication mechanism to be used and a protocol exchange. This allows the client to name the authentication methods it knows about and challenge the server to see if it knows any of them as well. If no authentication method can be agreed upon, then the APOP command is used (RFC 1725).

Solutions: