From owner-freebsd-security  Thu Oct 30 06:14:44 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id GAA10712
          for security-outgoing; Thu, 30 Oct 1997 06:14:44 -0800 (PST)
          (envelope-from owner-freebsd-security)
Received: from cwsys.cwsent.com (66@cschuber.net.gov.bc.ca [142.31.240.113])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id GAA10705
          for <freebsd-security@freebsd.org>; Thu, 30 Oct 1997 06:14:39 -0800 (PST)
          (envelope-from cy@cwsys.cwsent.com)
Received: (from uucp@localhost) by cwsys.cwsent.com (8.8.8/8.6.10) id GAA06472; Thu, 30 Oct 1997 06:08:13 -0800 (PST)
Message-Id: <199710301408.GAA06472@cwsys.cwsent.com>
Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwsent.com, id smtpd006448; Thu Oct 30 14:07:13 1997
X-Mailer: exmh version 2.0gamma 1/27/96
Reply-to: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
From: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
X-Sender: cy
To: Eugeny Kuzakov <kev@lab321.ru>
cc: Yury Yaroshevsky <yk@info.dgtu.donetsk.ua>,
        Philippe Regnauld <regnauld@deepo.prosa.dk>,
        freebsd-security@freebsd.org, cschuber@uumail.gov.bc.ca
Subject: Re: selective pop3 
In-reply-to: Your message of "Fri, 31 Oct 1997 09:37:16 +0600."
             <Pine.BSF.3.96.SK.971031093604.1058B-100000@lab321.ru> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 30 Oct 1997 06:07:09 -0800
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> On Wed, 29 Oct 1997, Yury Yaroshevsky wrote:
> 
> > > 	Tcp wrappers.  But you can only do IP level decisions, not user-level.
> > 				^^^^^^^^^
> > 				Only IP level???
> > 	If uses ident , you can restrict pop3 access for some account.
> > 	See  man hosts_options
> Pop3 clint machine can have or no pidentd....

Auth (identd) should not be used for user authentication, as anyone with root, 
e.g. any PC, can send you any information he/she pleases.  This is one the 
problems with all of the original Berkeley "r" commands:  Authentification was 
done at the client.  Unless your POP users are connecting from a UNIX host 
that you control, there is no way you can trust identd (or the Berkeley "r" 
commands).

In short identd should only be used in logging.  Even then you should consider 
the information gathered from a remote identd suspect.

> 
> 	Best wishes, Eugeny Kuzakov
> 		Laboratory 321 ( Omsk, Russia )
> 		kev@lab321.ru
> 
> 



Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       Cy.Schubert@gems8.gov.bc.ca

		"Quit spooling around, JES do it."