Date: Mon, 2 May 2011 17:23:07 +1000 (EST)
From: freebsd-lists@albury.net.au
To: George Sanders
Cc: freebsd-security@freebsd.org
Subject: Re: limiting pop access to gmail servers ?
Message-ID: <20110502171811.Y39066@ali-syd-1.albury.net.au>
In-Reply-To: <349555.87646.qm@web120019.mail.ne1.yahoo.com>

> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...

While not a "strong" solution, out-of-the box, I'd suggest in /etc/hosts.allow
(probably after the "paranoid" line to make inetd check fwd/reverse match)

    ALL : PARANOID : RFC931 20 : deny

assuming you use qpopper (change as required)

    qpopper : .google.com : allow
    qpopper : x.x.x.0/255.255.255.0 : allow     (your directly-connected users)
    qpopper : all : deny

RossW
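
Added example, not part of RossW's message: a simplified Python model of how tcp_wrappers would evaluate the four rules above, showing why the `.google.com` match depends on the PARANOID forward/reverse check. The DNS tables, host names and addresses are constructed (documentation ranges), 192.0.2.0 stands in for x.x.x.0, and the `RFC931 20` ident option and hosts.deny are left out of the model.

```python
import ipaddress

# Constructed DNS data (documentation address ranges, not real records).
PTR = {
    "198.51.100.7": "mail-out.google.com",  # PTR and A record agree
    "203.0.113.9": "mail-out.google.com",   # PTR claims google.com, A record disagrees
    "192.0.2.44": "desk44.example.net",     # directly-connected user
}
A = {
    "mail-out.google.com": {"198.51.100.7"},
    "desk44.example.net": {"192.0.2.44"},
}

# The rules from the post, in file order; x.x.x.0 replaced by an assumed 192.0.2.0.
RULES = [
    ("ALL", "PARANOID", "deny"),
    ("qpopper", ".google.com", "allow"),
    ("qpopper", "192.0.2.0/255.255.255.0", "allow"),
    ("qpopper", "all", "deny"),
]

def client_name(ip):
    """Reverse lookup followed by forward confirmation of the returned name."""
    name = PTR.get(ip)
    if name is None:
        return "unknown"
    return name if ip in A.get(name, set()) else "paranoid"

def host_matches(pattern, ip, name):
    if pattern.upper() == "ALL":
        return True
    if pattern == "PARANOID":            # name does not map back to the address
        return name == "paranoid"
    if pattern.startswith("."):          # domain suffix, compared to the checked name
        return name.lower().endswith(pattern.lower())
    if "/" in pattern:                   # net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    return pattern.lower() in (ip, name.lower())

def decide(daemon, ip, rules=RULES):
    """First matching rule wins; with no match, access is granted."""
    name = client_name(ip)
    for daemons, pattern, verdict in rules:
        if daemons.upper() in ("ALL", daemon.upper()) and host_matches(pattern, ip, name):
            return verdict
    return "allow"
```

A client whose PTR record says google.com but whose forward lookup does not return the same address is named "paranoid" and is denied by the first rule, so it never reaches the `.google.com` allow line.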