From owner-freebsd-security@FreeBSD.ORG Mon May 2 13:32:19 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D165D106564A for ; Mon, 2 May 2011 13:32:19 +0000 (UTC) (envelope-from kapil@sh3lls.net) Received: from web1.sh3lls.net (web1.sh3lls.net [72.20.6.46]) by mx1.freebsd.org (Postfix) with ESMTP id B27768FC15 for ; Mon, 2 May 2011 13:32:19 +0000 (UTC) Received: from [122.169.34.13] (helo=[192.168.1.6]) by web1.sh3lls.net with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.69) (envelope-from ) id 1QGsCM-0001lJ-Qg for freebsd-security@freebsd.org; Mon, 02 May 2011 17:56:02 +0530 References: <20110502120037.ED22D10657C4@hub.freebsd.org> From: Kapil Jain Content-Type: text/plain; charset=utf-8 X-Mailer: iPad Mail (8H7) In-Reply-To: <20110502120037.ED22D10657C4@hub.freebsd.org> Message-Id: <6D96B8FE-5820-47A9-ACA5-CF8A1C06FAB7@sh3lls.net> Date: Mon, 2 May 2011 17:56:38 +0530 To: "freebsd-security@freebsd.org" Content-Transfer-Encoding: quoted-printable Mime-Version: 1.0 (iPad Mail 8H7) X-AntiAbuse: This header was added to track abuse, please include it with any abuse report X-AntiAbuse: Primary Hostname - web1.sh3lls.net X-AntiAbuse: Original Domain - freebsd.org X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12] X-AntiAbuse: Sender Address Domain - sh3lls.net X-Source: X-Source-Args: X-Source-Dir: Subject: Re: freebsd-security Digest, Vol 371, Issue 1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 02 May 2011 13:32:19 -0000 Try to change port for pop3 use some weired port, and specify that port in y= our gmail account for fetching, it's not full proof but it might work for yo= u Kapil Jain Sent from my iPad On 02-May-2011, at 5:30 PM, freebsd-security-request@freebsd.org wrote: > Send freebsd-security mailing list submissions to > freebsd-security@freebsd.org >=20 > To subscribe or unsubscribe via the World Wide Web, visit > http://lists.freebsd.org/mailman/listinfo/freebsd-security > or, via email, send a message with subject or body 'help' to > freebsd-security-request@freebsd.org >=20 > You can reach the person managing the list at > freebsd-security-owner@freebsd.org >=20 > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-security digest..." >=20 >=20 > Today's Topics: >=20 > 1. limiting pop access to gmail servers ? (George Sanders) > 2. Re: limiting pop access to gmail servers ? (Patrick Proniewski) > 3. Re: limiting pop access to gmail servers ? (Gleb Kurtsou) > 4. Re: limiting pop access to gmail servers ? (cronfy) > 5. Re: limiting pop access to gmail servers ? > (freebsd-lists@albury.net.au) >=20 >=20 > ---------------------------------------------------------------------- >=20 > Message: 1 > Date: Sun, 1 May 2011 15:55:25 -0700 (PDT) > From: George Sanders > Subject: limiting pop access to gmail servers ? > To: freebsd-security@freebsd.org > Message-ID: <349555.87646.qm@web120019.mail.ne1.yahoo.com> > Content-Type: text/plain; charset=3Dus-ascii >=20 >=20 >=20 > We run our own (freebsd) mail server. It's a pretty classic, old fashione= d=20 > /var/mail/username setup. >=20 > We have enabled POP so that certain people can pop their mail from us, and= use=20 > gmail as their mail client. >=20 > However, we have no other POP users ... and I don't want POP open to the w= hole=20 > world ... >=20 > BUT, I suspect there are a LOT of possible IPs that google will use to pop= mail=20 > from us ... >=20 > Is there an authoritative list ? >=20 > Anyone else blocking POP access to everyone BUT google ? >=20 >=20 > ------------------------------ >=20 > Message: 2 > Date: Mon, 2 May 2011 08:18:30 +0200 > From: Patrick Proniewski > Subject: Re: limiting pop access to gmail servers ? > To: George Sanders > Cc: freebsd-security@freebsd.org > Message-ID: <3FF47F45-A59F-4542-A65E-6069300D9224@patpro.net> > Content-Type: text/plain; charset=3D"us-ascii" >=20 > Hello, >=20 > On 02 mai 2011, at 00:55, George Sanders wrote: >=20 >> BUT, I suspect there are a LOT of possible IPs that google will use to po= p mail=20 >> from us ... >=20 > You are right about that. According to my pop logs, my servers have encoun= ter about 1000 different IPs from google (920 actually).=20 > Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.= com > By the way, I'm in europe, I'm not sure USA, Australia or Japan would see t= he same gmail POP clients. >=20 >> Is there an authoritative list ? >=20 > I don't know. >=20 >> Anyone else blocking POP access to everyone BUT google ? >=20 > I don't. >=20 > patpro >=20 > ------------------------------ >=20 > Message: 3 > Date: Mon, 2 May 2011 12:42:04 +0600 > From: Gleb Kurtsou > Subject: Re: limiting pop access to gmail servers ? > To: George Sanders > Cc: freebsd-security@freebsd.org > Message-ID: > Content-Type: text/plain; charset=3DUTF-8 >=20 > On Mon, May 2, 2011 at 4:55 AM, George Sanders wrot= e: >>=20 >>=20 >> We run our own (freebsd) mail server. It's a pretty classic, old fashion= ed >> /var/mail/username setup. >>=20 >> We have enabled POP so that certain people can pop their mail from us, an= d use >> gmail as their mail client. >>=20 >> However, we have no other POP users ... and I don't want POP open to the w= hole >> world ... >>=20 >> BUT, I suspect there are a LOT of possible IPs that google will use to po= p mail >> from us ... >>=20 >> Is there an authoritative list ? >>=20 >> Anyone else blocking POP access to everyone BUT google ? >=20 > Didn't try it myself, just a wild guess. Hopefully google pop clients > use real ssl certificates signed by google to authenticate. Mutual ssl > authentication is hardly ever used, but still. >=20 > Setup pop over ssl and check for google certificates instead. >=20 > Gleb. >=20 >=20 > ------------------------------ >=20 > Message: 4 > Date: Mon, 2 May 2011 10:41:59 +0400 > From: cronfy > Subject: Re: limiting pop access to gmail servers ? > To: freebsd-security@freebsd.org, gosand1982@yahoo.com > Message-ID: > Content-Type: text/plain; charset=3DUTF-8 >=20 > Hi, >=20 >> BUT, I suspect there are a LOT of possible IPs that google will use to po= p >> mail >>> from us ... >>=20 >> You are right about that. According to my pop logs, my servers have >> encounter about 1000 different IPs from google (920 actually). >> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*. >> google.com >> By the way, I'm in europe, I'm not sure USA, Australia or Japan would see= >> the same gmail POP clients. >>=20 >=20 >=20 > You can make active checks for incoming connections. If reverse DNS record= > is valid (ip -> resolves to name -> resolves to same ip) and it matches '.= * > google.com$' regexp, then it is Google. >=20 >=20 > --=20 > =D0=9E=D0=BB=D0=B5=D0=B3 =D0=9F=D0=B5=D1=82=D1=80=D0=B0=D1=87=D0=B5=D0=B2 >=20 >=20 > ------------------------------ >=20 > Message: 5 > Date: Mon, 2 May 2011 17:23:07 +1000 (EST) > From: freebsd-lists@albury.net.au > Subject: Re: limiting pop access to gmail servers ? > To: George Sanders > Cc: freebsd-security@freebsd.org > Message-ID: <20110502171811.Y39066@ali-syd-1.albury.net.au> > Content-Type: TEXT/PLAIN; charset=3DUS-ASCII; format=3Dflowed >=20 >=20 >=20 >> We have enabled POP so that certain people can pop their mail from us, an= d use >> gmail as their mail client. >>=20 >> However, we have no other POP users ... and I don't want POP open to the w= hole >> world ... >>=20 >> BUT, I suspect there are a LOT of possible IPs that google will use to po= p mail >> from us ... >=20 >=20 > While not a "strong" solution, out-of-the box, I'd suggest in=20 > /etc/hosts.allow (probably after the "paranoid" line to make inetd check=20= > fwd/reverse match) >=20 > ALL : PARANOID : RFC931 20 : deny >=20 > assuming you use qpopper (change as required) >=20 > qpopper : .google.com : allow > qpopper : x.x.x.0/255.255.255.0 : allow (your directly-connected use= rs) > qpopper : all : deny >=20 >=20 > RossW >=20 >=20 > ------------------------------ >=20 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org= " >=20 > End of freebsd-security Digest, Vol 371, Issue 1 > ************************************************