Date:      Tue, 29 Dec 2009 11:11:50 +0000
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        Roland Smith <rsmith@xs4all.nl>
Cc:        Anton Shterenlikht <mexas@bristol.ac.uk>, freebsd-questions@freebsd.org
Subject:   Re: fetchmail and plain text password
Message-ID:  <20091229111150.GA15440@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <20091228173515.GA27630@slackbox.xs4all.nl>
References:  <20091228151553.GA7478@mech-cluster241.men.bris.ac.uk> <20091228173515.GA27630@slackbox.xs4all.nl>

On Mon, Dec 28, 2009 at 06:35:15PM +0100, Roland Smith wrote:
> On Mon, Dec 28, 2009 at 03:15:53PM +0000, Anton Shterenlikht wrote:
> > I use fetchmail
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mail-fetchmail.html
> > to download all my mail from the Uni mail
> > server to my fbsd box.
> > 
> > I typically run it in daemon mode, which requires
> > having my mail server password in plain text in .fetchmailrc
> > 
> > I'm a little worried about the security of having
> > my password in plain text on the system.
> 
> chown you:yourgroup ~/.fetchmailrc
> chmod 400 ~/.fetchmailrc
> 
> With these changes, only you and the superuser can read that file. 

yes, an attacker gaining superuser access is my worry.
I'm reading Garfinkel and Spafford (1996) Practical UNIX & Internet Security
(a bit out of date, I know. I ordered the 3rd edition, 2003),
and I realised there are a lot of potential security issues, of which
I wasn't aware. Things like SUID/SGID files could be an issue,
and lots of other things.

> > Is there a more secure arrangement that would
> > still allow running fetchmail in daemon mode?
> 
> I'd be more worried that your password is sent as plaintext over the network
> using e.g. POP3. You should use the --ssl option if your mailserver allows it.

it looks like it doesn't allow ssl.

> > Or maybe there is another software solution
> > altogether?
> 
> Presumably you are running a mailserver on your box. You can ask the
> administrator to forward mail to your machine by making an MX record for it.

not sure I understand you here. I run sendmail daemon just for sending mail
out of the box, and delivery of internal mail inside the box. Sendmail
doesn't listen for any incoming connections.
Could you please elaborate, or give a link.

many thanks
anton


-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423
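
An added example, not part of the original message or of fetchmail itself: a shell function that audits a fetchmail run-control file for the two points raised in this thread, namely who can read the file and whether an entry that stores a password also sets the `ssl` keyword. The function name, the optional path argument and the output format are this example's own choices, and the keyword scan is a heuristic rather than a full parser of the rc syntax.

```shell
#!/bin/sh
# Added example (not from the thread): audit a fetchmail rc file for file
# exposure and for stored passwords on entries lacking the ssl keyword.
# Prints findings only (never the password); returns 0 when there are none.
audit_fetchmailrc() {
    rc=${1:-$HOME/.fetchmailrc}   # path argument is this example's convention
    findings=0
    [ -f "$rc" ] || { echo "missing: $rc"; return 2; }

    # ls -ldn instead of stat(1): stat flags differ between FreeBSD and GNU.
    listing=$(ls -ldn -- "$rc")
    grpoth=$(printf '%s\n' "$listing" | cut -c5-10)    # group + other bits
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')

    if [ "$owner" != "$(id -u)" ]; then
        echo "owner: uid $owner owns $rc, expected $(id -u)"
        findings=$((findings + 1))
    fi
    if [ "$grpoth" != "------" ]; then
        echo "mode: group/other bits set ($grpoth); chmod 400 $rc"
        findings=$((findings + 1))
    fi

    # Heuristic: an entry starts at poll/skip. Quoted strings and comments
    # are blanked first so a password containing the text ssl is not
    # mistaken for the keyword.
    cleartext=$(awk '
        function report() { if (host != "" && pw && !ssl) print host }
        {
            gsub(/"[^"]*"/, "\"\""); sub(/#.*/, "")
            for (i = 1; i <= NF; i++) {
                if ($i == "poll" || $i == "skip") {
                    report(); host = $(i + 1); pw = 0; ssl = 0; i++
                } else if ($i == "password" || $i == "pass") { pw = 1 }
                else if ($i == "ssl") { ssl = 1 }
            }
        }
        END { report() }' "$rc")
    for h in $cleartext; do
        echo "cleartext: $h stores a password but has no ssl keyword"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}
# usage: audit_fetchmailrc            (defaults to ~/.fetchmailrc)
```

Restrictive permissions do not protect the file from the superuser, which is the concern raised in the message above; the check only confirms that other local accounts cannot read the stored password.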


