POP Mail Servers

Summary

POP2 and POP3 servers allow non-UNIX users to access their mail on a machine without logging in.

Impact

Unauthorized or malicious users exploiting this vulnerability may be able to gain access to the target system.

Background

POP servers give PC and Macintosh users a way to receive mail through another machine. When connecting to a POP server, the client transmits the user's userid and password in clear text. Once authenticated, the user can access their mail.

The Problem

Each time the client reconnects to the POP server, the user's userid and password are transmitted again. Some client programs poll the POP server every few minutes for new mail. These frequent checks increase the likelihood that the machine name, username, and password are captured by a password sniffer "tuned" for POP mail traffic.

Resolution

The specification for POP3 servers (RFC 1725) describes an optional command to help resolve this clear text password issue. When the initial connection is made to a POP server, the server displays a timestamp in its banner. The client uses this timestamp, together with a secret shared between the server and client, to compute an MD5 hash string. The next time the client connects to the server (e.g., to check for new mail) it issues the APOP command along with the hash string. This method reduces the number of times that a user's userid and password are transmitted in clear text.
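As an added illustration (not part of this advisory), the APOP exchange described above in Python: the client derives its digest from the banner timestamp and the shared secret, and the server checks it against the timestamp it issued, so a digest captured by a sniffer does not verify under a later greeting. The banner, user name and secret are the worked example from the RFC text; the helper names are my own.

```python
import hashlib
import re
import secrets
from typing import Callable, Optional

# Constructed sample banner. The timestamp and secret are the worked example from
# the RFC text (APOP section of RFC 1725/1939), not values taken from this advisory.
SAMPLE_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
SAMPLE_USER = "mrose"
SAMPLE_SECRET = "tanstaaf"

# The APOP timestamp is a msg-id style token '<pid.clock@host>' in the greeting.
TIMESTAMP_RE = re.compile(r"<[^<>\s]+>")


def extract_timestamp(banner: str) -> Optional[str]:
    """Pull the timestamp out of the server greeting; no timestamp means no APOP."""
    m = TIMESTAMP_RE.search(banner)
    return m.group(0) if m else None


def apop_digest(timestamp: str, secret: str) -> str:
    """MD5 over the timestamp immediately followed by the shared secret, rendered
    as 32 lowercase hex digits. The secret itself never appears on the wire."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def build_apop_command(banner: str, user: str, secret: str) -> str:
    """Client side: turn the greeting into the APOP line that replaces USER/PASS."""
    ts = extract_timestamp(banner)
    if ts is None:
        raise ValueError("greeting carries no timestamp; server does not offer APOP")
    return f"APOP {user} {apop_digest(ts, secret)}"


def server_verify(command: str, timestamp: str,
                  lookup_secret: Callable[[str], Optional[str]]) -> bool:
    """Server side: recompute the digest from the timestamp sent in its own greeting.
    The timestamp changes per connection, so a sniffed digest does not replay.
    Caveat: APOP needs the secret stored in recoverable form, so protect that store."""
    parts = command.split(" ")
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2].lower()
    secret = lookup_secret(user)
    if secret is None:
        return False
    return secrets.compare_digest(apop_digest(timestamp, secret), digest)
```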

An optional method (IMAP4), described in RFC 1734, provides another means of authentication. The AUTH command allows the client to specify an authentication mechanism to be used and a protocol exchange. This allows the client to name the authentication methods it knows about and challenge the server to see whether it supports any of them as well. If no authentication method can be agreed upon, the APOP command is used (RFC 1725).

Alternatively, install the latest secure POP3 mail server (with APOP/IMAP4 support), or disable POP mail if necessary.

Where can I read more about this?

Read CERT Advisory 97.09 for more information on vulnerabilities found in IMAP and POP. Also, visit Eudora's Internet Messaging Primer for an overview on POP and IMAP.