
#12 pop3proxy security

closed
pop3proxy (17)
5
2003-08-19
2003-03-05
Tim Stone
No

Currently, there is no security on the pop3proxy, so anyone can
access the user interface from any computer, given a web browser
and knowledge of the IP address and port. Even if you didn't know the
port, figuring it out wouldn't necessarily be difficult. This allows
several operations that could be security problems, including
reading at least the first couple hundred characters of each mail
body.

It would seem that the correct solution is to
implement a challenge/authentication on the pop3proxy HTTP
server.

Discussion

  • Skip Montanaro

    Skip Montanaro - 2003-03-05

    Logged In: YES
    user_id=44345

    I don't think this is a problem. Just tell the webserver to listen on "localhost"
    or "127.0.0.1", or maybe even "". Connections from remote hosts won't be accepted.

     
  • Richie Hindle

    Richie Hindle - 2003-03-05

    Logged In: YES
    user_id=85414

    [Tim Stone]
    > Currently, there is no security on the pop3proxy

    Not true - you can use the html_ui_allow_remote_connections
    setting to reject connections from anywhere other than the local
    machine. This is a bit draconian - as you say, we should have
    a better solution - but it's not as bad as you make out.

     
  • Tim Stone

    Tim Stone - 2003-03-05

    Logged In: YES
    user_id=645698

    Ya, the problem here is that I might want to allow remote connections, but
    I certainly don't want just anybody to be able to connect. Skip's
    suggestion doesn't help here.

     
  • Romain Guy

    Romain Guy - 2003-08-18

    Logged In: YES
    user_id=6845

    What about a middle-term solution? A simple, handy solution
    is similar to what many routers offer: just allow the user to:

    - set a list of trusted remote IPs
    - set access to any remote IP
    - reject any remote access

    This is not hard to implement and should satisfy everybody.

     
  • Tony Meyer

    Tony Meyer - 2003-08-18

    Logged In: YES
    user_id=552329

    Sounds fine to me. If you write a patch, I'll check it in.

     
  • Romain Guy

    Romain Guy - 2003-08-18

    Logged In: YES
    user_id=6845

    Okay, I'll try to achieve this within the next few days.

     
  • Tony Meyer

    Tony Meyer - 2003-08-19
    • status: open --> closed
     
  • Tony Meyer

    Tony Meyer - 2003-08-19

    Logged In: YES
    user_id=552329

    [ 790615 ] Allowed remote connections management
    https://sourceforge.net/tracker/index.php?func=detail&aid=790615&group_id=61702&atid=498105

    Has a fix for this, and I've checked this in.

    I don't think there is a need for a more complicated
    challenge/authentication system, but if anyone wants to
    submit one, go ahead!
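
The three access modes proposed in the thread (reject any remote access, allow any remote IP, allow a list of trusted remote IPs) can be expressed as one setting checked on every accepted connection. The sketch below is an added example, not the code from the checked-in patch; the function names, the `localhost` and `*` keywords and the comma-separated list format are assumptions made for illustration.

```python
import ipaddress

LOCAL_ONLY = "localhost"   # assumed keyword: reject any remote access
ANY_REMOTE = "*"           # assumed keyword: allow any remote IP


def parse_policy(value):
    """Turn a config string into (mode, networks); raise ValueError if malformed."""
    value = value.strip()
    if value in (LOCAL_ONLY, ANY_REMOTE):
        return value, []
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty policy; use 'localhost' to reject remote access")
    # strict=False accepts "192.168.1.0/24" as well as a single address.
    # A malformed entry raises ValueError here, at load time, instead of
    # silently widening or narrowing access later.
    return "trusted", [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(peer, policy):
    """Decide whether a connection from `peer` (IP string) may use the UI."""
    mode, networks = policy
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False                      # unparseable peer: fail closed
    # A dual-stack socket reports IPv4 clients as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or mode == ANY_REMOTE:
        return True
    if mode == LOCAL_ONLY:
        return False
    return any(addr.version == net.version and addr in net for net in networks)
```

Pass the peer address taken from the accepted socket, never a value read from a request header. An address list limits who can reach the UI but does not identify the user, so it complements rather than replaces the challenge/authentication the report asks for.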

     
