Opening POP3 port on the firewall

[agentflicker]

Hello all,

I want to open the POP3 (110) port on our firewall to allow users to download their email.

Are there any security implications I should be concerned about if I do this?

Thanks Simon

 

[mbr]

Well, i think there are indeed some security implications when opening the POP3-port on a firewall

Firewalls are especially usefull in restricting and controling access from Dark Internet to the LAN, so you would not want everybody from outside
to sniff your users passwords and data that via POP3 will be send in cleartext over the net.

When security is desired, you need the ability to restrict the access and protect the data transferred, which may be achieved by implementing a Virtual Private Network (VPN).

So you should go to the next IT-bookstore and have a look at that topic, or you might even call a Security-Consultant, because it's not that easy to set up..

ciao, mbr

 

[PCTHUG]

When ever you open a hole in your firewall you arise security issue, the only recommendation I can offer you is changing your ports around this will stop much of your basic hacker by confusing them. Also for a long term answer the VPN would definitely be the best way to go.

cheers,

Paul Romanek
Unix Admin.
promanek@lakeshorelearning.com

 

[chiph]

Hmmm. Is there a web-based email reader available for Linux? You could run it under SSL which will solve the cleartext password problem.

Chip H.

 

[johnhoke]

There are a number of Webmail readers for linux, look over at

http://www.freshmeat.net

and search for Webmail

You could also run secure-POPd and/or SecureIMAP so they are using SSL/TLS to secure the passwords...

this doesnt talk about the problem of opening ports on the firewall... are you opening incomming 110 or outgoing 110?

-John

 

[GoldenEternity]

The major security problems are 1) how secure the server is, and 2) how well you configure your firewall.

The first is relatively simple to check... go hunt through your favorite vulnerability database (mine is

http://www.securityfocus.com)

for any references to the pop server. Its already been pointed out that vanilla pop3 transmits passwords in the clear, so sniffing is an issue. Another problem is that pop3 may allow an attacker to attempt to brute force passwords by using your pop3 server. Check to see if bad passwords get logged by your pop server.

The second isn't so simple... Its easy to make a mistake in altering your firewall rules and accidentally allow in traffic that you didn't intend; even if you think you know what you're doing.

Otherwise, you should be good.

 

[agentflicker]

I'm using checkpoint secure remote / VPN1 to encrypt and secure the communication between users and the firewall. This should take care of most of the security issues I hope.

Simon.

 

[aduplicate]

Just a note, experianced hackers use SSL (port 443), rather than the normal ports. This is due to the fact that its harder to get the 'hack' traced back to them. I strongly suggest VPN, I use checkpoint and its been fine for me so far. I am also looking at allowing our users to access mail and other information from outside our LAN, the only safest way is a VPN. Even if we put info in our DMZ its not safe :/