Opening POP3 port on the firewall

Status
Not open for further replies.

agentflicker

IS-IT--Management
May 8, 2001
38
FR
Hello all,

I want to open the POP3 (110) port on our firewall to allow users to download their email.

Are there any security implications I should be concerned about if I do this?

Thanks Simon
 
Well, I think there are indeed some security implications when opening the POP3 port on a firewall ;)

Firewalls are especially useful in restricting and controlling access from Dark Internet to the LAN, so you would not want everybody from outside to sniff your users' passwords and data that via POP3 will be sent in cleartext over the net.

When security is desired, you need the ability to restrict the access and protect the data transferred, which may be achieved by implementing a Virtual Private Network (VPN).

So you should go to the next IT-bookstore and have a look at that topic, or you might even call a Security-Consultant, because it's not that easy to set up.. ;)

ciao, mbr
 
Whenever you open a hole in your firewall you raise a security issue. The only recommendation I can offer you is changing your ports around; this will stop much of your basic hacker by confusing them. Also, for a long-term answer the VPN would definitely be the best way to go.

cheers,

Paul Romanek
Unix Admin.
promanek@lakeshorelearning.com
 
Hmmm. Is there a web-based email reader available for Linux? You could run it under SSL which will solve the cleartext password problem.

Chip H.
 
There are a number of Webmail readers for Linux, look over at and search for Webmail :)

You could also run secure-POPd and/or SecureIMAP so they are using SSL/TLS to secure the passwords...

This doesn't talk about the problem of opening ports on the firewall... are you opening incoming 110 or outgoing 110?

-John
 
The major security problems are 1) how secure the server is, and 2) how well you configure your firewall.

The first is relatively simple to check... go hunt through your favorite vulnerability database (mine is for any references to the pop server. It's already been pointed out that vanilla pop3 transmits passwords in the clear, so sniffing is an issue. Another problem is that pop3 may allow an attacker to attempt to brute force passwords by using your pop3 server. Check to see if bad passwords get logged by your pop server.

The second isn't so simple... It's easy to make a mistake in altering your firewall rules and accidentally allow in traffic that you didn't intend, even if you think you know what you're doing.

Otherwise, you should be good.
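
The advice above to check whether bad passwords get logged, turned into a detection check (an added example, not part of the original post): it counts failed POP3 logins per source address in a sliding time window. The log format, the `pop3d` tag and every sample line are constructed assumptions; adapt the regular expression to what your server really writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed log format (not from any real server).
SAMPLE_LOG = """\
2001-05-08 09:00:01 pop3d: LOGIN FAILED user=alice ip=198.51.100.7
2001-05-08 09:00:04 pop3d: LOGIN FAILED user=alice ip=198.51.100.7
2001-05-08 09:00:05 pop3d: LOGIN FAILED user=dave ip=203.0.113.20
2001-05-08 09:00:09 pop3d: LOGIN FAILED user=bob ip=198.51.100.7
2001-05-08 09:00:12 pop3d: LOGIN OK user=dave ip=203.0.113.20
2001-05-08 09:00:15 pop3d: LOGIN FAILED user=bob ip=198.51.100.7
2001-05-08 09:00:20 pop3d: LOGIN FAILED user=root ip=198.51.100.7
2001-05-08 09:00:26 pop3d: LOGIN FAILED user=root ip=198.51.100.7
2001-05-08 09:05:00 pop3d: LOGIN FAILED user=carol ip=192.0.2.44
2001-05-08 09:10:00 pop3d: LOGIN FAILED user=carol ip=192.0.2.44
2001-05-08 09:15:00 pop3d: LOGIN FAILED user=carol ip=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) pop3d: "
    r"LOGIN (?P<result>FAILED|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map each source IP with >= threshold failed logins inside any
    sliding window to (peak failure count, usernames it failed on).
    Assumes the log lines are in chronological order."""
    recent = defaultdict(deque)  # ip -> failure timestamps still in window
    peak = defaultdict(int)      # ip -> most failures seen in one window
    users = defaultdict(set)     # ip -> usernames with failed logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "FAILED":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
        users[m["ip"]].add(m["user"])
    return {ip: (n, sorted(users[ip])) for ip, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, tried) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins in one window, users tried: {tried}")
```

The 192.0.2.44 lines show the limit of a short window: guesses spaced minutes apart are only flagged once the window is widened.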
 
I'm using checkpoint secure remote / VPN1 to encrypt and secure the communication between users and the firewall. This should take care of most of the security issues I hope.

Simon.
 
Just a note, experienced hackers use SSL (port 443), rather than the normal ports. This is due to the fact that it's harder to get the 'hack' traced back to them. I strongly suggest VPN, I use checkpoint and it's been fine for me so far. I am also looking at allowing our users to access mail and other information from outside our LAN, the only safest way is a VPN. Even if we put info in our DMZ it's not safe :/
 