[spambayes-bugs] [ spambayes-Feature Requests-698036 ] pop3proxy security

SourceForge.net noreply at sourceforge.net
Tue Aug 19 02:54:45 EDT 2003


Feature Requests item #698036, was opened at 2003-03-06 04:41
Message generated for change (Settings changed) made by anadelonbrin
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=498106&aid=698036&group_id=61702

Category: pop3proxy
Group: None
>Status: Closed
Priority: 5
Submitted By: Tim Stone (timstone4)
Assigned to: Tim Stone (timstone4)
Summary: pop3proxy security

Initial Comment:
Currently, there is no security on the pop3proxy, so anyone can 
access the user interface from any computer, given a web browser 
and knowledge of the ip address and port.  Even if you didn't know the 
port, figuring it out wouldn't necessarily be difficult.  This allows 
several operations that could be security problems, including 
reading at least the first couple hundred characters of each mail 
body.

It would seem that the correct solution is to 
implement a challenge/authentication on the pop3proxy http 
server.

----------------------------------------------------------------------

>Comment By: Tony Meyer (anadelonbrin)
Date: 2003-08-19 20:54

Message:
Logged In: YES 
user_id=552329

[ 790615 ] Allowed remote connections management
https://sourceforge.net/tracker/index.php?
func=detail&aid=790615&group_id=61702&atid=498105

Has a fix for this, and I've checked this in.

I don't think there is a need for a more complicated 
challenge/authentication system, but if anyone wants to 
submit one, go ahead!

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-18 14:58

Message:
Logged In: YES 
user_id=6845

Okay, I'll try to achieve this within the next few days.

----------------------------------------------------------------------

Comment By: Tony Meyer (anadelonbrin)
Date: 2003-08-18 14:56

Message:
Logged In: YES 
user_id=552329

Sounds fine to me.  If you write a patch, I'll check it in.

----------------------------------------------------------------------

Comment By: Romain Guy (gfx)
Date: 2003-08-18 14:52

Message:
Logged In: YES 
user_id=6845

What about middle-term solution ? A simple, handy solution
is similar to what many routers offer : just allow user to :

- set a list of trusted remote IPs
- set access to any remote IP
- reject any remote access

This is not hard to implement and should satisfy everybody.

----------------------------------------------------------------------

Comment By: Tim Stone (timstone4)
Date: 2003-03-06 06:40

Message:
Logged In: YES 
user_id=645698

Ya, the problem here is that I might want to allow remote connections, but 
I certainly don't want just anybody to be able to connect.  Skip's 
suggestion doesn't help here.

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-03-06 06:35

Message:
Logged In: YES 
user_id=85414

[Tim Stone]
> Currently, there is no security on the pop3proxy

Not true - you can use the html_ui_allow_remote_connections
setting to reject connections from anywhere other than the local
machine.  This is a bit draconian - as you say, we should have
a better solution - but it's not as bad as you make out.


----------------------------------------------------------------------

Comment By: Skip Montanaro (montanaro)
Date: 2003-03-06 05:48

Message:
Logged In: YES 
user_id=44345

I don't think this is a problem.  Just tell the webserver to listen on "localhost"
or "127.0.0.1", or maybe even "".  Connections from remote hosts won't be accepted.

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=498106&aid=698036&group_id=61702



More information about the Spambayes-bugs mailing list