[Spambayes] [ spambayes-Feature Requests-698036 ] pop3proxy security

SourceForge.net noreply at sourceforge.net
Wed Mar 5 09:40:02 EST 2003


Feature Requests item #698036, was opened at 2003-03-05 09:41
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=498106&aid=698036&group_id=61702

Category: pop3proxy
Group: None
Status: Open
Priority: 5
Submitted By: Tim Stone (timstone4)
Assigned to: Tim Stone (timstone4)
Summary: pop3proxy security

Initial Comment:
Currently, there is no security on the pop3proxy, so anyone can 
access the user interface from any computer, given a web browser 
and knowledge of the IP address and port.  Even if you didn't know the 
port, figuring it out wouldn't necessarily be difficult.  This allows 
several operations that could be security problems, including 
reading at least the first couple hundred characters of each mail 
body.

It would seem that the correct solution is to 
implement a challenge/authentication on the pop3proxy HTTP 
server.

----------------------------------------------------------------------

>Comment By: Tim Stone (timstone4)
Date: 2003-03-05 11:40

Message:
Logged In: YES 
user_id=645698

Ya, the problem here is that I might want to allow remote connections, but 
I certainly don't want just anybody to be able to connect.  Skip's 
suggestion doesn't help here.

----------------------------------------------------------------------

Comment By: Richie Hindle (richiehindle)
Date: 2003-03-05 11:35

Message:
Logged In: YES 
user_id=85414

[Tim Stone]
> Currently, there is no security on the pop3proxy

Not true - you can use the html_ui_allow_remote_connections
setting to reject connections from anywhere other than the local
machine.  This is a bit draconian - as you say, we should have
a better solution - but it's not as bad as you make out.


----------------------------------------------------------------------

Comment By: Skip Montanaro (montanaro)
Date: 2003-03-05 10:48

Message:
Logged In: YES 
user_id=44345

I don't think this is a problem.  Just tell the webserver to listen on "localhost"
or "127.0.0.1", or maybe even "".  Connections from remote hosts won't be accepted.

----------------------------------------------------------------------
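
An added example, not part of the original thread and not Spambayes code: a minimal Python HTTP UI that combines the two controls discussed above, a local-only gate in the spirit of `html_ui_allow_remote_connections` and the HTTP challenge/authentication the request asks for. The setting names, the credentials and the helper functions are assumptions made for this sketch.

```python
import base64, hmac, http.client, ipaddress, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
# Hypothetical settings for this sketch; these are not Spambayes option names.
ALLOW_REMOTE = False   # same idea as html_ui_allow_remote_connections
EXPECTED = b"admin:constructed-example-password"   # constructed user:password

def peer_allowed(addr, allow_remote=ALLOW_REMOTE):
    """Loopback peers always pass; other peers only when remote access is on."""
    return allow_remote or ipaddress.ip_address(addr).is_loopback

def credentials_ok(header):
    """Check an 'Authorization: Basic ...' header in constant time."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:], validate=True)
    except ValueError:             # malformed base64
        return False
    return hmac.compare_digest(supplied, EXPECTED)

class UIHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if not peer_allowed(self.client_address[0]):
            self.send_error(403, "Remote connections disabled")
        elif not credentials_ok(self.headers.get("Authorization")):
            self.send_response(401)    # the challenge: browser prompts for login
            self.send_header("WWW-Authenticate", 'Basic realm="proxy UI"')
            self.end_headers()
        else:
            body = b"proxy UI\n"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    def log_message(self, *args):      # keep the demo quiet
        pass

def start_server(host="127.0.0.1"):
    """Bind to loopback; in Python an empty host string binds every interface."""
    server = ThreadingHTTPServer((host, 0), UIHandler)   # port 0: OS picks one
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_status(port, creds=None):
    """Constructed client: one GET to the UI, returning the HTTP status."""
    hdrs = {"Authorization": "Basic " + base64.b64encode(creds).decode()} if creds else {}
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/", headers=hdrs)
    status = conn.getresponse().status
    conn.close()
    return status
```

Basic authentication sends the password base64-encoded, not encrypted, so a deployment that turns remote access on would also need TLS in front of the UI.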
