Author: Ian Eiloart
Date:
To: Jeremy Harris
CC: <exim-users@exim.org>
Subject: Re: [exim] POP3 authentication
On 13 Jun 2012, at 11:42, Jeremy Harris wrote:
> On 12/06/2012 18:56, Pablo Baldovi wrote:
>> It happens that the configuration that authenticates the user with a good connection on POP3, when done in an organization, malicious anyone can after a successful connection, change the configuration of your mail client and send mail as another person correct.
>
> POP3 is for getting mail. Not sending mail.
I think Pablo is concerned with the security of "POP before SMTP" authorization systems. These authorise email from a (username:IP address) pair, for a short period after an authenticated POP3 access from that IP address.
There are several reasons why this type of authorisation is not secure.
Exim does support use of the "whoson" protocol, using the "whoson" lookup, to determine the identity of a user, given an IP address. It isn't used in the default configuration, but it is there. The problem, I presume, with the protocol is that anyone behind a NAT router will be able to send email as if they were anyone else on that network who has a recent POP/IMAP logon.
Exim's whoson support seems also to ignore the identity of the logged-on person. It seems like the documented example (section 9.4 of the v4.77 docs) only checks that there is a logged-on person. So, if there's anyone logged on, then they or anyone else sharing the IP address can send mail as any user on the Exim system.
I guess it would be nice if the documentation for the whoson protocol:
a) strongly recommended SMTP Auth, for example by saying "but that approach has been superseded by SMTP authentication, WHICH IS FAR MORE ACCURATE AT IDENTIFYING AUTHORISED USERS". (my addition in caps).
b) gave an example where the user identity was used.
Also, perhaps we could agree that support for whoson be deprecated now, and dropped in a later version. Perhaps, as an intermediate step, it could be a compile-time option, off by default.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
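
The weakness discussed in this message, as a toy model added here as an example (it is not part of the original post and is not Exim or whoson code): an IP-only check, a check that uses the returned identity, and per-connection SMTP authentication, run over one constructed NAT scenario. The class, function names, the 600-second window and the address are all assumptions made for illustration.

```python
# Toy model (constructed; not Exim or whoson code) of POP-before-SMTP checks.
WINDOW = 600  # assumed: seconds an IP stays authorised after a POP3 login


class WhosonTable:
    """Maps a client IP to the user who last authenticated from it."""

    def __init__(self):
        self._by_ip = {}

    def record_login(self, user, ip, at):
        self._by_ip[ip] = (user, at)  # latest login per IP wins

    def lookup(self, ip, now):
        """Return the logged-on user for ip, or None if absent or expired."""
        entry = self._by_ip.get(ip)
        if entry is None or now - entry[1] > WINDOW:
            return None
        return entry[0]


def allow_ip_only(table, ip, sender, now):
    # Only asks "is anyone logged on at this IP?"; the sender is never checked.
    return table.lookup(ip, now) is not None


def allow_identity_bound(table, ip, sender, now):
    # Uses the returned identity: sender must be the user logged on at this IP.
    return table.lookup(ip, now) == sender


def allow_smtp_auth(authenticated_user, sender):
    # authenticated_user is what SMTP AUTH proved on this very connection.
    return authenticated_user is not None and authenticated_user == sender


def nat_scenario():
    """alice polls POP3 from a NAT address; another host behind it then submits."""
    nat_ip = "203.0.113.7"  # constructed documentation address
    table = WhosonTable()
    table.record_login("alice", nat_ip, at=0)
    return {
        "ip_only_as_bob": allow_ip_only(table, nat_ip, "bob", now=60),
        "bound_as_bob": allow_identity_bound(table, nat_ip, "bob", now=60),
        "bound_as_alice": allow_identity_bound(table, nat_ip, "alice", now=60),
        "auth_as_alice": allow_smtp_auth(None, "alice"),
        "ip_only_expired": allow_ip_only(table, nat_ip, "bob", now=WINDOW + 1),
    }


if __name__ == "__main__":
    print(nat_scenario())
```

In this model `bound_as_alice` stays true: using the identity narrows the sender to the logged-on user, but the table still cannot tell apart hosts that share one NAT address, which only per-connection authentication does.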