Absolute BSD - The Ultimate Guide To FreeBSD (2002).pdf

APOP Setup

APOP uses a challenge-response system. When a user connects to the POP3 server, the server takes the user's known password and computes a challenge based upon it. This challenge is sent to the client. The client takes the challenge, combines it with the password, computes a response, and sends it back to the server. The server, meanwhile, has performed the same calculation and compares the client's response to its own result. If they match, the client has proven that it has the password, and mail download is permitted.

Why go to all this trouble? Because the password itself never passes over the network, which eliminates any chance of password theft by sniffing qpopper sessions. Web browsing, telnet, and so on still give other opportunities for password theft.
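Here is the exchange the paragraphs above describe, as an added example that is not code from the book: a small Python model of an RFC 1939 APOP login. The server's greeting carries a timestamp challenge, the client answers with the MD5 digest of that challenge followed by the password, and the server recomputes the digest from the secret it holds, so only the challenge and the digest cross the wire. The login name, the secret and the hostname are constructed sample values; RFC 1939's own worked example (secret "tanstaaf") is used to check the digest computation.

```python
import hashlib
import hmac
import os
import time

# Constructed sample of the APOP user database: login -> shared secret.
# The server must hold the secret itself, not a one-way hash of it,
# because it has to recompute the client's digest.
APOP_DB = {"alice": "correct horse battery"}


def server_banner(hostname="pop.example.org"):
    """Build the RFC 1939 greeting; hostname is a constructed placeholder.

    The <pid.clock@host> msg-id is the challenge. It is unique per connection,
    so a captured response cannot be replayed against a later session.
    """
    return f"+OK POP3 server ready <{os.getpid()}.{int(time.time())}@{hostname}>"


def extract_challenge(banner):
    """Return the angle-bracketed timestamp from the greeting."""
    start = banner.index("<")
    end = banner.index(">", start)
    return banner[start:end + 1]


def apop_digest(challenge, secret):
    """RFC 1939 APOP digest: lowercase hex MD5 of the challenge followed by the secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def client_apop_command(banner, user, password):
    """What the client sends in place of USER/PASS: the login name and the digest."""
    return f"APOP {user} {apop_digest(extract_challenge(banner), password)}"


def server_verify(banner, command, db=APOP_DB):
    """Server side: recompute the digest from the stored secret and compare.

    Unknown users and malformed commands fail closed; the comparison is
    constant-time so response timing does not reveal how much of the digest matched.
    """
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = db.get(user)
    if secret is None:
        return False
    expected = apop_digest(extract_challenge(banner), secret)
    return hmac.compare_digest(expected, digest.lower())


def run_exchange(user, password):
    """Simulate one connection; returns (banner, client command, accepted)."""
    banner = server_banner()
    command = client_apop_command(banner, user, password)
    return banner, command, server_verify(banner, command)


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse battery"), ("alice", "wrong"), ("mallory", "x")]:
        banner, command, ok = run_exchange(user, pw)
        print(f"S: {banner}\nC: {command}\n-> {'+OK' if ok else '-ERR'}\n")
```

Note what the server needs to do its half of the calculation: the secret in a form it can feed to MD5. That is the reason, explained in the next section, that APOP cannot work from the one-way hashes in /etc/master.passwd.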

APOP Password Database

Since APOP computes a shared secret based on the user's password, qpopper must have access to the user's password. In UNIX, password encryption is a one-way trip; even given the /etc/master.passwd file, you cannot extract the password.[3] APOP therefore requires a separate username and password database. This APOP user database is kept in /usr/local/etc/qpopper/pop.auth.db, and it should only be readable by root.

You administer the APOP user database with qpopauth(8). Before you can do anything, you must initialize the database:

    # qpopauth -init

Once you have a database, you can use qpopauth to manage users.
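A check for the ownership requirement stated above, added here and not part of the book: it reports an APOP database that is not owned by the expected user or that has any group or world permission bits set. The demo runs against a constructed temporary file rather than the real pop.auth.db, and the expected owner is a parameter (root by default) so the check can be exercised without running as root.

```python
import os
import stat
import tempfile

DB_PATH = "/usr/local/etc/qpopper/pop.auth.db"  # path from the text


def db_permission_problems(path, expected_uid=0):
    """List what is wrong with the APOP database's ownership and mode.

    Returns an empty list when the file is a regular file owned by
    expected_uid (root by default) with no group or world permission bits.
    """
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:04o} grants access to group or others")
    return problems


def demo():
    """Check a constructed stand-in file at mode 0644, then at 0600."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed stand-in for pop.auth.db\n")
    try:
        os.chmod(tmp.name, 0o644)
        loose = db_permission_problems(tmp.name, expected_uid=os.getuid())
        os.chmod(tmp.name, 0o600)
        tight = db_permission_problems(tmp.name, expected_uid=os.getuid())
        return loose, tight
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose or "ok")
    print("0600:", tight or "ok")
    # Against the live server you would call db_permission_problems(DB_PATH).
```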

Adding Users

This command adds a user to the database:

    # qpopauth -user username

You'll be prompted for a password. If the user does not exist on the main system, qpopauth will not let you add the user.

Deleting Users

The following command deletes the specified user from the database:

    # qpopauth -delete username

Listing Users

If a user runs the following command, it tells him whether he is in the APOP user database. If root runs this as qpopauth -list ALL, it lists every APOP user:

    # qpopauth -list

Enabling APOP

When you set up APOP, you need to decide whether plain-text POP3 will still be permitted. If you want to allow people to use either plain POP3 or APOP, you need to change the clear-text-password option. (The default lets people use plain-text passwords only if they are not set up as APOP users.)

Use the set clear-text-password option in your qpopper configuration file to require the use of APOP.

    set clear-text-password = always

Supporting APOP

Allowing both APOP and plain POP3 can cause password confusion because the APOP user database and /etc/master.passwd are not synchronized by anything except administrator intervention. When a user calls and says that she can't get her mail, you'll have to find out if she's using APOP or POP3. The user probably won't know, so you'll have to walk her through her mail client to find out, or just change both passwords to a known value. APOP is a better idea all around.

A better idea still is pop3ssl.

Configuring Pop3ssl

The POP3-over-SSL process is similar to the default POP3 protocol. Instead of sending a username, however, the client sends a request for SSL. If your server can grant it, the remaining steps of the process are all encrypted.

All of the performance options are set as if you're running standard POP3. You need to set several configuration options to use pop3ssl, however, as follows.

    set clear-text-password = tls

With this clear-text-password option, you can use clear-text passwords if you're using SSL encryption. A user could use APOP or pop3ssl, but not vanilla POP3.
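To make the clear-text-password semantics concrete, here is an added Python model (not qpopper's code) covering the values this and the previous section use, default, always and tls, plus never, which qpopper also accepts. It parses the `set option = value` lines of the configuration file and decides whether a plain USER/PASS login is acceptable for a user with an APOP entry and for a user who exists only in /etc/master.passwd, with and without an SSL session. It assumes that an APOP login is accepted whenever the user has an entry in the APOP database regardless of this option, and that an unset option behaves as default; the user names alice and bob are constructed.

```python
import re

# One 'set option = value' line of a qpopper configuration file.
SET_LINE = re.compile(r"^\s*set\s+([A-Za-z0-9-]+)\s*=\s*(\S+)\s*$")


def parse_qpopper_config(text):
    """Collect 'set option = value' lines into a dict; text after '#' is a comment."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = SET_LINE.match(line)
        if m:
            options[m.group(1).lower()] = m.group(2)
    return options


def plain_pass_allowed(setting, user_has_apop_entry, session_is_tls):
    """Is a clear-text USER/PASS login acceptable under this clear-text-password value?"""
    setting = setting.lower()
    if setting == "default":
        return not user_has_apop_entry  # plain POP3 only for users outside pop.auth.db
    if setting == "always":
        return True                     # plain passwords accepted from everyone
    if setting == "never":
        return False                    # nobody may send a plain password
    if setting == "tls":
        return session_is_tls           # plain PASS only inside an SSL/TLS session
    raise ValueError(f"unsupported clear-text-password value: {setting!r}")


def login_decision(config_text, user, apop_users, method, session_is_tls):
    """Return 'accepted' or 'rejected' for one login attempt.

    method is 'PASS' (clear-text) or 'APOP'. Assumption: an APOP login is
    accepted whenever the user is in the APOP database, whatever the option says.
    """
    setting = parse_qpopper_config(config_text).get("clear-text-password", "default")
    in_db = user in apop_users
    if method == "APOP":
        return "accepted" if in_db else "rejected"
    if method == "PASS":
        return "accepted" if plain_pass_allowed(setting, in_db, session_is_tls) else "rejected"
    raise ValueError(f"unknown method {method!r}")


def matrix(config_text, apop_users=frozenset({"alice"})):
    """Outcomes for an APOP user (alice) and a plain user (bob), with and without TLS."""
    rows = {}
    for user in ("alice", "bob"):
        for tls in (False, True):
            for method in ("PASS", "APOP"):
                rows[(user, method, tls)] = login_decision(config_text, user, apop_users, method, tls)
    return rows


if __name__ == "__main__":
    for cfg in ("set clear-text-password = default",
                "set clear-text-password = always",
                "set clear-text-password = tls"):
        print(cfg)
        for (user, method, tls), outcome in matrix(cfg).items():
            print(f"  {user:5} {method:4} tls={tls!s:5} -> {outcome}")
```

Reading the table for `tls` shows the point of the section: bob, who has no APOP entry, can still log in, but only after the session is encrypted, while alice keeps APOP as an option either way.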

    set tls-cipher-list = bf,des,des3

These tls-cipher-list settings are the cryptographic ciphers that your system will support. You can get a complete list of ciphers your system supports by running openssl list-cipher-commands. The preceding example supports most email clients.
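The following added example (not from the book) does what a practitioner would want before committing to a tls-cipher-list value: it resolves a cipher string against the OpenSSL the machine actually has, using Python's ssl module, and flags the selected suites that rely on single DES, 3DES, RC4, export grades, NULL encryption, MD5 MACs or anonymous key exchange. It is run over the page's own value and over a modern alternative chosen for contrast; an empty result means the string selected no suites on this build.

```python
import ssl


def ciphers_for(spec):
    """Resolve an OpenSSL cipher string against this host's OpenSSL build.

    Returns the names of the TLS 1.2-and-earlier suites it selects, which are
    the suites a cipher-list setting governs (TLS 1.3 suites are configured
    separately and are left out). An empty list means the string matched
    nothing, so a server using it could not negotiate any of those suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


# Substrings of OpenSSL suite names that mark obsolete or unauthenticated suites:
# 3DES, single DES, RC4, NULL encryption, export grades, MD5 MACs, anonymous DH/ECDH.
LEGACY_MARKERS = ("DES-CBC3", "DES-CBC-", "RC4", "NULL", "EXP-", "-MD5", "ADH-", "AECDH-")


def legacy_suites(names):
    """Return the suites among names that carry one of the legacy markers."""
    return [n for n in names if any(marker in n for marker in LEGACY_MARKERS)]


def report(spec):
    """Summarise a candidate cipher-list value: how many suites it selects and the legacy ones."""
    names = ciphers_for(spec)
    return {"spec": spec, "selected": len(names), "legacy": legacy_suites(names)}


if __name__ == "__main__":
    # The page's own value and a modern alternative, resolved on this machine.
    for spec in ("bf,des,des3", "HIGH:!aNULL:!MD5"):
        print(report(spec))
```

The string format is OpenSSL's, where commas, colons and spaces all separate entries; which names survive depends on how the local libssl was built, which is exactly why the check is worth running on the mail server itself.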

    set tls-server-cert-file = /usr/local/etc/qpopper/server.cert

This tls-server-cert-file setting specifies the location of your signed certificate file. We created a signed server certificate in the previous chapter.

After setting these options, you should be all set to provide pop3ssl services. This is by far the best method, and easy enough to do.

Qpopper Security

Qpopper has a questionable security record, but it has undergone an extensive code audit and is now as secure as any POP3 server daemon. You still need to keep up on security advisories, however, just as you would for any program that transmits user data across the network. Since qpopper runs out of inetd, you can use TCP Wrappers to help secure it.

[3] You can do something called a "brute force attack," where you try to find a text string that has a cryptographic collision with the password. This takes a lot of CPU time and a lot of elapsed time, and is utterly inappropriate for a server protocol.