Tech Journal

QPopper - a secure replacement for the standard POP

A great (and free as in beer) POP3 server from Qualcomm (the people who brought you Eudora) that supports MD5 shadow passwords through PAM (Pluggable Authentication Modules). Available from: http://www.qpopper.org.

Setting up MD5 support:
After extracting the files from the downloaded tarball, run:

./configure --enable-specialauth --with-pam --enable-log-login

The options here are:

--enable-specialauth
allows MD5 and shadow passwords
--with-pam
allows the use of RH Pluggable Authentication Modules (PAM) technology
--enable-log-login
logs successful logins, not only failures (not really that useful, as it will use the tcpd wrappers log anyway)
--enable-shy
conceals the version number (yeah, a little pesky manifestation of "security through obscurity"); optional, and not part of the command above

Now compile and install (make ; cp popper/popper /usr/local/bin ; chmod 700 /usr/local/bin/popper), and add it to /etc/inetd.conf (or replace the old POP3 line with):

pop3  stream tcp        nowait root /usr/sbin/tcpd /usr/local/bin/popper -s

Now, to allow PAM authentication, you need to create a file /etc/pam.d/pop3. That name applies if you called the service "pop3" in /etc/services and in /etc/inetd.conf; otherwise, change the filename to match the service name. The file should look like this:

auth       required     /lib/security/pam_pwdb.so shadow
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
session    required     /lib/security/pam_pwdb.so

Note: Red Hat tends to list the POP3 service as "pop-3". Just changing the name in /etc/services to "pop3" should make everything work.
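
An added example (not from the original page or from the Qpopper project): a small Python check that applies the naming rule described above, where the service name used in /etc/inetd.conf must exist in /etc/services and have a file of the same name under /etc/pam.d, and that the PAM file carries the shadow and md5 options shown above. The function names and the sample file text are assumptions constructed for illustration.

```python
# Added example: consistency check for the inetd/PAM setup above. Sample text is constructed.

def active_fields(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            yield fields

def popper_services(inetd_text, binary="popper"):
    """Service names (column 1 of inetd.conf) whose command line runs `binary`."""
    return [f[0] for f in active_fields(inetd_text)
            if len(f) >= 6 and any(p.rsplit("/", 1)[-1] == binary for p in f[5:])]

def in_services(services_text, name):
    """True if `name` is a service name or alias in /etc/services text."""
    return any(name == f[0] or name in f[2:] for f in active_fields(services_text))

def pam_problems(pam_text):
    """Compare a PAM file with the options the page's file sets on pam_pwdb."""
    rules = [f for f in active_fields(pam_text) if len(f) >= 3]
    def has(kind, opt):
        return any(f[0] == kind and "pam_pwdb" in f[2] and opt in f[3:] for f in rules)
    problems = []
    if not has("auth", "shadow"):
        problems.append("auth line lacks 'shadow'")
    if not has("password", "md5"):
        problems.append("password line lacks 'md5'")
    return problems

def audit(inetd_text, services_text, pam_files):
    """pam_files maps a file name under /etc/pam.d to its text; returns findings."""
    findings = []
    for svc in popper_services(inetd_text):
        if not in_services(services_text, svc):
            findings.append(f"{svc}: not in /etc/services")
        if svc not in pam_files:
            findings.append(f"{svc}: /etc/pam.d/{svc} missing")
        else:
            findings += [f"{svc}: {p}" for p in pam_problems(pam_files[svc])]
    return findings

INETD = "pop3  stream tcp        nowait root /usr/sbin/tcpd /usr/local/bin/popper -s\n"
PAM = ("auth       required     /lib/security/pam_pwdb.so shadow\n"
       "password   required     /lib/security/pam_pwdb.so nullok use_authtok md5 shadow\n")

if __name__ == "__main__":
    print(audit(INETD, "pop-3 110/tcp\n", {"pop-3": PAM}))  # "pop-3" naming mismatch
    print(audit(INETD, "pop3 110/tcp\n", {"pop3": PAM}))    # names agree
```

On a real host, pass in the contents of /etc/inetd.conf, /etc/services and the files under /etc/pam.d instead of the constructed strings.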

Shamelessly stolen from the Pocket-ISP HOWTO

Last updated on 2000-08-08 14:00:00 -0700, by Shalom Craimer
