Red Hat Linux 7 Unleashed

By William Ball

• Table of Contents
  • Copyright
  • About the Lead Authors
  • About the Contributing Authors
  • Acknowledgments
  • Tell Us What You Think!
  • Introduction
  • I. Red Hat Linux Installation and User Services
  • Chapter 1. Introduction to Red Hat Linux
  • Chapter 2. Installation of Your Red Hat System
  • Chapter 3. LILO and Other Boot Managers
  • Chapter 4. Configuring the X Window System, Version 11
  • Chapter 5. Window Managers
  • Chapter 6. Connecting to the Internet
  • Chapter 7. IRC, ICQ, and Chat Clients
  • Chapter 8. Using Multimedia and Graphics Clients
  • II. Configuring Services
  • Chapter 9. System Startup and Shutdown
  • Chapter 10. SMTP and Protocols
    • A Brief History of Internet Email Standards
    • SMTP and sendmail
    • POP
    • IMAP
    • Mail Retrieval
    • Summary
  • Chapter 11. FTP
  • Chapter 12. Apache Server
  • Chapter 13. Internet News
  • Chapter 14. Domain Name Service and Dynamic Host Configuration Protocol
  • Chapter 15. NIS: Network Information Service
  • Chapter 16. NFS: Network Filesystem
  • Chapter 17. Samba
  • III. System Administration and Management
  • Chapter 18. Linux Filesystems, Disks, and Other Devices
  • Chapter 19. Printing with Linux
  • Chapter 20. TCP/IP Network Management
  • Chapter 21. Linux System Administration
  • Chapter 22. Backup and Restore
  • Chapter 23. System Security
  • IV. Red Hat Development and Productivity
  • Chapter 24. Linux C/C++ Programming Tools
  • Chapter 25. Shell Scripting
  • Chapter 26. Automating Tasks
  • Chapter 27. Configuring and Building Kernels
  • Chapter 28. Emulators, Tools, and Window Clients
  • V. Appendixes
  • A. The Linux Documentation Project
  • B. Top Linux Commands and Utilities
  • C. The GNU General Public License
  • D. Red Hat Linux RPM Package Listings

POP

As much as you might love Linux, the reality is that you must contend with other operating systems out there. Even worse, many of them aren't even UNIX-based. Although the Linux community has forgiven the users of other operating systems, there is still a long way to go before complete assimilation happens. In the meantime, the best thing to do is to use tools to tie the two worlds together.

The following sections cover the integration of the most-used application of any network: electronic mail. Because UNIX and other operating systems have very different views of how email should be handled, the Post Office Protocol (POP) was created. This protocol abstracts the details of email to a system-independent level so anyone who writes a POP client can communicate with a POP server.

Configuring a POP Server

The POP server you will configure on the sample system is packaged as part of the freely available IMAP package. (Setting up IMAP is discussed in the next section.) This package was developed at the University of Washington (ftp://ftp.cac.washington.edu/imap). If you want, you can use the Eudora Light email package available from Qualcomm (ftp://ftp.qualcomm.com/eudora/eudoralight/). Like the UW POP package, Eudora Light is available for free. (The Professional version does cost money, however.) Later on in the chapter, I'll show you how to configure your Netscape browser for both POP and IMAP email retrieval.

Red Hat has prepared an RPM of the UW IMAP package. It's available on the CD-ROMs (imap-4.7c2-12.i386.rpm), or you can fetch it from Red Hat's FTP site at ftp://ftp.redhat.com. To install it from the CD-ROMs, simply run

   rpm -i imap-4.7c2-12.i386.rpm

The rpm command then installs three programs (found in /usr/sbin/), imapd, ipop2d, and ipop3d, as well as the manual pages. You will not need to worry about using ipop2d because it implements the earlier POP2 specification. Almost every POP client available these days knows how to talk POP3.

Configuring ipop3d

Most of the ipop3d options are configured at compile time. Therefore, you don't have much of a say in how things are done unless you want to compile the package yourself. If you are interested in pursuing that route, you can fetch the complete package (which is version 4.7 at the time of this writing) from UW's FTP site at ftp://ftp.cac.washington.edu/imap/imap-4.7.tar.z. However, it is highly recommended that you stick with the source RPM that is distributed on your Red Hat CD-ROMs because it contains all the patches and other modifications that Red Hat applied to the original codebase.

Using ipop3d gives you the following capabilities:

• Refusal to retrieve mail for anyone whose UID is root.
• Verbose logging to syslog.
• Support for CRAM-MD5 and APOP for user authentication. For these to be enabled, the file /etc/cram-md5.pwd must exist (see the section on setting up APOP support for details).

To allow ipop3d to start from xinetd, edit the /etc/xinetd/ipop3 file and make sure it contains the following:

service pop3
{
        disable          = no
        socket_type      = stream
        wait             = no
        user             = root
        server           = /usr/sbin/ipop3d
        log_on_success   += USERID
        log_on_failure   += USERID
}

Don't forget to send the HUP signal to xinetd. You can do so by issuing the following command:

   # /etc/init.d/xinet reload

Now you're ready to test the connection. At a command prompt, enter

   $ telnet popserver pop-3

popserver is the name of the machine running the ipop3d program. The pop-3 at the end is what Telnet will reference in your /etc/services file for port 110. You should get a response similar to the following:

+OK POP3 popserver.gonzo.gov v6.50 server ready

This result means that the POP server has responded and is awaiting an instruction. (Typically, this job is transparently done by the client mail reader.) If you want to test the authentication service, try to log in as yourself and see whether the service registers your current email box. For example, to log in as sshah with the password mars1031, enter

   user sshah
+OK User name accepted, password please
pass mars1031
+OK Mailbox open, 90 messages
quit
+OK Sayonara

The first line, user sshah, tells the POP server that the user for whom it will be checking mail is sshah. The response from the server is an acknowledgment that the username sshah is accepted, and that a password is required to access the mailbox. You can then type pass mars1031, where mars1031 is the password for the sshah user. The server acknowledges the correct password and username pair with a statement indicating that 90 messages are currently in user sshah's mail queue. Because you don't want to actually read the mail this way, enter quit to terminate the session. The server sends a sign-off message and drops the connection.

How APOP Works

By default, the POP server sends all passwords in cleartext (not encrypted). If you're security-conscious, using cleartext passwords over your network is obviously a bad idea and tighter control is needed on authentication. This is where APOP support comes in. APOP is a more security-minded way of authenticating users because the passwords are already encrypted before they're sent over the network.

It works like this: The server issues a challenge to a connecting client. The client appends the user's password to the challenge, then encrypts it using MD5—this is called a hash—and sends the hash back to the server. The server then compares the client's response with its own calculated value of the checksum (challenge + user password). If there is a match, the client is then authenticated and logged on to the POP3 server.

As you can see, the advantage of this method is that rather than the plaintext password being transmitted in the clear, all that is transferred is a hash of text that means absolutely nothing to a cracker sniffing the network. If implemented correctly, the probability of the same challenge being issued twice by the server is very small! This stops cold the possibility of a replay attack, whereby the attacker grabs an MD5 hash that has come across the wire and tries to use it to log in to someone else's POP3 account.

Setting Up APOP Authentication

Luckily, ipop3d supports APOP. The APOP username and password information is in the /etc/cram-md5.pwd file. Because this database is kept in a cleartext format, you need to make absolutely sure that it has the permissions 0400 (chmod 0400 /etc/cram-md5.pwd).

When you installed ipop3d, the /etc/cram-md5.pwd database was not created. You will need to create the file with your favorite editor and put some entries in, similar to

# CRAM-MD5 authentication database
# Entries are in form <user><tab><password>
# Lines starting with "#" are comments

fred    rubble
wilma   flintstone
barny   beret
betty   wired

Obviously, putting any plaintext passwords in any file is bad practice—this is one of the downfalls of the ipop3d software. Hopefully, at some point in the future encryption will be added to the APOP database. But in the meantime, you must continue to make sure that the file has the correct permissions. Additionally, it is not recommended that your users use the same password for APOP email access that they use to log in to the server (the password that is specified in /etc/passwd).

Share This