[NTLUG:Discuss] Secure POP
Tom Adelstein
adelste at netscape.net
Thu Jul 31 12:43:01 CDT 2003
richard at multicam.com wrote:
> I need to set up Secure POP for users so that info isn't transported in
> plain text. I need a good tutorial on how to accomplish this. I am
> running pop3s with Outlook clients. pop3s is working fine, but I want to
> get rid of the annoying little message that Outlook complains about
> whenever you open Outlook.
> Basically I need guidance on how to create a certificate that can be
> used on the Outlook client so that we are not prompted by the message
> continually. I have tried several tutorials, but Outlook doesn't want to
> accept my cert.
>
> Richard Humphrey
> System Administrator
> Multicam L.P.
> (972)929-4070
> richard at multicam.com
You can create a certificate server and make sure each Outlook client
uses a certificate to encrypt the mail. But, that would only work inside
your network. Once the mail goes outside, your encryption will fail you.
It's ironic that you would mention this today.
In the Department of Homeland Security Warning, they actually discussed
your issue. See below and at
http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm
Unfortunately, you can't get what you want using Microsoft Outlook.
If you're hooked to Exchange, the system is not RFC compliant and the
POP protocols do not fit RFC 822. The message is created using DCE
modified by Microsoft and the mail provider streams binary data to the
server which in turn converts the binary code to "their" POP format.
If you are using Internet Mail Only mode, then you have an undocumented
API which creates malformed RFC 822 style messages and shoots them over
the Internet.
You want to create a secure logon and keep the message from moving over
SMTP in something other than plain text. Well, so do I.
You could set up a VPN tunnel and connect to a server which encrypts the
messages. But, then, the receiving party would have to be able to
decrypt the message using a key.
Here's what DHS says in the UPDATED warning:
There is a vulnerability in the part of RPC that deals with message
exchange over TCP/IP. The vulnerability results from the handling of
malformed messages. This particular vulnerability affects a Distributed
Component Object Model (DCOM) interface with RPC, which listens on RPC
enabled ports. This interface handles DCOM object activation requests
that are sent by client machines (such as Universal Naming Convention
(UNC) paths) to the server. An attacker who successfully exploited this
vulnerability would be able to run code with local system privileges on
an affected system. The attacker would be able to take any action on the
system, including installing programs, viewing, changing or deleting
data, or creating new accounts with full privileges.
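The certificate problem Richard describes (a client that keeps warning about the pop3s certificate) usually comes down to two checks the mail client performs: the certificate must chain to a CA the client trusts, and the name in the certificate must match the host name the client connects to. The following shell script is an added example, not code from either message in this thread. It assumes the OpenSSL command-line tool is installed; the host name `pop.example.com` and the output directory are placeholders to substitute with the real POP3S server name and a protected location for the keys.

```sh
#!/bin/sh
# Added example (not from the thread): issue a server certificate for a POP3S
# host from a small private CA, so that a mail client which trusts ca.crt
# stops warning about the connection. "pop.example.com" is a placeholder;
# use the exact name users type into their client.
set -eu

# make_ca DIR : create a private CA key and a self-signed CA certificate.
# ca.crt is what gets imported into the clients' trusted root store.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
}

# make_server_cert DIR HOST : key and CSR for HOST, signed by the CA in DIR.
# The subjectAltName must match the host name the client connects to; a
# certificate with the wrong or missing name is what triggers the warning.
make_server_cert() {
    dir=$1; host=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$dir/san.ext"
    openssl x509 -req -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/server.crt" >/dev/null 2>&1
}

# verify_server_cert DIR HOST : the same two checks a client performs,
# chain of trust to ca.crt and host name match. Prints OK when both pass.
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$host" \
        "$dir/server.crt" >/dev/null 2>&1 && echo OK
}

# Usage: sh pop3s-cert.sh /path/to/keydir pop.example.com
if [ -n "${1:-}" ]; then
    mkdir -p "$1"
    make_ca "$1"
    make_server_cert "$1" "${2:-pop.example.com}"
    verify_server_cert "$1" "${2:-pop.example.com}"
fi
```

Install `server.key` and `server.crt` on the POP3S daemon, import `ca.crt` into the clients' trusted root certificate store, and make sure the account's incoming-server setting uses the exact host name placed in the subjectAltName (not an IP address or a short name). To see what the server is actually presenting after the change, `openssl s_client -connect pop.example.com:995 -showcerts` prints the served chain along with the verification result.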