[tpop3d-discuss] Hiding identifying information (was: Make tpop3d not run as root, and send another banner..)
Chris Lightfoot
chris at ex-parrot.com
Fri, 9 Aug 2002 16:33:02 +0100
On Fri, Aug 09, 2002 at 04:24:25PM +0100, Chris Elsworth wrote:
>
> A couple of sacrifices like this are more than acceptable, I think, in
> order to gain increased security. The option is there, if you don't
> use APOP, then you may wish to use it :) I wouldn't say it's a reason
> not to put it in, though.
>
I'm not entirely certain what you want to achieve here. Is it,

    - make tpop3d indistinguishable from other POP3
      servers, so that it is difficult to establish what
      software a machine is running; or

    - make it impossible to establish the email domain
      name associated with a machine?

While I wouldn't quarrel with the desire to do either of
those things -- though they are of perhaps questionable
usefulness -- they are not necessarily best achieved in
the way that you suggest.

In particular,

    - Establishing that a server is tpop3d is probably
      best done by looking at the responses to commands
      (whether snide or not). If you want to make tpop3d
      look like another server, you'll need to alter at
      least the response messages which may get sent
      during the authentication phase.

    - If you don't want to give out your domain name, you
      can just set the domain name which tpop3d sends
      using the listen-address config directive; in the
      CVS version of tpop3d, you can use the `mass virtual
      hosting' option to send one based upon the address
      to which a client connects.

--
``There are those who are troubled 100 percent about the situation in Vietnam.
That goes double for me.'' (Lyndon Baines Johnson)