[tpop3d-discuss] Hiding identifying information (was: Make tpop3d not run as root, and send another banner..)

[Chris Lightfoot]

On Fri, Aug 09, 2002 at 04:24:25PM +0100, Chris Elsworth wrote:
> 
> A couple of sacrifices like this are more than acceptable, I think, in
> order to gain increased security. The option is there, if you don't
> use APOP, then you may wish to use it :) I wouldn't say its a reason
> not to put it in, though.
> 

I'm not entirely certain what you want to achieve here. Is
it,

    - make tpop3d indistinguishable from other POP3
      servers, so that it is difficult to establish what
      software a machine is running; or

    - make it impossible to establish the email domain
      name associated with a machine?

While I wouldn't quarrel with the desire to do either of
those things -- though they are of perhaps questionable
usefulness -- they are not necessarily best achieved in
the way that you suggest.

In particular,

    - Establishing that a server is tpop3d is probably
      best done by looking at the responses to commands
      (whether snide or not). If you want to make tpop3d
      look like another server, you'll need to alter at
      least the response messages which may get sent
      during the authentication phase.

    - If you don't want to give out your domain name, you
      can just set the domain name which tpop3d sends
      using the listen-address config directive; in the
      CVS version of tpop3d, you can use the `mass virtual
      hosting' option to send one based upon the address
      to which a client connects.

-- 
``There are those who are troubled 100 percent about the situation in Vietnam.
  That goes double for me.'' (Lyndon Baines Johnson)