Encrypted Passwords


esc
05-11-2001, 05:20 AM
Hi,

Is there a way to connect to FQ’s mail server without sending clear-text passwords over the net? And can I set this up for Outlook Express?

Erich

Bruce
05-11-2001, 03:29 PM
There are three ways to do this, the first of which is available now.

1. Connect to your site using an SSH client instead of telnet or FTP (which also send the clear-text password). Most good SSH clients allow you to set up a "tunnel" to the server for POP (port 110) through which you can connect and have all your data encrypted. This is probably the most secure option as all your traffic would be encrypted, but requires some reconfiguration on your end to work.

2. It is possible to tunnel POP through SSL encryption, but I'm not sure if Outlook Express supports this (it probably does, but I've never used OE). FutureQuest is not currently set up to accept SSL POP connections. I cannot promise a date, but it should not be too difficult to set this up.

3. Outlook Express likely has support for using CRAM-MD5 to encrypt passwords. FutureQuest does not currently support this and is not likely to support it in the near future. This is also the least secure solution, as all your mail traffic will be sent in the clear, even though your password is encrypted.

I hope this helps.
------------------
Bruce Guenter
FutureQuest
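Added example, not part of Bruce's reply or of anything FutureQuest ships: a small Python script that makes the difference between option 3 and the status quo concrete. It takes a constructed clear-text POP3 session (the kind of thing ngrep shows on a LAN) and pulls the USER/PASS pair out of it, then builds the same login with AUTH CRAM-MD5 (RFC 2195) and shows that the password string never appears on the wire while the retrieved message still does. The hostname, user, password and mail content are made up; the challenge string is the one used as the example in RFC 2195.

```python
"""Clear-text POP3 vs. CRAM-MD5: what a sniffer on the LAN recovers.

Added illustration for the thread above; the sessions, user name and
password below are constructed, not captured from any real server.
"""
import base64
import hashlib
import hmac
import re

USERNAME = "erich"                 # constructed
PASSWORD = "s3cret-customer-pw"    # constructed
MAIL_BODY = "Subject: invoice\r\n\r\nhello\r\n.\r\n"

# The example challenge from RFC 2195, base64-encoded as the server sends it.
CHALLENGE_B64 = base64.b64encode(
    b"<1896.697170952@postoffice.reston.mci.net>").decode()

# A plain POP3 login as Outlook Express does it today: USER then PASS, both clear.
CLEARTEXT_SESSION = (
    "+OK POP3 server ready\r\n"
    f"USER {USERNAME}\r\n"
    "+OK\r\n"
    f"PASS {PASSWORD}\r\n"
    "+OK Logged in.\r\n"
    "RETR 1\r\n"
    "+OK 42 octets\r\n"
    + MAIL_BODY
)


def sniff_cleartext_credentials(session: str):
    """Do what ngrep does: pick USER and PASS out of a captured session."""
    user = re.search(r"^USER (\S+)\r?$", session, re.M)
    pw = re.search(r"^PASS (.+?)\r?$", session, re.M)
    if user and pw:
        return user.group(1), pw.group(1)
    return None


def cram_md5_response(username: str, password: str, challenge_b64: str) -> str:
    """Client side of AUTH CRAM-MD5 (RFC 2195).

    The password is the HMAC-MD5 key over the decoded server challenge; what
    goes on the wire is base64("username hexdigest"), never the password.
    """
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def server_verifies_cram_md5(response_b64: str, challenge_b64: str,
                             stored_password: str) -> bool:
    """Server side: recompute the expected response for the claimed user and
    compare in constant time. The server must hold the plain password (or an
    HMAC-MD5 context derived from it), which is why not every host offers it."""
    username, _digest = base64.b64decode(response_b64).decode().split(" ", 1)
    expected = cram_md5_response(username, stored_password, challenge_b64)
    return hmac.compare_digest(response_b64, expected)


def build_cram_md5_session(username: str, password: str) -> str:
    """The same mailbox fetch, but authenticated with AUTH CRAM-MD5."""
    response = cram_md5_response(username, password, CHALLENGE_B64)
    return (
        "+OK POP3 server ready\r\n"
        "AUTH CRAM-MD5\r\n"
        f"+ {CHALLENGE_B64}\r\n"
        f"{response}\r\n"
        "+OK Logged in.\r\n"
        "RETR 1\r\n"
        "+OK 42 octets\r\n"
        + MAIL_BODY
    )


def password_on_wire(session: str, password: str) -> bool:
    """Would a passive sniffer see the password string itself?"""
    return password in session


def mail_on_wire(session: str) -> bool:
    """Would a passive sniffer see the message content? (Bruce's caveat on option 3.)"""
    return "Subject: invoice" in session


if __name__ == "__main__":
    print("clear-text login leaks:", sniff_cleartext_credentials(CLEARTEXT_SESSION))
    cram = build_cram_md5_session(USERNAME, PASSWORD)
    print("CRAM-MD5 password visible:", password_on_wire(cram, PASSWORD))
    print("CRAM-MD5 mail body visible:", mail_on_wire(cram))
```

Only option 1 hides the mail body as well: with OpenSSH the tunnel is `ssh -L 1100:localhost:110 user@mailhost` (assuming the SSH host and the POP server are the same machine, as Bruce's "connect to your site" implies), after which the mail client is pointed at `localhost` port 1100; SecureCRT's port-forwarding dialog sets up the same local listener.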

esc
05-12-2001, 02:12 AM
Thank you Bruce for your answer. Perhaps I have to explain in more detail, why I’m concerned.

I have a SOHO network here with two NT workstations, one Linux server and one Windows 98 computer for the kids. The Linux server is set up as a masquerading firewall router and runs all the stuff we need for our job. It is attached to a cable connection with the outer interface.

While the firewall is quite dense – I offer no services to the web, have all outer ports closed besides DNS and NTP, and have the latest security patches installed – there are two scenarios that make me shiver: first, that someone breaks into the Linux box and installs a root kit without me noticing this. The second scenario is that my kids, my wife or perhaps I myself get infected by a trojan. In both scenarios it is very easy for the intruder to capture all our passwords and all our customers' passwords, as many applications send them unencrypted over the net, and I can see them myself when using ngrep, as I did lately for checking the HTTP headers in a language negotiation.

I know I should and I will install a more secure setup with an IDS and with Tripwire or something similar, but things take time and I'm no Linux or security expert. So the first thing I thought I can do is to avoid clear-text passwords whenever possible. I have no need for full encryption, as we normally have no secrets in our data or mail, and I'm hopefully not paranoid, but I know I can get a lot of trouble if I lose a customer's password.

I already use SecureCRT for telnet and sometimes for local X but did not know that I can install SSH in a way that makes outgoing connections secure. I will do an online search on that after getting my morning coffee (it’s 7:10 am local time) …

Erich