Securing Pop3

Securing pop3 and pop3s.
In this example is being launched throug inetd:

ocm@achtung:~$ sudo lsof -i | grep -i pop
inetd     1271      root    4u  IPv4   8656      0t0  TCP *:pop3 (LISTEN)
inetd     1271      root    5u  IPv4   8659      0t0  TCP *:pop3s (LISTEN)

Disable inetd launching, you only have to comment the following lines:

ocm@achtung:~$ sudo grep pop /etc/inetd.conf
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/ipop3d
pop3s   stream  tcp     nowait  root    /usr/sbin/tcpd /usr/sbin/ipop3d

Check:

ocm@achtung:~$ sudo service openbsd-inetd restart
 * Restarting internet superserver inetd                                                                       * Not starting internet superserver: no services enabled
ocm@achtung:~$ sudo netstat -ntlp | grep inetd
ocm@achtung:~$

No more services through inetd, so please disable it:

ocm@achtung:~$ sudo update-rc.d -f openbsd-inetd remove
 Removing any system startup links for /etc/init.d/openbsd-inetd ...
   /etc/rc0.d/K20openbsd-inetd
   /etc/rc1.d/K20openbsd-inetd
   /etc/rc2.d/S20openbsd-inetd
   /etc/rc3.d/S20openbsd-inetd
   /etc/rc4.d/S20openbsd-inetd
   /etc/rc5.d/S20openbsd-inetd
   /etc/rc6.d/K20openbsd-inetd
ocm@achtung:~$

Although we want to disable at default, we might want to learn how to limit the available ips to reach it… this could be useful for many services, but pop and mail related depends on many origins which could want to reach that service will be informed or not, so best leave it in this "insecure way" for the moment.