Some security-related suggestions

Michael D'Errico <Mike@software.com> Wed, 08 June 1994 19:12 UTC

Received: from ietf.nri.reston.va.us by IETF.CNRI.Reston.VA.US id aa05466; 8 Jun 94 15:12 EDT
Received: from CNRI.RESTON.VA.US by IETF.CNRI.Reston.VA.US id aa05462; 8 Jun 94 15:12 EDT
Received: from PO2.ANDREW.CMU.EDU by CNRI.Reston.VA.US id aa12322; 8 Jun 94 15:12 EDT
Received: (from postman@localhost) by po2.andrew.cmu.edu (8.6.7/8.6.6) id OAA15747; Wed, 8 Jun 1994 14:41:45 -0400
Received: via switchmail for ietf-pop3+@andrew.cmu.edu; Wed, 8 Jun 1994 14:41:44 -0400 (EDT)
Received: from po3.andrew.cmu.edu via qmail ID </afs/andrew.cmu.edu/service/mailqs/q003/QF.shxV2JO00UdbJOTU5g>; Wed, 8 Jun 1994 14:40:22 -0400 (EDT)
Received: from rome.software.com (rome.software.com [198.17.234.2]) by po3.andrew.cmu.edu (8.6.7/8.6.6) with ESMTP id OAA23161 for <ietf-pop3@andrew.cmu.edu>; Wed, 8 Jun 1994 14:40:14 -0400
Received: from rome (rome.software.com [198.17.234.2]) by rome.software.com with SMTP id AAA7594 for <ietf-pop3@andrew.cmu.edu>; Wed, 8 Jun 1994 11:40:10 -0700
Date: Wed, 8 Jun 1994 11:40:09 -0700 (PDT)
Sender: ietf-archive-request@IETF.CNRI.Reston.VA.US
From: Michael D'Errico <Mike@software.com>
Subject: Some security-related suggestions
To: ietf-pop3@andrew.cmu.edu
Message-ID: <Pine.3.89.9406081146.A7513-0100000@rome>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Although in the past the POP3 spec. has not discussed security
issues, I think it would be a good idea to add a few:

      - The POP3 server should always return +OK to
        the USER command, even if the user is not
        recognized.

      - The POP3 server should limit the number of
        unsuccessful login attempts allowed before
        closing a connection.

      - After a failed authentication attempt, either
        via USER/PASS or APOP, the POP3 server should
        pause for a few seconds.

These precautions make it much more difficult for someone to
guess other users' passwords.

Michael D'Errico
mike@software.com
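The three suggestions in the message above, applied to the AUTHORIZATION state of a POP3 server, as an added illustration that is not part of the original post and not code from any real server. The account table, the limit of three failed attempts, the three-second pause, and the hostname in the APOP banner are all constructed assumptions; the sleep function is injectable so the delay can be observed without actually waiting.

```python
import hashlib
import secrets
import time

# Constructed sample account table (assumption). Plaintext is kept only so
# that APOP, which needs the shared secret on the server side, can be shown.
ACCOUNTS = {"alice": "correct horse", "bob": "hunter2"}

MAX_FAILURES = 3           # assumed cap on failed logins per connection
FAILURE_DELAY_SECONDS = 3  # assumed pause after every failed attempt


class Pop3AuthSession:
    """One client connection in the POP3 AUTHORIZATION state."""

    def __init__(self, sleep=time.sleep):
        self.sleep = sleep          # injectable so tests need not wait
        self.failures = 0
        self.closed = False
        self.authenticated = None
        self.pending_user = None
        # Per-connection APOP timestamp banner (hostname is an assumption).
        self.banner = f"<{secrets.token_hex(8)}.{int(time.time())}@pop.example>"

    def greeting(self):
        return f"+OK POP3 server ready {self.banner}"

    def _fail(self):
        # Suggestion 3: pause after each failed USER/PASS or APOP attempt.
        self.failures += 1
        self.sleep(FAILURE_DELAY_SECONDS)
        # Suggestion 2: cap unsuccessful attempts, then drop the connection.
        if self.failures >= MAX_FAILURES:
            self.closed = True
            return "-ERR too many failed login attempts, closing connection"
        return "-ERR authentication failed"

    def user(self, name):
        # Suggestion 1: always +OK, whether or not the mailbox exists, so the
        # USER reply cannot be used to tell valid names from invalid ones.
        self.pending_user = name
        return "+OK"

    def pass_(self, password):
        name, self.pending_user = self.pending_user, None
        if name is None:
            return "-ERR USER required first"
        expected = ACCOUNTS.get(name)
        if expected is not None and secrets.compare_digest(expected, password):
            self.authenticated = name
            return f"+OK {name} logged in"
        return self._fail()

    def apop(self, name, digest):
        secret = ACCOUNTS.get(name)
        if secret is not None:
            expected = hashlib.md5((self.banner + secret).encode()).hexdigest()
            if secrets.compare_digest(expected, digest.lower()):
                self.authenticated = name
                return f"+OK {name} logged in"
        return self._fail()

    def handle(self, line):
        """Dispatch one client command line; None once the connection is closed."""
        if self.closed:
            return None
        cmd, _, rest = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER" and rest:
            return self.user(rest)
        if cmd == "PASS" and rest:          # PASS argument may contain spaces
            return self.pass_(rest)
        if cmd == "APOP" and " " in rest:
            name, digest = rest.split(" ", 1)
            return self.apop(name, digest)
        if cmd == "QUIT":
            self.closed = True
            return "+OK bye"
        return "-ERR unknown command"       # not counted as a login failure


def run_script(lines, sleep=time.sleep):
    """Feed a scripted client session to a fresh connection; return (session, replies)."""
    session = Pop3AuthSession(sleep=sleep)
    replies = [session.greeting()]
    for line in lines:
        reply = session.handle(line)
        if reply is None:
            break
        replies.append(reply)
        if session.closed:
            break
    return session, replies


if __name__ == "__main__":
    # Constructed session: one unknown user, then repeated wrong passwords.
    script = ["USER ghost", "PASS nope", "USER alice", "PASS wrong",
              "USER alice", "PASS also wrong", "USER alice", "PASS correct horse"]
    _, out = run_script(script, sleep=lambda s: print(f"(server pauses {s}s)"))
    print("\n".join(out))
```

Note that the unknown user "ghost" gets the same "+OK" to USER and the same "-ERR" plus pause on PASS as a real user with a wrong password, and the third failure closes the connection before the correct password is ever tried.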