How to live with existing passwords

• Full session encryption (ssh/ssl)

• POP/IMAP over SSH (via fetchmail):

• poll localhost port 12345 with protocol POP3

• user yourremotelogin with pass yourremotepasswd is yourlocallogin here

• preconnect "ssh -f -P -L 12345:pop.domain.tld:110 shellbox.domain.tld sleep 20 </dev/null >/dev/null"

• mda "/usr/sbin/sendmail -oem -f %F %T"

• fetchall

• POP SSL/IMAP SSL (in inetd.conf):

• pop3s stream tcp nowait sslwrap /usr/sbin/tcpd /usr/local/sbin/sslwrap

• -cert /usr/local/ssl/certs/server.pem -port 110

• imaps stream tcp nowait nobody /usr/sbin/tcpd /usr/local/sbin/sslwrap -cert /usr/local/ssl/certs/server.pem -port 143

• Force different passwords for insecure services (pop/ftp)

• <Anonymous ~ftp/pub/private/>

• AuthAliasOnly on

• RequireValidShell off

• User ftp

• Group nogroup

• UserPassword user1 nKLHU8VoDeuSU # foo

• UserPassword user2 tpxLIVgNx4jnM # bar

• UserAlias user1 ftp

• UserAlias user2 ftp

• MaxClients 20 "Sorry, max %m users -- try again later"

• # Limit WRITE everywhere in the anonymous chroot

• <Directory *>

• <Limit WRITE>

• DenyAll

• </Limit>

• </Directory>

• TransferLog /var/log/xferlog.media

• ExtendedLog /var/log/xferlog.media.ext all

• </Anonymous>