[techtalk] POP mail security

Laurel Fan lf25+ at andrew.cmu.edu
Sat Jan 8 03:34:28 EST 2000


Excerpts from linuxchix: 8-Jan-100 Re: [techtalk] POP mail sec.. by
"Jenn V."@simegen.com 
> Presumably, since I /think/ the original requester wrote saying 'I looked
> there', she didn't.

Well, the original requester didn't say anything about having looked
anywhere.  Note that the original requester was Subba Rao, and the
person who replied to my mail, and who I replied to was Linda Walsh (who
did mention something about reading manpages).  I assumed they aren't
the same person.  If you are, stop posting under 2 different names, its
confusing :)
  
> When I'm doing what you seemed to intend to do, I cut the relevent bit from
> the man page and say 'I found this in man XYZ'. That both gives the answer,
> and provides a further-reading hint.
>  
> Note also that her installation may not include the same man pages that
> yours does.

True, but she said she was using fetchmail, and I assume that her
fetchmail package installed a manpage.  I've used only one distribution
that doesn't include manpages, Linux Router Project, and that's really
not-for-newbies (and anyone who uses LRP probably knows where to find
manpages on the web or on a second computer anyway).  If you in fact
don't have one:
  http://www.tuxedo.org/~esr/fetchmail/fetchmail-man.html
 
> Note the 'and reading' bit. You and I can look at the exact same file and
> receive different information from it. It never hurts to clip the portion
> of information that included the answer.

I did say to search for secure and told her how to do so in case she
didn't know how and didnt feel like reading the manpage for more.  I
figured the mail was already long enough, and the information wasn't
really useful without the rest of the manpage anyway, but here it is if
you want it:

       -p, --protocol 
              (Keyword:  proto[col])  Specify the protocol to use
              when communicating with the remote mailserver.   If
              no  protocol  is  specified,  the  default is AUTO.
              proto may be one of the following:
...
              APOP   Use POP3 with MD5 authentication.
...
 
       RFC1460  introduced  APOP authentication.  In this variant
       of POP3, you register an APOP password on your server host
       (the  program  to  do  this with on the server is probably
       called popauth(8)).  You put the  same  password  in  your
       .fetchmailrc  file.  Each time fetchmail logs in, it sends
       a cryptographically secure hash of your password  and  the
       server greeting time to the server, which can verify it by
       checking its authorization database.
  
> The list also specifically says not to tell people to RTFM. I appreciate
> that that was not your intention, but I recall glancing at your answer and
> thinking 'uh, that's perilously close to a blunt RTFM. 

Hm.  I don't read the no-RTFM rule as "don't give people manpages to
read"; I thought it was because a simple "RTFM" is not helpful, whereas
"The answer is in x manpage, I found it by searching for x keyword, and
it's also in x faq, here's how i found it and here's the url" is helpful.

> A newbie is going to
> be put off and upset by that one'.

Well, it's difficult to tell how much a person knows.  What might be
insulting to one person may be totally new information to another.  For
example, I remember asking something like "What's the command that does
x?" and receiving the answer "Apropos it yourself," which was probably
intended to be rude, but was actually very helpful, since I didn't know
about the apropos command.  And so I don't get yelled at, here is the
relevant bit of the apropos manpage: ;)

       Each manual page has a short description available  within
       it.   apropos  searches  the descriptions for instances of
       keyword.

I try not to overestimate or underestimate the knowledge or experience
of an asker, but sometimes it's difficult to tell, and I generally go by
the rule "if they knew how to do this, they would have found the answer
in 10 minutes and wouldn't be asking".  

I think you probably found my reply insulting because you know perfectly
well what the man command is and that man is short for manual, and how
to use more, and what the LDP and OSWG are, wheras a newbie might go
"huh? what's this man thing? i thought this list was for women! and how
do you remember all of these urls?".  

I'll try to explain why I wrote what I wrote:
. What man is and how to use it
A newbie might not know about man.  If so, she might not know what man
stands for, or how to use the command.  If she doesn't know how to use
it, the usage string would probably be quite cryptic, and she obviously
wouldn't be able to read the man manpage.

. How to search in man
This is non-obvious. It's not even clear where to look for this
information.  The man manpage doesn't say how to search within a
document, because that's taken care of by the pager.  For someone who is
not familiar with the unix, it is not intuitive that man would use an
external program as a pager, and not obvious that it uses more.  

. LDP and OSWG 
Not everyone knows about these, and they have a lot of useful information.

. Finding a project web page with freshmeat
The project web page usually has an FAQ, which can help a lot if your
question is a FAQ.  Using freshmeat to find it is a real time saver
compared to search engines, and not everyone knows that freshmeat has
links to project web pages.

If the asker does know how to do all of this, and is insulted, I'm
sorry, but I'm glad you're insulted because you just wasted my time.

> A way to do the same thing, but present it better, is to pass on the
> information and /then/ say 'here's how I found it'.

Yeah, I guess.  I just sort of figured she could scroll past the stuff
and just go for the urls if she wanted.  I wrote it while doing it (I
didn't have the information before I looked for it), and I was on my out
so I didn't feel like editing it :)

Hm.. an even better way to present it would be in an xml document with
the information and 'here's how I found it' marked up as that.  But I
don't think the linux-help dtd has been written yet, and anyway, someone
would probably yell at me for sending html to the list.  Ignore me, I'm
on an xml kick.. 

************
techtalk at linuxchix.org   http://www.linuxchix.org




More information about the Techtalk mailing list