Try to change the port for pop3 to some weird port, and specify that port in your gmail account for fetching; it's not foolproof but it might work for you.
Kapil Jain
Sent from my iPad
On 02-May-2011, at 5:30 PM, freebsd-security-request@freebsd.org wrote:
> Send freebsd-security mailing list submissions to
> freebsd-security@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> or, via email, send a message with subject or body 'help' to
> freebsd-security-request@freebsd.org
>
> You can reach the person managing the list at
> freebsd-security-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-security digest..."
>
>
> Today's Topics:
>
> 1. limiting pop access to gmail servers ? (George Sanders)
> 2. Re: limiting pop access to gmail servers ? (Patrick Proniewski)
> 3. Re: limiting pop access to gmail servers ? (Gleb Kurtsou)
> 4. Re: limiting pop access to gmail servers ? (cronfy)
> 5. Re: limiting pop access to gmail servers ?
> (freebsd-lists@albury.net.au)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 1 May 2011 15:55:25 -0700 (PDT)
> From: George Sanders <gosand1982@yahoo.com>
> Subject: limiting pop access to gmail servers ?
> To: freebsd-security@freebsd.org
> Message-ID: <349555.87646.qm@web120019.mail.ne1.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
>
>
> We run our own (freebsd) mail server. It's a pretty classic, old fashioned
> /var/mail/username setup.
>
> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...
>
> Is there an authoritative list ?
>
> Anyone else blocking POP access to everyone BUT google ?
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 2 May 2011 08:18:30 +0200
> From: Patrick Proniewski <patpro@patpro.net>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <3FF47F45-A59F-4542-A65E-6069300D9224@patpro.net>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello,
>
> On 02 May 2011, at 00:55, George Sanders wrote:
>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>
> You are right about that. According to my pop logs, my servers have encountered about 1000 different IPs from google (920 actually).
> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
> By the way, I'm in Europe, I'm not sure USA, Australia or Japan would see the same gmail POP clients.
>
>> Is there an authoritative list ?
>
> I don't know.
>
>> Anyone else blocking POP access to everyone BUT google ?
>
> I don't.
>
> patpro
>
> ------------------------------
>
> Message: 3
> Date: Mon, 2 May 2011 12:42:04 +0600
> From: Gleb Kurtsou <gleb.kurtsou@gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <BANLkTikgQM=-d41dCCDPpO-xBHOOy+CEbw@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> On Mon, May 2, 2011 at 4:55 AM, George Sanders <gosand1982@yahoo.com> wrote:
>>
>>
>> We run our own (freebsd) mail server. It's a pretty classic, old fashioned
>> /var/mail/username setup.
>>
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>>
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>>
>> Is there an authoritative list ?
>>
>> Anyone else blocking POP access to everyone BUT google ?
>
> Didn't try it myself, just a wild guess. Hopefully google pop clients
> use real ssl certificates signed by google to authenticate. Mutual ssl
> authentication is hardly ever used, but still.
>
> Set up pop over ssl and check for google certificates instead.
>
> Gleb.
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 2 May 2011 10:41:59 +0400
> From: cronfy <cronfy@gmail.com>
> Subject: Re: limiting pop access to gmail servers ?
> To: freebsd-security@freebsd.org, gosand1982@yahoo.com
> Message-ID: <BANLkTikEoddderju8un4jRouVWDBvPPZ8g@mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hi,
>
>>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>>> from us ...
>>
>> You are right about that. According to my pop logs, my servers have
>> encountered about 1000 different IPs from google (920 actually).
>> Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
>> By the way, I'm in Europe, I'm not sure USA, Australia or Japan would see
>> the same gmail POP clients.
>>
>
>
> You can make active checks for incoming connections. If reverse DNS record
> is valid (ip -> resolves to name -> resolves to same ip) and it matches
> '.*google.com$' regexp, then it is Google.
>
>
> --
> Олег Петрачев
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 2 May 2011 17:23:07 +1000 (EST)
> From: freebsd-lists@albury.net.au
> Subject: Re: limiting pop access to gmail servers ?
> To: George Sanders <gosand1982@yahoo.com>
> Cc: freebsd-security@freebsd.org
> Message-ID: <20110502171811.Y39066@ali-syd-1.albury.net.au>
> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
>
>
>
>> We have enabled POP so that certain people can pop their mail from us, and use
>> gmail as their mail client.
>>
>> However, we have no other POP users ... and I don't want POP open to the whole
>> world ...
>>
>> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
>> from us ...
>
>
> While not a "strong" solution, out-of-the box, I'd suggest in
> /etc/hosts.allow (probably after the "paranoid" line to make inetd check
> fwd/reverse match)
>
> ALL : PARANOID : RFC931 20 : deny
>
> assuming you use qpopper (change as required)
>
> qpopper : .google.com : allow
> qpopper : x.x.x.0/255.255.255.0 : allow (your directly-connected users)
> qpopper : all : deny
>
>
> RossW
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
> End of freebsd-security Digest, Vol 371, Issue 1
> ************************************************
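
The active check described in Message 4 (ip -> name -> same ip), as an added Python example that is not part of the original thread. The lookup functions are injectable, the sample records are constructed (documentation address ranges, hypothetical hostname), and the suffix is matched on a label boundary because a bare '.*google.com$' pattern would also accept a name such as notgoogle.com.

```python
import ipaddress
import socket

ALLOWED_SUFFIX = ".google.com"  # suffix from the thread; the leading dot is deliberate


def _ptr_lookup(ip):
    """Real DNS: return the PTR name for ip, or None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def _forward_lookup(name):
    """Real DNS: return the set of A/AAAA addresses for name."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except OSError:
        return set()


def is_confirmed_google(ip, ptr=_ptr_lookup, forward=_forward_lookup):
    """Forward-confirmed reverse DNS: ip -> name -> must resolve back to ip."""
    name = ptr(ip)
    if not name:
        return False
    name = name.rstrip(".").lower()
    if not name.endswith(ALLOWED_SUFFIX):
        return False
    client = ipaddress.ip_address(ip)
    # The PTR record is set by whoever controls the address block, so the name
    # only counts if the google.com zone itself maps it back to this address.
    return any(ipaddress.ip_address(a.split("%")[0]) == client
               for a in forward(name))


# Constructed sample records, not taken from real DNS.
SAMPLE_PTR = {
    "192.0.2.10": "mail-ab1-c23.google.com.",
    "198.51.100.7": "mail-ab1-c23.google.com",  # PTR claims Google, A record disagrees
    "203.0.113.5": "pop.notgoogle.com",         # matches an unanchored regex only
}
SAMPLE_A = {
    "mail-ab1-c23.google.com": {"192.0.2.10"},
    "pop.notgoogle.com": {"203.0.113.5"},
}


def check_sample(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return is_confirmed_google(ip, SAMPLE_PTR.get, lambda n: SAMPLE_A.get(n, set()))
```

Calling is_confirmed_google(ip) with the default arguments performs live lookups; the result is only as trustworthy as the resolver the mail server uses.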