LinuxQuestions.org
Old 11-04-2004, 09:39 AM   #1
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Rep: Reputation: 30
SSL over POP on qmail


I have found plenty of sites on how to enable SSL over imap for qmail. Can anyone recommend sites for SSL over POP3?


Thanks

Justyn
 
Old 11-04-2004, 10:54 AM   #2
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
I don't know of any howtos for this, but I can tell you how to do it....

(1) Upgrade your stunnel package to v4.

(2) Create a config file for stunnel. (replace my.domain.com with yours... this also assumes you're running vpopmail... if not, just change that vpopmail line to whatever yours happens to be)

Code:
# Write the stunnel config next to the certificate
cd /var/qmail/control
cat > pop3s.conf <<EOF
cert = /var/qmail/control/servercert.pem
exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup my.domain.com /home/vpopmail/bin/vchkpw /var/qmail/bin/qmail-pop3d Maildir
EOF

(3) create servercert.pem (or construct your own cert)

Code:
# Self-signed cert; -nodes leaves the key unencrypted, and key and cert share one file
openssl req -new -x509 -nodes -out servercert.pem -days 366 -keyout servercert.pem

(4) Change your qmail-pop3d/run file

Code:
#!/bin/sh
# tcpserver listens on 995 and hands each connection to stunnel
exec /usr/local/bin/softlimit -m 7000000 \
/usr/local/bin/tcpserver -H -R -v -l 0 -c100 0 995 \
/usr/sbin/stunnel /var/qmail/control/pop3s.conf 2>&1

That's it! Restart qmail and test.
 
1 members found this post helpful.
Old 11-04-2004, 11:00 AM   #3
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
What do I name the config file for stunnel as and where do I put it?
 
Old 11-04-2004, 11:10 AM   #4
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
If you follow my commands... the first line of code is cd /var/qmail/control. This is where your cert goes and where the stunnel conf file goes. The file is named pop3s.conf.
 
Old 11-04-2004, 11:59 AM   #5
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
Nada. If I nmap my localhost I see pop3s running on port 995. However both Thunderbird and OE say they cannot connect. Is there another step I'm missing? I'm a complete newbie when it comes to SSL so please bear with me.
 
Old 11-04-2004, 12:13 PM   #6
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
Well, you need to tell your email client to point to 995 instead of the usual port 110. While you're in there, you'll also need to tell it to use SSL.

You can test your pop3s connection at the prompt using...

openssl s_client -connect 127.0.0.1:995

It sounds like it's running on your machine but you're just having trouble connecting to it from the outside.
 
Old 11-04-2004, 03:04 PM   #7
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
machine attempts to use 995. I made sure of that part :P
 
Old 11-04-2004, 03:30 PM   #8
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
One thing... You may want to be sure the permissions on the certificate are read only by the owner and no other permissions.... I think the owner and group should be root/root. I know that was a problem for me. Once I got the perms correct, it started working fine.

Hold on a minute... I just realized something... I have a separate supervise for my secure stuff. I copied /var/qmail/supervise/qmail-pop3d and made /var/qmail/supervise/qmail-pop3ds for the secure version. The run file we created in that earlier post goes under there. This way, I still have normal pop3 running on port 110 so it doesn't interfere with the one running on 995.

I also have /var/log/qmail/qmail-pop3ds directory so it logs to there. That also means I have /var/qmail/supervise/qmail-pop3ds/log/run file that is identical in permission and content as the normal qmail-pop3d. That way, I have separate logging for the secure version too.

Maybe that's what you need to do on yours.

Sorry for not being more clear about all that.
 
Old 11-23-2004, 11:32 AM   #9
kemplej
Member
 
Registered: Dec 2003
Posts: 235

Original Poster
Rep: Reputation: 30
It sorta works now. It sees the cert. However it's complaining about file permissions on the cert. And I have put root/root as owner/group
 
Old 11-23-2004, 02:35 PM   #10
Donboy
Member
 
Registered: Aug 2003
Location: Little Rock, Arkansas
Distribution: RH, Fedora, Suse, AIX
Posts: 736

Rep: Reputation: 31
You want the permissions to be read only for just the owner... in this case root.

If you're running vpopmail, the permissions are the same, but you probably want vpopmail/vchkpw as the user/group.
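
Added example (not part of the thread and not any poster's code): a shell audit of the permission advice in posts #8 and #10, resolving the PEM path from the stunnel config's cert line. The function names are hypothetical; it assumes GNU stat and that it is run by the file's owner or root so the PEM can be read.

```shell
#!/bin/sh
# Audit the PEM file that an stunnel config's "cert =" line points to.
# Checks follow the thread: owned by the expected user, mode 400 (read-only
# for the owner, nothing for group/other), and, because the openssl command
# in post #2 writes key and certificate into one file, both blocks present.

# Print the path from the first "cert = ..." line of an stunnel config.
conf_cert_path() {
    sed -n 's/^[[:space:]]*cert[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# audit_pem FILE OWNER -> 0 ok, 1 missing, 2 wrong owner, 3 wrong mode,
#                         4 no private key, 5 no certificate
audit_pem() {
    pem=$1; want_owner=$2
    [ -f "$pem" ] || { echo "missing: $pem" >&2; return 1; }
    owner=$(stat -c '%U' "$pem")   # GNU stat syntax (assumption: Linux host)
    mode=$(stat -c '%a' "$pem")
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, want $want_owner" >&2; return 2; }
    [ "$mode" = "400" ] || { echo "mode is $mode, want 400" >&2; return 3; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" || { echo "no private key in $pem" >&2; return 4; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" || { echo "no certificate in $pem" >&2; return 5; }
    return 0
}

# audit_conf CONF OWNER: resolve the cert path from CONF, then audit it.
audit_conf() {
    path=$(conf_cert_path "$1")
    [ -n "$path" ] || { echo "no cert line in $1" >&2; return 1; }
    audit_pem "$path" "$2"
}

# Example call: audit_conf /var/qmail/control/pop3s.conf root
```

Pass vpopmail instead of root as the second argument when the file is owned as described in post #10.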
 
Old 03-13-2013, 07:57 AM   #11
bodmas79
LQ Newbie
 
Registered: Apr 2010
Posts: 4

Rep: Reputation: 0
Thanks for saving me

Dear Friend, Thanks for saving my time. Wish you good luck. Give us such things more and more.
 
  


All times are GMT -5. The time now is 04:22 PM.
