llu wrote:
> 
> [EMAIL PROTECTED] wrote:
> >
> > I'm using qmail 1.0.3 with the included qmail-pop3d.
> >
> > What's the best way on the server side to prevent passwords from being
> > sent as clear text over the network for a pop3 session?  I know users
> > will be reluctant to change their mua's. So what can I do on my side?
> > Is there any way around this without expecting anything from the pop
> > users?
> I use stunnel which doesn't require changes on qmail.
> Check this: http://security.fi.infn.it/tools/stunnel/index-en.html.
> 
> I can share my configuration to anyone interested.
> 
> LLU

I have been using stunnel to add SSL capability to qmail-pop3d without
making any changes to the latter. We know that qmail-pop3d listens on
port 110. There is port 995, which is for POP3 with SSL. I configured
stunnel to listen on port 995 accepting requests from SSL-capable POP3
clients (I tested with Outlook 2000 and Mozilla M15/Linux), decrypt the
request and hand it over to qmail-pop3d running on the same host at port
110. I also use tcpserver for both qmail-pop3d and stunnel and have them
supervised (svscan).

1. qmail-pop3d startup script (/var/qmail/supervise/qmail-pop3d/run):

#!/bin/sh

# Cleartext POP3 on port 110 (tcpserver host 0 = every interface), so that
# clients which do not speak SSL keep working unchanged. The 2>&1 belongs
# to the same command line, so it must follow the last continuation line.
exec env - PATH="/var/qmail/bin:$PATH" \
        tcpserver 0 110 /var/qmail/bin/qmail-popup your.host.name.com \
                /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir 2>&1


2. stunnel startup script (/var/qmail/supervise/stunnel/run):

#!/bin/sh

# tcpserver needs its host and port arguments (0 995) before the program
# it runs. It does the listening on 995 itself and starts one stunnel per
# connection, so stunnel runs in inetd mode (no -d): it decrypts the
# connection on stdin/stdout and forwards it to qmail-pop3d on port 110.
exec env - PATH="/usr/local/sbin:$PATH" \
 tcpserver -c100 -H -llocalhost.your.domain.com 0 995 \
 stunnel -r localhost:110

That's it.

But you need to build openssl and stunnel as follows:

3. openssl 0.9.5a (www.openssl.org) 

./config
make
make test
make install

This installs openssl at /usr/local/ssl

4. stunnel-3.8 (http://mike.daewoo.com.pl/computer/stunnel)

./configure
make
make install
cp stunnel.pem /usr/local/ssl/certs
/usr/local/ssl/bin/c_rehash   # Important!

This installs stunnel at /usr/local/sbin and creates stunnel.pem, which
you must copy to /usr/local/ssl/certs as above (note: use this
stunnel.pem just for testing; you must create your own certificate and
possibly have it signed by a CA (such as Verisign)). You can also create
and sign your own certificate using openssl.

I did the above on both RedHat 6.2 and Solaris 8 Intel (requires correct
PATH and LD_LIBRARY_PATH).

Hope this helps. I would like to know of any improvements or criticisms.

LLU
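
The stunnel step above, as an added example that is not from the post or from stunnel itself: a small Python forwarder that does the same job, accepting TLS on port 995 with the stunnel.pem path from the post and relaying the decrypted session to qmail-pop3d on localhost:110. The function and variable names, the 127.0.0.1 address for the backend and the sample POP3 lines in relay_selftest() are my assumptions, not anything the post states.

```python
import selectors, socket, ssl, threading

CERT = "/usr/local/ssl/certs/stunnel.pem"  # cert+key path used in the post
LISTEN = ("0.0.0.0", 995)                  # POP3 over SSL, as in the post
BACKEND = ("127.0.0.1", 110)               # qmail-pop3d, cleartext, same host (assumed)

def relay(a, b, bufsize=4096):
    """Copy bytes both ways between a and b until one side sends EOF."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, data=b)  # data = the peer socket
    sel.register(b, selectors.EVENT_READ, data=a)
    while True:
        for key, _ in sel.select():
            chunk = key.fileobj.recv(bufsize)
            if not chunk:                 # EOF on either side ends the session
                return
            key.data.sendall(chunk)

def session(conn, ctx):
    """One client: TLS handshake, cleartext leg to qmail-pop3d, then relay."""
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls, \
                socket.create_connection(BACKEND) as upstream:
            relay(tls, upstream)
    except OSError:                       # ssl.SSLError is an OSError too
        conn.close()                      # handshake failed or pop3d is down

def serve(listen=LISTEN, certfile=CERT):
    """Accept on 995 and run each client in its own thread (cf. tcpserver)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)         # server certificate and private key
    with socket.create_server(listen, backlog=100) as raw:
        while True:
            conn, _ = raw.accept()
            threading.Thread(target=session, args=(conn, ctx), daemon=True).start()

def relay_selftest():
    """relay() over socketpairs standing in for the decrypted client leg and
    for qmail-pop3d; returns (what pop3d saw, what the client saw)."""
    client, a = socket.socketpair()
    b, server = socket.socketpair()
    t = threading.Thread(target=relay, args=(a, b))
    t.start()
    client.sendall(b"USER alice\r\n")     # constructed sample POP3 command
    got_cmd = server.recv(64)
    server.sendall(b"+OK\r\n")            # constructed pop3d reply
    got_reply = client.recv(64)
    client.close()                        # client hangs up, relay returns
    t.join()
    return got_cmd, got_reply
```

Whether stunnel or this forwarder sits in front, qmail-pop3d itself still speaks cleartext on port 110, which the run script above keeps open on every interface (tcpserver host 0) for clients without SSL; if that is not wanted, tcpserver 127.0.0.1 110 keeps the unencrypted service reachable only from the wrapper on the same host.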
