Hello,
I've spent the past few days learning about securing popper, and I'd like
to use qpopper 4's SSL support to connect with Outlook, Outlook Express, or
Netscape.
I followed the instructions in the FAQ and qpopper.pdf on how to create a
dummy test CA, a key pair and certificate for the server, and have that CA
certify the server's certificate. When launching popper in stand-alone
mode, no process listens on port 995.
1. Compile OpenSSL, create a dummy CA, create a pair of keys and a
certificate for the server, and certify its certificate:
# Where to save files
mkdir -p -m665 /etc/mail/pop/certs
chown root:mail /etc/mail/pop/certs
chmod 660 /etc/mail/pop/certs
# Create public/private keys for server
openssl req -new -nodes -out /etc/mail/pop/certs/req.pem \
    -keyout /etc/mail/pop/certs/cert.pem
chmod 600 /etc/mail/pop/certs/cert.pem
chown root:0 /etc/mail/pop/certs/cert.pem
# Create dummy CA, and certify server's certificate
openssl genrsa -des3 -out /etc/mail/pop/certs/ca.key 1024
openssl req -new -x509 -days 365 -key /etc/mail/pop/certs/ca.key \
    -out /etc/mail/pop/certs/ca.crt
openssl x509 -req -CA /etc/mail/pop/certs/ca.crt -CAkey /etc/mail/pop/certs/ca.key \
    -days 365 -in /etc/mail/pop/certs/req.pem \
    -out /etc/mail/pop/certs/signed-req.pem -CAcreateserial
cat /etc/mail/pop/certs/signed-req.pem >> /etc/mail/pop/certs/cert.pem
------------------------ STAND-ALONE MODE
2. Compile qpopper for SSL + APOP + stand-alone mode
./configure --enable-shy --enable-specialauth --enable-apop \
    --enable-standalone --with-openssl --with-gdbm
3. Launch qpopper in stand-alone mode with a basic configuration file:
set tls-support = stls
set tls-server-cert-file = /etc/mail/pop/certs/cert.pem
./popper -f ./qpopper.config
=> No process listening on port 995!
------------------------ XINETD MODE
Just to check if this was due to popper running in stand-alone mode, I left
/etc/services as is (pop3s already included by RH), copy/pasted
/etc/xinetd.d/pop3 as pop3s, and ran killall -HUP xinetd:
1. ./configure --enable-shy --enable-specialauth --enable-apop \
       --enable-standalone --with-openssl --with-gdbm
2. service pop3s
   {
       socket_type = stream
       protocol    = tcp
       wait        = no
       user        = root
       server      = /usr/sbin/popper
       server_args = qpopper -l 1
       port        = 995
   }
... where -l 1 is supposed to allow SSL. netstat -tuplan says still nothing
on port 995.
3. Create a dummy user account in /etc/passwd + shadow (i.e. no APOP
account), and connect with OExpress 5 (Log on using SPA is off, POP3/This
server requires a secure connection is on):
Linux=
May 9 14:41:55 linuxff popper[6022]: Error setting certificate PEM file
May 9 14:41:55 linuxff popper[6022]: ...SSL error: error:0200100E:system library:fopen:Bad address
May 9 14:41:55 linuxff popper[6022]: ...SSL error: error:20074002:BIO routines:FILE_CTRL:system lib
May 9 14:41:55 linuxff popper[6022]: ...SSL error: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May 9 14:41:55 linuxff popper[6022]: Failed initializing TLS/SSL
May 9 14:41:55 linuxff popper[6023]: Error setting certificate PEM file
May 9 14:41:55 linuxff popper[6023]: ...SSL error: error:0200100E:system library:fopen:Bad address
May 9 14:41:55 linuxff popper[6023]: ...SSL error: error:20074002:BIO routines:FILE_CTRL:system lib
May 9 14:41:55 linuxff popper[6023]: ...SSL error: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
May 9 14:41:55 linuxff popper[6023]: Failed initializing TLS/SSL
OE=
"Your server has unexpectedly terminated the connection."
4. Moved /etc/mail/pop/certs/cert.pem to /usr/local/ssl/certs, just in
case, with no change.
Could any kind soul explain where I'm wrong?
Thx for any tip
FF.
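Editor's note, with an added example that is not code from the post above nor from the qpopper project: this is how I would script the certificate step and the checks worth running before the daemon is ever started, going a little beyond the post by giving the CA cert CA:TRUE, the server cert a serverAuth EKU and a subjectAltName, and checking that the key actually matches the certificate. Two observations on the post itself: `chmod 660` on a directory clears the search (x) bit, so no non-root process can open anything beneath it; and `fopen: Bad address` is EFAULT, the error for an invalid path pointer rather than for a missing or unreadable file, which is consistent with the xinetd run (no `-f` config file) having no certificate path set at all. From my reading of the qpopper 4 documentation, and not something the post verifies, `tls-support = stls` (and `-l 1`) enables STLS on the normal POP3 port, whereas a dedicated TLS listener on 995 corresponds to `alternate-port`. The directory, the hostname `pop.example.test` and the file names below are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from qpopper): build a
# throw-away CA, issue a server certificate signed by it, write the combined
# cert+key file that tls-server-cert-file would point at, and check the result.
# Directory, hostname and file names are assumptions for illustration.
set -eu

# make_pop_certs DIR [CN]: creates ca.crt/ca.key, server.crt/server.key and
# the combined cert.pem under DIR. Returns 0 on success, 2 if openssl is missing.
make_pop_certs() {
    dir=$1
    POP_CN=${2:-pop.example.test}   # assumed server hostname, used for CN and SAN
    export POP_CN                   # referenced from the config as ${ENV::POP_CN}

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }

    # 0750, not 660: a directory needs the search (x) bit or a non-root
    # process cannot open any file beneath it.
    mkdir -p "$dir"
    chmod 0750 "$dir"

    # Self-contained OpenSSL config so the result does not depend on the
    # system openssl.cnf: CA gets CA:TRUE, the server cert CA:FALSE + serverAuth.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${ENV::POP_CN}
EOF

    # Dummy CA, self-signed; the key is left unencrypted (-nodes) so this runs
    # non-interactively. A real CA key would be passphrase-protected as in the post.
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$dir/openssl.cnf" -extensions ca_ext -subj "/CN=Test POP CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Server key and certificate request
    openssl req -new -nodes -newkey rsa:2048 -sha256 \
        -config "$dir/openssl.cnf" -subj "/CN=$POP_CN" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # The CA signs the request, adding the server extensions from the same config
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext \
        -out "$dir/server.crt" 2>/dev/null

    # One file holding certificate then private key, as the post's cert.pem does;
    # root-only because it carries the key.
    cat "$dir/server.crt" "$dir/server.key" > "$dir/cert.pem"
    chmod 0600 "$dir/cert.pem" "$dir/server.key" "$dir/ca.key"
}

# check_pop_certs DIR [CN]: the checks to run before starting the daemon.
# Returns 0 only if every check passes.
check_pop_certs() {
    dir=$1
    cn=${2:-pop.example.test}
    # 1. the server certificate chains to the CA the clients will be told to trust,
    #    and carries the name the clients will connect to
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname "$cn" "$dir/server.crt" \
        >/dev/null 2>&1 || { echo "chain/hostname check failed" >&2; return 1; }
    # 2. the combined file really holds both objects; a cert-only or key-only file
    #    is what makes SSL_CTX_use_certificate_file / SSL_CTX_use_PrivateKey_file fail
    grep -q 'BEGIN CERTIFICATE' "$dir/cert.pem" || { echo "cert.pem: no certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$dir/cert.pem"      || { echo "cert.pem: no private key" >&2; return 1; }
    # 3. the private key matches the certificate: compare the public key each yields
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    return 0
}

# probe_pop3s HOST PORT CAFILE: what "this server requires a secure connection"
# does on the client side: a TLS handshake immediately on connect, before any
# POP3 command (unlike STLS, which starts in the clear on port 110).
probe_pop3s() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -CAfile "$3" \
        -verify_return_error -quiet
}

# Run directly as: sh pop-certs.sh /etc/mail/pop/certs pop.example.test
if [ $# -ge 1 ]; then
    make_pop_certs "$1" "${2:-pop.example.test}"
    check_pop_certs "$1" "${2:-pop.example.test}" && echo "OK: $1/cert.pem ready"
fi
```

Once the daemon is up, `probe_pop3s 127.0.0.1 995 /path/to/ca.crt` should print the `+OK` greeting; if the handshake is refused or nothing is listening, the problem is in the daemon's TLS configuration or listener, not in the certificate files, which the checks above have already confirmed.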