Greetings All.

Statement of the Problem: Outlook 2000 fails to retrieve mail over SSL POP3 using QPopper 4.0.4

Environment: Solaris 2.5.1 / QPopper 4.0.4 / OpenSSL 0.9.6b / Sendmail 8.12.3 / SASL 1.5.27 / Outlook 2000 / NT4 SP6a

As I understand it, QPopper 4.0.4 contains support to use the 110 port for both SSL/TLS and non-SSL/TLS connections. I can get QPopper 4.0.4 to work with SSL/TLS over the alternate port of 995, but since Norton AntiVirus E-Mail scanning doesn't support any non-standard ports, I can't use 'tls-support=alternate-port'. (My boss won't give up this feature.)

---------------------------------------------------------------------------------------------------------------------
[Symantec Knowledge Base Article]

Does Norton AntiVirus email scanner scan email downloaded by an Internet service provider using Secured Socket Layer?

Situation: You have an Internet service provider (ISP) that uses the Secured Socket Layer (SSL) protocol to download email to its incoming POP3 server. When you configure Norton AntiVirus (NAV) email scanning to scan email attachments, the program does not appear to scan email attachments.

Solution: NAV email scanning does not work with an ISP that is using the SSL protocol. Also, NAV email scanning will only scan email that arrives on default ports 110 or 25.
---------------------------------------------------------------------------------------------------------------------

Some solution....
So, I make the following config:

/etc/mail/pop/qpopper.config:
    set tls-support = stls
    set tls-server-cert-file = /etc/mail/certs/CAcert.pem
    set tls-private-key-file = /etc/mail/certs/CAkey.pem

/etc/services:
    pop3    110/tcp    # Post Office

/etc/inetd.conf:
    pop3 stream tcp nowait root /usr/local/sbin/popper -l1 -p2 -f /etc/mail/pop/qpopper.config

Outlook 2000:
    Tools / Options / Mail Delivery / Accounts / Properties / Servers
        [ENABLED "My server requires authentication"]
    Tools / Options / Mail Delivery / Accounts / Properties / Advanced
        [Outgoing Mail (SMTP) 25]  [ENABLED "This server requires a secure connection (SSL)"]
        [Incoming Mail (POP3) 110] [ENABLED "This server requires a secure connection (SSL)"]
    Tools / Options / Mail Delivery / Accounts / Properties / Security / Settings / Signing Certificate
        [This is the personal certificate signed by self-signed CA.]

CA Certificate: (See end of Post)

Outbound SSL on port 25 through Outlook works fine so there's nothing wrong with the certificate. When I attempt the POP, a successful connection is never made.

QPopper tracefile shows:

    [5802] Set tls-support to STLS (2)
    [5802] Set tls-server-cert-file to "/etc/mail/certs/CAcert.pem"
    [5802] Set tls-private-key-file to "/etc/mail/certs/CAkey.pem"
    [5802] (null) at adsl-63-197-28-194.dsl.snfc21.pacbell.net (63.197.28.194): -ERR Unknown command: "".
    [5802] (null) at adsl-63-197-28-194.dsl.snfc21.pacbell.net (63.197.28.194): -ERR POP EOF or I/O Error

When I monitor the connection with 'ssldump' I see:

    Unknown SSL content type 43
    3    0.0526 (0.0477)  C>S  TCP FIN
    3 2  0.0547 (0.0021)  S>C  Short record
    Unknown SSL content type 45
    3 3  0.0554 (0.0006)  S>C  Short record

I posted this error message to openssl-users and got back the following response from Eric Rescorla (author of 'SSL and TLS: Designing and Building Secure Systems' [http://www.amazon.com/exec/obidos/ASIN/0471383546/ref=pd_sxp_elt_l1/002-8972619-4150440]), so I'm willing to accept it at face value.

...
As for what's going on, are you sure that the POP3 server is listening with SSL on port 110? The POP3S port appears to be 995, not 110. My guess would be that what's listening on port 110 is normal POP. Try telnetting to port 110 to see if you get the POP banner. If so that's what's going on.

....

Well, the answer was 'yes', because I had 'set tls-support = stls' and used the '-l1 -p2' switches in inetd.conf. My brain tells me that this should've worked.

Did I put on my stupid hat again? Can this work? What did I do wrong?

R. Damian Koziel

Complete ssldump log:

New TCP connection #3: talos(1337) <-> mail.xidak.com(110)
3 1  0.0049 (0.0049)  C>S  V3.1(91)  Handshake
      ClientHello
        Version 3.1
        random[32]=
          ec 93 7b b3 2f d8 7c cf 83 d4 c9 b1 10 d2 26 c4
          44 a2 7d cb 0d a2 da f1 cb f6 98 49 f8 ea 8a c0
        resume [32]=
          47 d9 cb c1 ce bd 49 23 7d a1 0e b5 c8 74 6d 06
          0d 2e 94 48 85 df a9 c5 fe bc bb 0b 69 f1 19 6c
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        compression methods
                  NULL
Unknown SSL content type 43
3    0.0526 (0.0477)  C>S  TCP FIN
3 2  0.0547 (0.0021)  S>C  Short record
Unknown SSL content type 45
3 3  0.0554 (0.0006)  S>C  Short record
New TCP connection #4: talos(1339) <-> mail.xidak.com(110)
4 1  0.0051 (0.0051)  C>S  SSLv2 compatible client hello
  Version 128.1
  cipher suites
Unknown SSL content type 43
Unknown SSL content type 128
4 2  1.0488 (1.0436)  C>S  Short record
4    1.0488 (0.0000)  C>S  TCP FIN
4 3  1.0509 (0.0020)  S>C  Short record
Unknown SSL content type 45
4 4  1.0516 (0.0006)  S>C  Short record
New TCP connection #5: talos(1340) <-> mail.xidak.com(110)
5 1  0.0104 (0.0104)  C>S  V3.0(59)  Handshake
      ClientHello
        Version 3.0
        random[32]=
          45 96 d8 ca 1d af 23 79 5a eb 45 8a 44 ab e1 73
          16 f0 8a 1f e9 ee 2c 81 93 13 e5 0f 40 db 0c 80
        cipher suites
        SSL_RSA_WITH_RC4_128_MD5
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
        SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_RC4_40_MD5
        SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        compression methods
                  NULL
Unknown SSL content type 43
5    1.0444 (1.0340)  C>S  TCP FIN
5 2  1.0466 (0.0022)  S>C  Short record
Unknown SSL content type 45
5 3  1.0473 (0.0007)  S>C  Short record
New TCP connection #6: talos(1341) <-> mail.xidak.com(110)
Version 2 Client.
6    1.0493 (1.0493)  C>S  TCP FIN

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=California, L=Redwood City, O=XIDAK, Inc., OU=MAINSAIL Technology, [EMAIL PROTECTED]
        Validity
            Not Before: Jun 12 20:10:34 2002 GMT
            Not After : Jun 12 20:10:34 2003 GMT
        Subject: C=US, ST=California, L=Redwood City, O=XIDAK, Inc., OU=MAINSAIL Technology, [EMAIL PROTECTED]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AB:99:67:8D:27:83:EA:F7:E9:DD:B6:22:D0:D9:8B:2A:9E:3F:96:3E
            X509v3 Authority Key Identifier:
                keyid:AB:99:67:8D:27:83:EA:F7:E9:DD:B6:22:D0:D9:8B:2A:9E:3F:96:3E
                DirName:/C=US/ST=California/L=Redwood City/O=XIDAK, Inc./OU=MAINSAIL [EMAIL PROTECTED]
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: md5WithRSAEncryption

-+-+-+-+ End -+-+-+-+
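As an added diagnostic (not from the original post, and not QPopper's or Outlook's code): ssldump reports "Unknown SSL content type 43" and "45" when the byte it expected to be a TLS record type is ASCII '+' or '-', i.e. the server's plaintext "+OK" greeting and "-ERR" reply that the QPopper trace above also shows, while in every capture the client sends a ClientHello as its very first bytes, which is implicit SSL rather than a plaintext POP3 session followed by STLS. The helper below classifies each side's first bytes and decodes ssldump's message; the sample bytes are constructed, and probe_stls is a hypothetical helper name that is the only part touching a network.

```python
# Added diagnostic helper, not from the original post or from QPopper: tells
# an implicit-SSL client (ClientHello first, what Outlook sends with "requires
# a secure connection" set) apart from a server that waits for a plaintext
# POP3 session followed by STLS, which is what tls-support = stls serves.
import poplib

# A TLS record begins with its content type byte; an SSLv2 hello begins with a
# 2-byte length whose high bit is set, followed by message type 0x01.
TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}

def classify_first_bytes(data: bytes) -> str:
    """Classify what a peer is speaking from the first bytes it sent."""
    if not data:
        return "empty"
    if data[0] in TLS_RECORD_TYPES:
        return "tls-record:" + TLS_RECORD_TYPES[data[0]]
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x01:
        return "sslv2-client-hello"
    if data.startswith(b"+OK"):
        return "pop3-plaintext-banner"
    if data.startswith(b"-ERR"):
        return "pop3-plaintext-error"
    return "unknown"

def explain_ssldump_content_type(n: int) -> str:
    """Decode ssldump's 'Unknown SSL content type N': a printable byte means the
    peer sent plain text, not a TLS record (43 is '+', 45 is '-')."""
    if n in TLS_RECORD_TYPES:
        return f"TLS {TLS_RECORD_TYPES[n]} record"
    if 0x20 <= n < 0x7F:
        return f"not TLS: ASCII {chr(n)!r}, a plaintext POP3 reply byte"
    return "not a TLS record"

def probe_stls(host: str, port: int = 110, timeout: float = 5.0) -> bool:
    """Live check (hypothetical helper, not run here): connect in plaintext and
    ask CAPA whether the server advertises STLS on this port."""
    srv = poplib.POP3(host, port, timeout=timeout)
    try:
        return "STLS" in srv.capa()
    finally:
        srv.quit()

# Constructed samples: leading bytes of a TLS 1.0 ClientHello record, and a
# plaintext POP3 greeting like the one a STLS-mode server sends on port 110.
SAMPLE_CLIENT_HELLO = bytes.fromhex("160301005b0100")
SAMPLE_BANNER = b"+OK POP3 server ready\r\n"
```

If classify_first_bytes says the client opened with a TLS record while the server opened with a "+OK" banner, the two sides disagree on whether the port is implicit SSL or STLS, which is the situation this log records.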
