At 07:00 PM 6/13/02, R. Damian Koziel wrote:
>Greetings All.
>
>Statement of the Problem:  Outlook 2000 fails to retrieve mail over SSL POP3
>using QPopper 4.0.4
>
>Environment: Solaris 2.5.1 / QPopper 4.0.4 / OpenSSL 0.9.6b / Sendmail
>8.12.3 / SASL 1.5.27 / Outlook 2000 / NT4 SP6a
>
>As I understand it, QPopper 4.0.4 contains support to use the 110 port for
>both SSL/TLS and non-SSL/TLS connections.  I can get QPopper 4.0.4 to work
>with SSL/TLS over alternate port of 995 but since Norton AntiVirus E-Mail
>scanning doesn't support any non-standard ports, I can't use
>'tls-support=alternate-port'.
>(My boss won't give up this feature.)

Well, you can run a STLS invocation of Qpopper on port 110, and an 
alternate port version on port 995. The latter will work with Outlook, but 
if you choose to run the Norton proxy, you're screwed. You see, the TLS 
happens between outlook and the server, and using a proxy in the middle 
just can't work.

Virus scanners SHOULD be plug-ins to mail clients, NOT proxy servers.

Eudora with Norton works fine, by the way, without the use of a proxy. 
Since Eudora stores the email attachments separate from the mail folders, 
it triggers virus scans when it tries to write virus-laden attachments to 
disk. I've found this quite effective.

I've also been using virus scanning on the server with very good results. 
We're offering the scripts to interested parties (no, sorry, not for free 
since we've incurred plenty of expense to do it right).


>---------------------------------------------------------------------------------------------------------------
>[Symantec Knowledge Base Article]
>
>Does Norton AntiVirus email scanner scan email downloaded by an Internet
>service provider using Secured Socket Layer?
>
>Situation:
>
>You have an Internet service provider (ISP) that uses the Secured Socket
>Layer (SSL) protocol to download email to its incoming POP3 server. When you
>configure Norton AntiVirus (NAV) email scanning to scan email attachments,
>the program does not appear to scan email attachments
>
>Solution:
>
>NAV email scanning does not work with an ISP that is using the SSL protocol.
>Also, NAV email scanning will only scan email that arrives on default ports
>110 or 25.
>
>---------------------------------------------------------------------------------------------------------------
>
>Some solution....
>
>So, I make the following config:
>
>/etc/mail/pop/qpopper.config:
>set tls-support = stls
>set tls-server-cert-file = /etc/mail/certs/CAcert.pem
>set tls-private-key-file = /etc/mail/certs/CAkey.pem
>
>
>/etc/services:
>pop3            110/tcp                         # Post Office
>
>/etc/inetd.conf:
>pop3    stream  tcp     nowait  root /usr/local/sbin/popper -l1 -p2 -f /etc/mail/pop/qpopper.config
>
>Outlook 2000:
>
>Tools / Options / Mail Delivery / Accounts / Properties / Servers
>[ENABLED "My server requires authentication"]
>
>Tools / Options / Mail Delivery / Accounts / Properties / Advanced
>
>[Outgoing Mail (SMTP) 25]
>[ENABLED "This server requires a secure connection (SSL)"]
>
>[Incoming Mail (POP3) 110]
>[ENABLED "This server requires a secure connection (SSL)"]
>
>Tools / Options / Mail Delivery / Accounts / Properties / Security /
>Settings / Signing Certificate
>[This is the personal certificate signed by self-signed CA.]
>
>
>CA Certificate: (See end of Post)
>
>Outbound SSL on port 25 through Outlook works fine so there's nothing wrong
>with the certificate.  When I attempt the POP, a successful connection is
>never made.
>
>QPopper tracefile shows:
>[5802] Set tls-support to STLS (2)
>[5802] Set tls-server-cert-file to "/etc/mail/certs/CAcert.pem"
>[5802] Set tls-private-key-file to "/etc/mail/certs/CAkey.pem"
>[5802] (null) at adsl-63-197-28-194.dsl.snfc21.pacbell.net
>(63.197.28.194): -ERR Unknown command: "".
>[5802] (null) at adsl-63-197-28-194.dsl.snfc21.pacbell.net
>(63.197.28.194): -ERR POP EOF or I/O Error
>
>When I monitor the connection with 'ssldump' I see:
>
>Unknown SSL content type 43
>3    0.0526 (0.0477)  C>S  TCP FIN
>3 2  0.0547 (0.0021)  S>CShort record
>Unknown SSL content type 45
>3 3  0.0554 (0.0006)  S>CShort record
>
>I posted this error message to openssl-users and got back the following
>response from Eric Rescorla (author of 'SSL and TLS: Designing and Building
>Secure Systems'
>[http://www.amazon.com/exec/obidos/ASIN/0471383546/ref=pd_sxp_elt_l1/002-8972619-4150440])
>so I'm willing to accept it at face value.
>
>...
>
>As for what's going on, are you sure that the POP3 server is listening
>with SSL on port 110? The POP3S port appears to be 995, not 110.
>My guess would be that what's listening on port 110 is normal POP. Try
>telnetting to port 110 to see if you get the POP banner. If so
>that's what's going on.
>
>....
>
>Well, the answer was 'yes', because I had 'set-tls-support=stls' and used
>the '-l1 -p2' switches in inetd.conf.  My brain tells me that this should've
>worked.
>
>Did I put on my stupid hat again?  Can this work?  What did I do wrong?
>
>R. Damian Koziel
>
>
>Complete ssldump log:
>
>New TCP connection #3: talos(1337) <-> mail.xidak.com(110)
>3 1  0.0049 (0.0049)  C>SV3.1(91)  Handshake
>       ClientHello
>         Version 3.1
>         random[32]=
>           ec 93 7b b3 2f d8 7c cf 83 d4 c9 b1 10 d2 26 c4
>           44 a2 7d cb 0d a2 da f1 cb f6 98 49 f8 ea 8a c0
>         resume [32]=
>           47 d9 cb c1 ce bd 49 23 7d a1 0e b5 c8 74 6d 06
>           0d 2e 94 48 85 df a9 c5 fe bc bb 0b 69 f1 19 6c
>         cipher suites
>         TLS_RSA_WITH_RC4_128_MD5
>         TLS_RSA_WITH_RC4_128_SHA
>         TLS_RSA_WITH_3DES_EDE_CBC_SHA
>         TLS_RSA_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
>         TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         TLS_RSA_EXPORT_WITH_RC4_40_MD5
>         TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>         compression methods
>                   NULL
>Unknown SSL content type 43
>3    0.0526 (0.0477)  C>S  TCP FIN
>3 2  0.0547 (0.0021)  S>CShort record
>Unknown SSL content type 45
>3 3  0.0554 (0.0006)  S>CShort record
>New TCP connection #4: talos(1339) <-> mail.xidak.com(110)
>4 1  0.0051 (0.0051)  C>S SSLv2 compatible client hello
>   Version 128.1
>   cipher suites
>Unknown SSL content type 43
>Unknown SSL content type 128
>4 2  1.0488 (1.0436)  C>SShort record
>4    1.0488 (0.0000)  C>S  TCP FIN
>4 3  1.0509 (0.0020)  S>CShort record
>Unknown SSL content type 45
>4 4  1.0516 (0.0006)  S>CShort record
>New TCP connection #5: talos(1340) <-> mail.xidak.com(110)
>5 1  0.0104 (0.0104)  C>SV3.0(59)  Handshake
>       ClientHello
>         Version 3.0
>         random[32]=
>           45 96 d8 ca 1d af 23 79 5a eb 45 8a 44 ab e1 73
>           16 f0 8a 1f e9 ee 2c 81 93 13 e5 0f 40 db 0c 80
>         cipher suites
>         SSL_RSA_WITH_RC4_128_MD5
>         SSL_RSA_WITH_RC4_128_SHA
>         SSL_RSA_WITH_3DES_EDE_CBC_SHA
>         SSL_RSA_WITH_DES_CBC_SHA
>         SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
>         SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
>         SSL_RSA_EXPORT_WITH_RC4_40_MD5
>         SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
>         compression methods
>                   NULL
>Unknown SSL content type 43
>5    1.0444 (1.0340)  C>S  TCP FIN
>5 2  1.0466 (0.0022)  S>CShort record
>Unknown SSL content type 45
>5 3  1.0473 (0.0007)  S>CShort record
>New TCP connection #6: talos(1341) <-> mail.xidak.com(110)
>Version 2 Client.
>6    1.0493 (1.0493)  C>S  TCP FIN
>
>
>
>Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 0 (0x0)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=US, ST=California, L=Redwood City, O=XIDAK, Inc., OU=MAINSAIL Technology, [EMAIL PROTECTED]
>         Validity
>             Not Before: Jun 12 20:10:34 2002 GMT
>             Not After : Jun 12 20:10:34 2003 GMT
>         Subject: C=US, ST=California, L=Redwood City, O=XIDAK, Inc., OU=MAINSAIL Technology, [EMAIL PROTECTED]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 AB:99:67:8D:27:83:EA:F7:E9:DD:B6:22:D0:D9:8B:2A:9E:3F:96:3E
>             X509v3 Authority Key Identifier:
>                 keyid:AB:99:67:8D:27:83:EA:F7:E9:DD:B6:22:D0:D9:8B:2A:9E:3F:96:3E
>                 DirName:/C=US/ST=California/L=Redwood City/O=XIDAK, Inc./OU=MAINSAIL [EMAIL PROTECTED]
>                 serial:00
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: md5WithRSAEncryption
>
>-+-+-+-+ End -+-+-+-+

-----------------------------------------------------------------
Daniel Senie                                        [EMAIL PROTECTED]
Amaranth Networks Inc.                    http://www.amaranth.com
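The failure in the thread is a protocol mismatch: Outlook's "requires SSL" setting on port 110 opens with a TLS ClientHello, while a STLS-mode Qpopper expects a plain POP3 command first and logs the handshake bytes as an unknown command. The probe below is an added example, not code from the thread or from Qpopper; it does what the openssl-users reply suggests (connect and see whether a POP banner arrives) and reports whether a port speaks plain POP3, POP3 with STLS, or SSL-on-connect. `start_stub` is a constructed local stand-in for a listener so the probe can be exercised offline.

```python
import socket
import threading


def classify_pop3_port(host, port, timeout=2.0):
    """Return 'pop3-stls', 'pop3-plain' or 'implicit-tls' for host:port.

    A plain POP3 server speaks first (+OK banner); an SSL-on-connect listener
    (port 995 style) stays silent until it gets a ClientHello, so a timeout
    on the banner read is the tell. With a banner, CAPA shows whether STLS
    is offered, i.e. whether TLS must be started in-band after the greeting.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rd = sock.makefile("rb")
        try:
            banner = rd.readline()
        except socket.timeout:
            return "implicit-tls"
        if not banner.startswith(b"+OK"):
            return "unknown"
        sock.sendall(b"CAPA\r\n")
        caps = set()
        if rd.readline().startswith(b"+OK"):  # multi-line reply ends with "."
            while (line := rd.readline().strip()) not in (b"", b"."):
                caps.add(line.upper())
        sock.sendall(b"QUIT\r\n")
        return "pop3-stls" if b"STLS" in caps else "pop3-plain"


def start_stub(greet, stls):
    """Constructed stand-in listener (not Qpopper); returns its local port.
    greet=False mimics SSL-on-connect (silent); greet=True a plain server,
    advertising STLS in its CAPA reply when stls=True."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if greet:
                conn.sendall(b"+OK POP3 stub ready\r\n")
            for line in conn.makefile("rb"):
                cmd = line.strip().upper()
                if cmd == b"CAPA" and greet:
                    extra = b"STLS\r\n" if stls else b""
                    conn.sendall(b"+OK\r\nTOP\r\nUSER\r\n" + extra + b".\r\n")
                elif cmd == b"QUIT":
                    conn.sendall(b"+OK bye\r\n")
                    break
                else:  # what Qpopper logged when handed a raw ClientHello
                    conn.sendall(b'-ERR Unknown command: "%s".\r\n' % line.strip())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real server, `classify_pop3_port("mail.example", 110)` returning "pop3-stls" means the client must use STARTTLS-style POP3, and "implicit-tls" is the behaviour a port-995 listener shows.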
