I am unable to successfully retrieve email using OpenSSL with Qpopper.
My three questions are:
1. Has anyone successfully implemented OpenSSL with Qpopper running on
SunOS 5.7? If so, is there anything special I should know?
2. Can anyone tell from the information below if I've configured something
incorrectly on my POP server, or does the solution to my problem require
"taking the engine apart" (getting inside the OpenSSL and/or Qpopper code)?
3. Does this appear to be a client issue, server issue, or incompatibility
between the two?
I've already spent quite a bit of time under the hood and am not too
experienced at taking engines apart. Any thoughts or insights would be
greatly appreciated. Summary and Details below.
Thanks,
Jeff West
Postmaster
** Information found between tildes (~) is proprietary and has been changed.
SUMMARY
=======
I am unable to retrieve mail when using SSL to connect to Qpopper over a
LAN. When Eudora is used, there are no errors. Eudora simply reports that
I have no new mail (when in fact there is). When Outlook Express is used,
a somewhat generic error message is displayed (see below). If I turn SSL
off in the email clients (leaving it enabled on the server), both retrieve
mail without any problems.
When SSL is turned on in the clients, I believe I've been able to isolate
the errors in the pop log (see below). Eudora and Outlook Express are
producing different errors in the pop log. Eudora is apparently sending
the QUIT command before it is supposed to. Qpopper seems to perceive a
premature QUIT as a possible intruder, but ends the SSL and POP connection
gracefully. Outlook Express seems to send a garbled CAPA command. Here
again both the SSL and POP connections are terminated gracefully by the
server - which seems to be what is causing the Outlook Express error message.
I started this project a couple of weeks ago using version 4.0.4 of Qpopper
and version 0.9.6e of OpenSSL and have since upgraded to versions 4.0.5b1
and 0.9.6g respectively with no change in this behavior.
I'm fairly certain my certificates are in order, but I know of no way to
confirm this other than using the email clients to check mail. I did
receive cert-related errors when I first began, but I resolved those
problems and am no longer receiving any certificate-related errors.
DETAILS
=======
Server Side Software
-----------------------
Qpopper 4.0.5b1
OpenSSL 0.9.6g
GCC 3.1
Random 0.7
Perl 3.1
SunOS 5.7
Client Side Software
-----------------------
Win 2000 Pro 5.0 SP3
Outlook Express 6.00.2800.1106
Eudora 5.1.1
Server Side Certificate
-----------------------
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, ST=~OurState~, L=~OurCity~, O=~OurCompanyName, OU=HQ,
CN=~FQDNServerHost~/Email=~[EMAIL PROTECTED]~
Validity
Not Before: Nov 5 21:32:44 2002 GMT
Not After : Nov 5 21:32:44 2003 GMT
Subject: C=US, ST=~OurState~, L=~OurCity~, O=~OurCompanyName~, OU=HQ,
CN=~FCDNServerHost/Email=~[EMAIL PROTECTED]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ad:8a:1b:ed:93:8b:ab:0e:36:60:82:54:cb:78:
c3:40:d5:1d:c8:a3:47:ca:67:fd:d4:02:89:83:e7:
7f:3b:50:4b:ea:84:73:92:05:a9:9a:03:29:7b:46:
8f:9b:83:67:a9:de:e6:02:27:5b:28:97:ad:80:b9:
23:8a:78:8a:9e:02:ef:04:6d:a8:b7:98:81:35:de:
9c:06:11:69:1f:65:a4:96:a9:eb:e4:2a:b9:67:36:
19:dc:83:d7:47:07:f5:81:40:7d:e0:ce:19:e3:4a:
b2:38:de:73:ba:f1:26:6c:24:90:01:24:3f:d8:f4:
4f:ae:5b:06:6c:84:96:16:21
Exponent: 65537 (0x10001)
Signature Algorithm: md5WithRSAEncryption
04:d2:c8:57:9e:88:59:f4:bb:3a:e6:a9:99:c5:d2:b3:d9:08:
ac:85:25:5b:99:07:eb:97:d6:68:c2:84:0b:7f:db:b2:34:99:
ff:45:5d:87:d3:ed:21:54:99:c5:0d:78:d1:f5:28:ed:de:70:
a7:84:98:c8:48:d8:8e:f1:58:bc:44:04:29:48:b8:8d:7f:35:
1a:63:fd:5a:76:56:ef:57:3e:3c:a5:d1:9c:05:9a:1d:11:7a:
17:4a:68:d1:83:47:b0:e9:c4:63:04:3e:44:e5:b2:60:f4:ad:
3c:77:96:0a:b8:e5:cd:c4:9a:7f:f9:99:0b:7a:44:13:72:95:
df:72
Error message (in a dialog box) returned by Outlook Express - This message
is returned immediately
------------------------------------------------------------------------
Your server has unexpectedly terminated the connection. Possible causes for
this include server problems, network problems, or a long period of
inactivity. Account: 'At Work', Server: '~serverhostname.ourdomain.com~',
Protocol: POP3, Port: 110, Secure(SSL): Yes, Error Number: 0x800CCC0F
The pop.log has the following entries when an attempt to check mail w/SSL
from Outlook Express is made. Please note line 25 - a garbled CAPA command
seems to have been sent by Outlook Express.
------------------------------------------------------------------------
1. Trace and Debug destination is file "/var/mail/pop.log" [pop_config.c:1144]
2. ...read line 2 (20): set tls-support=stls [pop_config.c:1370]
3. Set tls-support to STLS (2) [pop_config.c:1234]
4. ...read line 3 (49): set tls-server-cert-file=/etc/mail/certs/cert.pem
[pop_config.c:1370]
5. Set tls-server-cert-file to "/etc/mail/certs/cert.pem" [pop_config.c:1250]
6. Finished processing config file '/etc/mail/pop/popper.conf'; rslt=1
[pop_config.c:1518]
7. (v4.0.5b1) Servicing request from "~clienthostname.ourdomain.com~" at
~99.99.99.99~ [pop_init.c:1174]
8. before TLS; tls_support==2 [popper.c:181]
9. ...Initializing OpenSSL library (version OpenSSL 0.9.6g 9 Aug 2002)
[pop_tls_openssl.c:230]
10. ...have /dev/urandom; skipping PRNG seeding [pop_tls_openssl.c:288]
11. ...setting method to SSLv23_server_method [pop_tls_openssl.c:312]
12. ...allocating OpenSSL context [pop_tls_openssl.c:342]
13. ...setting certificate file /etc/mail/certs/cert.pem
[pop_tls_openssl.c:363]
14. ...private key file not set; assuming private key is in cert
(/etc/mail/certs/cert.pem) [pop_tls_openssl.c:380]
15. ...setting private key file /etc/mail/certs/cert.pem
[pop_tls_openssl.c:384]
16. ...verifying private key against certificate [pop_tls_openssl.c:397]
17. ...(tls_cipher_list not specified) [pop_tls_openssl.c:424]
18. ...allocating OpenSSL connection [pop_tls_openssl.c:435]
19. ...setting input (0) and output (0) file descriptors
[pop_tls_openssl.c:446]
20. ...successfully completed OpenSSL initialization [pop_tls_openssl.c:465]
21. TLS Init [popper.c:202]
22. (v4.0.5b1) Intro [popper.c:247]
23. +OK Qpopper (version 4.0.5b1) at ~serverhostname.ourdomain.com~
starting. [popper.c:260]
24. Qpopper ready for input from (null) at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
25. Received (5): "�j" [pop_get_command.c:105]
26. (null) at ~clienthostname.ourdomain.com~ (~99.99.99.99~): -ERR Unknown
command: "�j". [pop_get_command.c:152]
27. Qpopper ready for input from (null) at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
28. (null) at ~clienthostname.ourdomain.com~ (~99.99.99.99~): -ERR POP EOF
or I/O Error [popper.c:820]
29. +OK Pop server at ~serverhostname.ourdomain.com~ signing off.
[popper.c:360]
30. I/O error flushing output to client at ~clienthostname.ourdomain.com~
[~99.99.99.99~]: Broken pipe (32) [pop_send.c:689]
31. pTLS->m_pPOP->tls_started == false [pop_tls_openssl.c:823]
32. freeing m_OpenSSLconn [pop_tls_openssl.c:827]
33. freeing m_OpenSSLctx [pop_tls_openssl.c:833]
34. openssl_shutdown returning 0 [pop_tls_openssl.c:838]
35. (v4.0.5b1) Ending request from "" at (~clienthostname.ourdomain.com~)
~99.99.99.99~ [popper.c:378]
36. (v4.0.5b1) Timing for @~clienthostname.ourdomain.com~ (error) auth=0
init=0 clean=0 [popper.c:384]
The pop.log has the following entries when an attempt to check mail w/SSL
from Eudora is made. Please note lines 51 and 52. It appears as if Eudora
issued a QUIT command before it was supposed to.
------------------------------------------------------------------------
1. Trace and Debug destination is file "/var/mail/pop.log" [pop_config.c:1144]
2. ...read line 2 (20): set tls-support=stls [pop_config.c:1370]
3. Set tls-support to STLS (2) [pop_config.c:1234]
4. ...read line 3 (49): set tls-server-cert-file=/etc/mail/certs/cert.pem
[pop_config.c:1370]
5. Set tls-server-cert-file to "/etc/mail/certs/cert.pem" [pop_config.c:1250]
6. Finished processing config file '/etc/mail/pop/popper.conf'; rslt=1
[pop_config.c:1518]
7. (v4.0.5b1) Servicing request from "~clienthostname.ourdomain.com~" at
~99.99.99.99~ [pop_init.c:1174]
8. before TLS; tls_support==2 [popper.c:181]
9. ...Initializing OpenSSL library (version OpenSSL 0.9.6g 9 Aug 2002)
[pop_tls_openssl.c:230]
10. ...have /dev/urandom; skipping PRNG seeding [pop_tls_openssl.c:288]
11. ...setting method to SSLv23_server_method [pop_tls_openssl.c:312]
12. ...allocating OpenSSL context [pop_tls_openssl.c:342]
13. ...setting certificate file /etc/mail/certs/cert.pem
[pop_tls_openssl.c:363]
14. ...private key file not set; assuming private key is in cert
(/etc/mail/certs/cert.pem) [pop_tls_openssl.c:380]
15. ...setting private key file /etc/mail/certs/cert.pem
[pop_tls_openssl.c:384]
16. ...verifying private key against certificate [pop_tls_openssl.c:397]
17. ...(tls_cipher_list not specified) [pop_tls_openssl.c:424]
18. ...allocating OpenSSL connection [pop_tls_openssl.c:435]
19. ...setting input (0) and output (0) file descriptors
[pop_tls_openssl.c:446]
20. ...successfully completed OpenSSL initialization [pop_tls_openssl.c:465]
21. TLS Init [popper.c:202]
22. (v4.0.5b1) Intro [popper.c:247]
23. +OK Qpopper (version 4.0.5b1) at ~serverhostname.ourdomain.com~
starting. [popper.c:260]
24. Qpopper ready for input from (null) at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
25. Received (4): "CAPA" [pop_get_command.c:105]
26. capa returned 1; CurrentState now auth1 [popper.c:338]
27. Qpopper ready for input from (null) at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
28. Received (4): "STLS" [pop_get_command.c:105]
29. +OK STLS [pop_extend.c:183]
30. Attempting OpenSSL handshake [pop_tls_openssl.c:514]
31. tls accept returned 1 [pop_tls_openssl.c:517]
32. SSL_get_error says SSL_ERROR_NONE (0) [pop_tls_openssl.c:524]
33. (v4.0.5b1) TLSv1/SSLv3 handshake with client at
~clienthostname.ourdomain.com~ (~99.99.99.99~); new session-id; cipher:
DES-CBC3-SHA (DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1), 168
bits [pop_tls_openssl.c:530]
34. pop_stls returning 1 [pop_extend.c:199]
35. stls returned 1; CurrentState now auth1 [popper.c:338]
36. Qpopper ready for input from (null) at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
37. tls read start 2048 ffbeee58 [pop_tls_openssl.c:595]
38. tls read 15 55 53 [pop_tls_openssl.c:599]
39. SSL_get_error says SSL_ERROR_NONE (0) [pop_tls_openssl.c:603]
40. Received (13): "USER testuser" [pop_get_command.c:105]
41. home (21): '/export/home/testuser' [pop_user.c:218]
42. +OK Password required for testuser. [pop_user.c:431]
43. tls write start 37 ffbef66c [pop_tls_openssl.c:690]
44. tls write 37 2b 4f [pop_tls_openssl.c:694]
45. SSL_get_error says SSL_ERROR_NONE (0) [pop_tls_openssl.c:698]
46. user returned 1; CurrentState now auth2 [popper.c:338]
47. Qpopper ready for input from testuser at ~clienthostname.ourdomain.com~
[~99.99.99.99~] [popper.c:294]
48. tls read start 2048 ffbeee58 [pop_tls_openssl.c:595]
49. tls read 6 51 55 [pop_tls_openssl.c:599]
50. SSL_get_error says SSL_ERROR_NONE (0) [pop_tls_openssl.c:603]
51. Received (4): "QUIT" [pop_get_command.c:105]
52. Possible probe of account testuser from host
~clienthostname.ourdomain.com~ (~99.99.99.99~) [pop_quit.c:29]
53. quit returned 1; CurrentState now halt [popper.c:338]
54. +OK Pop server at ~serverhostname.ourdomain.com~ signing off.
[popper.c:360]
55. tls write start 61 ffbef66c [pop_tls_openssl.c:690]
56. tls write 61 2b 4f [pop_tls_openssl.c:694]
57. SSL_get_error says SSL_ERROR_NONE (0) [pop_tls_openssl.c:698]
58. tls shutdown returned 0 [pop_tls_openssl.c:779]
59. SSL_get_error says SSL_ERROR_SYSCALL (5) [pop_tls_openssl.c:783]
60. TLS shutdown Error [pop_tls_openssl.c:805]
61. freeing m_OpenSSLconn [pop_tls_openssl.c:827]
62. freeing m_OpenSSLctx [pop_tls_openssl.c:833]
63. openssl_shutdown returning -1 [pop_tls_openssl.c:838]
64. (v4.0.5b1) Ending request from "testuser" at
(~clienthostname.ourdomain.com~) ~99.99.99.99~ [popper.c:378]
65. (v4.0.5b1) Timing for testuser@~clienthostname.ourdomain.com~ (normal)
auth=0 init=0 clean=0 [popper.c:384]
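Added example (editor's addition, not code from the post above, from Qpopper or from either mail client). The two logs differ at the first bytes the server reads: the Eudora session opens with a readable CAPA and reaches STLS, while the other session delivers binary data that Qpopper reports as an unknown command. A client told to "use SSL" on port 110 without STLS support does not send CAPA at all; it starts the TLS handshake immediately, and a listener in tls-support=stls mode (which expects plaintext POP3 until STLS) reads the opening handshake bytes as a command. For such clients Qpopper offers a separate listener with tls-support=alternate-port (the pop3s port, 995). The code below shows (1) a classifier for what a plaintext POP3 port received first, distinguishing a TLS record, an SSLv2-compatible hello and a POP3 command, and (2) the CAPA/STLS/USER/PASS sequence a client must follow against an STLS server, with a check that no credentials are sent before the upgrade. The hostname `pop.example.test`, the credentials and the scripted server replies are constructed for the example.

```python
"""Added example: tell an implicit-TLS client from an STLS client on a
plaintext POP3 port, and drive the CAPA/STLS upgrade correctly."""
import ssl


def classify_first_bytes(data: bytes) -> str:
    """What did the peer send first on a plaintext POP3 port?"""
    # TLS/SSLv3 record: content type 22 (handshake), version 3.x, 2-byte length.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # message type 1 (CLIENT-HELLO).  Older Windows clients open this way.
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible-hello"
    if data and all(0x20 <= b < 0x7F or b in (0x0D, 0x0A) for b in data):
        return "pop3-command"
    return "binary-garbage"


class Pop3Error(Exception):
    pass


def _readline(sock) -> str:
    """Read one CRLF-terminated POP3 response line."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            raise Pop3Error("connection closed")
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def _expect_ok(sock, what: str) -> str:
    line = _readline(sock)
    if not line.startswith("+OK"):
        raise Pop3Error(f"{what} failed: {line}")
    return line


def _capa(sock) -> set:
    """Send CAPA and return the advertised capability keywords."""
    sock.sendall(b"CAPA\r\n")
    _expect_ok(sock, "CAPA")
    caps = set()
    while True:
        line = _readline(sock)
        if line == ".":
            return caps
        if line:
            caps.add(line.split()[0].upper())


def stls_login(sock, hostname: str, user: str, password: str, wrap=None):
    """Upgrade a plaintext POP3 session with STLS, then authenticate.

    `wrap` turns the plain socket into a TLS socket; the default verifies the
    server certificate, so a self-signed cert must first be trusted with
    ctx.load_verify_locations().  Returns the TLS socket."""
    if wrap is None:
        ctx = ssl.create_default_context()
        wrap = lambda s: ctx.wrap_socket(s, server_hostname=hostname)
    _expect_ok(sock, "greeting")
    if "STLS" not in _capa(sock):
        raise Pop3Error("server does not advertise STLS; use the pop3s port instead")
    sock.sendall(b"STLS\r\n")
    _expect_ok(sock, "STLS")
    tls = wrap(sock)  # handshake happens here; USER/PASS only go out after it
    tls.sendall(f"USER {user}\r\n".encode("ascii"))
    _expect_ok(tls, "USER")
    tls.sendall(f"PASS {password}\r\n".encode("ascii"))
    _expect_ok(tls, "PASS")
    return tls


class ScriptedSock:
    """Constructed stand-in for a socket, scripted like a POP3 server in
    STLS mode; records whether each command was sent before or after TLS."""
    REPLIES = {
        "CAPA": b"+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\n.\r\n",
        "STLS": b"+OK STLS\r\n",
        "USER": b"+OK Password required for testuser.\r\n",
        "PASS": b"+OK testuser has 1 visible message (0 hidden) in 1234 octets.\r\n",
    }

    def __init__(self):
        self.pending = b"+OK POP3 server at pop.example.test starting.\r\n"
        self.sent = []  # (command, sent_after_tls_upgrade)
        self.encrypted = False

    def sendall(self, data: bytes):
        cmd = data.decode("ascii").rstrip("\r\n")
        self.sent.append((cmd, self.encrypted))
        self.pending += self.REPLIES[cmd.split()[0]]

    def recv(self, n: int) -> bytes:
        out, self.pending = self.pending[:n], self.pending[n:]
        return out


def demo() -> dict:
    """Run both halves against constructed input and return the findings."""
    srv = ScriptedSock()

    def fake_wrap(s):  # stands in for ctx.wrap_socket in the scripted run
        s.encrypted = True
        return s

    stls_login(srv, "pop.example.test", "testuser", "s3cret", wrap=fake_wrap)
    return {
        "implicit_ssl_first_bytes": classify_first_bytes(b"\x16\x03\x01\x00\x8c\x01"),
        "stls_client_first_bytes": classify_first_bytes(b"CAPA\r\n"),
        "cleartext_commands": [c for c, enc in srv.sent if not enc],
        "encrypted_commands": [c for c, enc in srv.sent if enc],
    }
```

Running `classify_first_bytes` on the first read of a real port-110 listener is the quickest way to confirm which case a given client falls into; a client that comes back as a TLS or SSLv2 hello will never work against an STLS-only listener and needs the alternate-port (pop3s) service instead. Against a live server, `stls_login(socket.create_connection((host, 110)), host, user, password)` performs the real upgrade, and its default `wrap` rejects a certificate that does not verify, which is the check to keep rather than disable.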
