On Mon, 6 Dec 1999, Aviram Jenik wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> 
> Ira, you mentioned SSLpop a few days ago. What is it? Where can I
> find it?
> I looked all over the place and all I could find is a reference to a
> wish list (something like: "some day we would like to implement
> SSLPop...").

digging up linux-security... from September 20-24 of this year, the
following is a digest.


-------------------------------
        If you want to encrypt pop or imap access, then I would suggest
using SSL encrypted pop (pop3s) or SSL encrypted imaps (imaps).  You can
do this with your standard pop and imap servers using an encrypting
wrapper such as sslproxy, edssl, or stunnel.  These can be found by
following the links up at the OpenSSL site, <http://www.openssl.org>.
You're going to need OpenSSL to make it work as well (they're the crypto
libraries).

        Outlook Express, Netscape, and numerous other Windows clients
already have built-in support for SSL encrypted pop and/or SSL encrypted
imap.  You just have to check the preferences box for "encrypt connections".

        Examples of what I did to configure pop3s and imaps:

        Add this to /etc/services:

imaps           993/tcp
pop3s           995/tcp

        Set up this in /etc/inetd.conf:

pop-3 stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap  stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
imaps stream  tcp     nowait  root    /usr/sbin/tcpd  sslproxy -t 3600 -p imap
pop3s stream  tcp     nowait  root    /usr/sbin/tcpd  sslproxy -t 3600 -p pop-3

        Obviously, I'm using sslproxy.  I've used edssl, and tried stunnel
but never got stunnel to work for me.  Sslproxy is easy but doesn't support
some features like client side certificates like edssl does.

        If you want to retrieve mail to a Linux client workstation using
SSL encrypted pop or imap, I highly recommend fetchmail-ssl.  It's available
from the North American Cryptographic Archives <http://www.cryptography.org>
in the SSL subdirectory.  I wrote the SSL patches for fetchmail and released
it (with Eric Raymond's consent) through the archives.  Since Eric and I both
live in the "Land of the Freeh" (sic) we can't, ourselves, release it in
a more general form or distribution.


---------------------------------------------------------------------------
From: Frank Derichsweiler <[EMAIL PROTECTED]>

Try to use channel forwarding within ssh. Details are within the ssh
docs.  Unfortunately there is only a free ssh1 client for wind*** ...

HTH
Frank

---------------------------------------------------------------------------
From: Przemek Klosowski <[EMAIL PROTECTED]>

There also exist SSL-encrypted POP and IMAP specs. Here's a list of services
that use SSL:

ssmtp           465/tcp                         # SMTP over SSL
snews           563/tcp                         # NNTP over SSL
ssl-ldap        636/tcp                         # LDAP over SSL
simap           993/tcp                         # IMAP over SSL
spop3           995/tcp                         # POP-3 over SSL

Netscape at least from version 4.51 up allows SSL-based IMAP
connections.  I don't know about other mail clients.

---------------------------------------------------------------------------

From: "Nick Gotsinas" <[EMAIL PROTECTED]>

http://www.linuxdoc.org/HOWTO/mini/Secure-POP+SSH.html

I haven't tried it yet but it looks like it works.


---------------------------------------
>  One "digest" answer on the list.

The digest doesn't really discuss the option of tunnelling POP through
SSH, which is what our University department does.  I have a Linux
client, so I just forward some local ports to remote ports with this
command:

ssh -C -l crispin -f \
        -L 6666:mailhost.your.place.foo:110 \
        -L 6667:mailhost.your.place.foo:25 \
        mailhost.your.place.foo xbiff

For windows clients, we have people using the commercial Data Fellows
SSH client for Windows, which also can forward ports.  The windows
users whine that it can't automatically open the port forwarding when
they click their mail client, but that's the only complaint.

The advantage over the SSL solution is that the SSH daemon is
relatively easy to set up.  However, if your site already has SSL
support, then this issue is moot.

--------------------------------------------------------------------------
DOCUMENTATION: HOW-TO SSLWRAP, SSLEAY OR OPENSSL


INTRODUCTION

SSLeay and OpenSSL are used to generate the required
certificates. SSLwrap (run out of inetd) is used to encrypt pop3, imap
or smtp services. Both SSLeay and OpenSSL will be discussed, showing how to
generate a self-signed certificate.



SSLeay (vers. SSLeay-0.9.0b-4.i386.rpm)

Primary purpose here is to generate a cert.  {note: the following
directories/files locations are created from RPM packages on RH6.0. On
tar compressed files the certs, req and x.509 might be in different
locations.}

Before running the below commands, please take note the
following. After generating the cert, you would be required to fill in
some fields such as name, country and e-mail etc. Take extra caution
when filling in the "Common Name (eg, Your name)[]" field. Here, enter
the host name of the mail server (assuming it's for pop/imap). The
hostname here must match the hostname of the mail server filled at the
e-mail client (i.e the POP field where the mail server name is
recorded). If the names do not match, a warning dialog box would pop
up.  The link is still encrypted but it would be a nuisance to the
users who have to endure the persistent warning dialog box.


Command:
cd /var/ssl/certs/
/usr/bin/req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
ln -s server.pem $(/usr/bin/x509 -noout -hash < server.pem).0

A file (server.pem) would be generated from the command in line 2
above. Chmod the server.pem file (600) in order to restrict
access. Note also that the server cert would only be effective the
next day. As a test, forward your PC date by one day and test it.



OpenSSL (vers. openssl-0.9.3a.tar.gz)
**vers. Openssl-0.9.4 is out. But of current writing, SSLwrap only supports
0.9.3a)**

The steps are (and *warnings too*:)) are the same as before. The
commands are slightly changed however.

Use tar to decompress the file to /usr/local/src/ {preference is yours
in here} A directory called openssl-0.9.3a would be created. Inside
here do a :

./config
make
make test
make install

(all the above are documented in the INSTALL file).

To generate a cert, do the following: {note the directories are
changed compared to SSLeay }.

Command:
cd /usr/local/ssl/certs/
/usr/local/ssl/bin/openssl req -new -x509 -nodes -out server.pem -keyout server.pem -days 365
ln -s server.pem $(/usr/local/ssl/bin/openssl x509 -noout -hash < server.pem).0

Again, a server cert (server.pem) would be generated. Chmod the file
(600) to restrict access to it.



SSLwrap (vers. SSLwrap-2.02-2.i386.rpm)
Requirement:  SSLeay (or OpenSSL 0.9.3a), ld-linux.so.2, libc.so.6,
libcrypto.so.0, libssl.so.0
** The latest SSLwrap version is 2.1.0 {tar format}; recommended to be used**

Read the docs.html first (/usr/doc/). Again note that the file
structure/location specified here (in accordance with RPM) might
differ from the tar file and also in the doc.html.

SSLwrap runs out of Inetd. It can be run as a daemon but this is not advised
(see docs.html for more info). Two files need to be configured here,
the inetd.conf (at /etc) and services (at /etc).

Add the following at services:

pop3s   995/tcp

Or if you're using imap;
imaps 993/tcp

Add the following at inetd.conf

pop3s  stream  tcp  nowait  sslwrap  /usr/sbin/tcpd  /usr/sbin/sslwrap -cert /var/ssl/certs/server.pem -port 110

Take careful note of the above paths. Also note pop3s. It should be in
accordance with what you specified in the /etc/services file. If the RPM
SSLwrap is used, all the above would be written in. However, RPM
SSLwrap uses pop3s, whereas the default /etc/services already has
spop3. The services file would not be re-written. In this case SSLwrap
would not work. Hence, change the spop3 in the /etc/services file
to pop3s or change the inetd.conf file.

Also note the owner sslwrap. From the docs.html, it is advised to
create a user called sslwrap with access rights like nobody for
security reasons.


Please e-mail me if I made any mistake. Thx.

E-mail: [EMAIL PROTECTED]
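An added example, not from the HOWTO or any of the posters, of the client-side check behind the "Common Name" warning described above: it takes a peer certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns, matches its CN (and, going beyond the CN-only matching of 1999-era clients, any DNS subjectAltName) against the host configured in the mail client, and also flags a certificate whose notBefore lies in the future, the "effective the next day" symptom mentioned under SSLeay. The certificate and host names are constructed.

```python
import ssl

# Constructed peer certificate, in the dict shape ssl.SSLSocket.getpeercert()
# returns (not a real certificate). The CN is what was typed at the
# "Common Name" prompt of "openssl req" in the HOWTO above.
MAILHOST_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "mail.example.test"),)),
    "notBefore": "Dec 10 00:00:00 1999 GMT",
    "notAfter": "Dec 10 00:00:00 2000 GMT",
}

def cert_hostnames(cert):
    """Names a client may match against: subject CN plus any DNS SAN entries."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return names

def name_matches(pattern, host):
    """Case-insensitive exact match, or '*' as the whole left-most label only."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def validity(cert):
    """(notBefore, notAfter) as Unix timestamps."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))

def check_mail_server_cert(cert, configured_host, now):
    """Warnings a mail client raises before trusting the server; empty list = OK."""
    warnings = []
    if not any(name_matches(n, configured_host) for n in cert_hostnames(cert)):
        warnings.append("name mismatch: certificate is for %s, client was told %s"
                        % (cert_hostnames(cert), configured_host))
    not_before, not_after = validity(cert)
    if now < not_before:
        warnings.append("certificate not yet valid (check the server clock)")
    if now > not_after:
        warnings.append("certificate expired")
    return warnings
```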


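An added example, not part of the HOWTO, for the /etc/services versus inetd.conf mismatch described above: it parses constructed fragments of both files and reports a service name inetd cannot bind (the spop3/pop3s case), an sslwrap entry running as root instead of the dedicated sslwrap user the docs recommend, and a -port target that no service defines. File contents are constructed; the imaps line deliberately uses root to exercise that check.

```python
# Constructed /etc/services and /etc/inetd.conf fragments that reproduce the
# mismatch the HOWTO describes: the RPM writes "pop3s" into inetd.conf while
# the stock services file still names port 995 "spop3".
SERVICES = """\
pop-3   110/tcp         # POP version 3
imap    143/tcp         # IMAP
spop3   995/tcp         # POP-3 over SSL
imaps   993/tcp
"""

INETD_CONF = """\
pop-3 stream tcp nowait root /usr/sbin/tcpd ipop3d
imap  stream tcp nowait root /usr/sbin/tcpd imapd
pop3s stream tcp nowait sslwrap /usr/sbin/tcpd /usr/sbin/sslwrap -cert /var/ssl/certs/server.pem -port 110
imaps stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert /var/ssl/certs/server.pem -port 143
"""

def parse_services(text):
    """Map each tcp service name and alias to its port number."""
    ports = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        if proto == "tcp":
            for name in [fields[0]] + fields[2:]:
                ports[name] = int(port)
    return ports

def check_inetd(inetd_text, services):
    """List the problems inetd (or sslwrap) would hit with this configuration."""
    problems = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        name, proto, user, args = fields[0], fields[2], fields[4], fields[5:]
        if proto == "tcp" and name not in services:
            problems.append("%s: not in /etc/services, inetd cannot bind it" % name)
        if any(a.endswith("sslwrap") for a in args):
            if user == "root":
                problems.append("%s: sslwrap runs as root; use a dedicated user" % name)
            if "-port" in args:
                target = int(args[args.index("-port") + 1])
                if target not in services.values():
                    problems.append("%s: forwards to port %d, which no service defines" % (name, target))
    return problems
```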

