1. Try running netstat -l |grep LIST on your server and see if imaps and pop3s are really listening.
2. I always use S/SA as flags and not just S (other list members - if this is wrong please correct me).
3. Don't know about xinetd and stunnel; all IMAP servers I used (cyrus) used TLS/SSL support and not stunnel.
Moti

From: "Thomas H. Jones II" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, August 28, 2002 2:45 PM
Subject: Difficulty with SSL and ipfilter

> Hi:
>
> Was hoping to find my answers in the archives, but could not. I tried
> searching on "IMAP", "stunnel", and "ssl imap". Nothing relevant. So,
> here's my story:
>
> I will soon be moving one of my Sendmail/POP/IMAP servers to a
> firewalled environment. In preparation for this, I am using ipfilter
> to simulate what changes I will need to make to my current,
> unfirewalled system to make it play nicely in a firewalled
> environment.
>
> The firewall host is Solaris 7 x86 running IP Filter 3.4.23 (I know,
> out of date. If this turns out to be the issue, I'll upgrade).
>
> Thus far, SMTP, POP and IMAP work just fine with my filter and NAT
> rules. However, SSL wrapped POP and IMAP do NOT work through the
> firewall.
>
> I am using stunnel v3.22 (http://www.stunnel.org) to provide an SSL
> wrapper for my IMAP service. This works fine on both the unfirewalled
> host that I am trying to migrate from, as well as from hosts on the
> same LAN as the firewalled IMAP/POP server. However, the SSL'ized IMAP
> does not seem to work through the firewall, even though normal IMAP
> does.
>
> my ipnat file is as follows:
>
> rdr elxl1 66.92.156.221/32 port ssh -> 192.168.22.222 port ssh
> rdr elxl1 66.92.156.221/32 port smtp -> 192.168.22.222 port smtp
> rdr elxl1 66.92.156.221/32 port pop3 -> 192.168.22.222 port pop3
> rdr elxl1 66.92.156.221/32 port imap -> 192.168.22.222 port imap
> rdr elxl1 66.92.156.221/32 port imaps -> 192.168.22.222 port imaps
> rdr elxl1 66.92.156.221/32 port pop3s -> 192.168.22.222 port pop3s
>
> my ipf file is as follows:
>
> block in proto icmp all
> pass in proto icmp from any to any icmp-type echorep
> pass out on elxl1 proto udp from any to any port = domain keep state
> pass out on elxl1 proto udp from any to any port = ntp keep state
> block return-rst in quick on elxl1 proto tcp from any to any port = 111
> block in on elxl1 from any to any port 5999 >< 6100
> block in quick on elxl1 proto udp from any to any
> pass in on elxl1 from 66.92.156.192/255.255.255.224 to any
> pass in on elxl0 from 192.168.22.0/255.255.255.0 to any
> pass out on elxl0 from 192.168.22.0/255.255.255.0 to any
> pass out on elxl1 from 192.168.22.0/255.255.255.0 to any
> pass in quick on elxl0 proto tcp from any to 192.168.22.222/32 port = smtp flags S keep state
> pass in quick on elxl0 proto tcp from any to 192.168.22.222/32 port = pop3 flags S keep state
> pass in quick on elxl0 proto tcp from any to 192.168.22.222/32 port = imap flags S keep state
> pass in quick on elxl0 proto tcp from any to 192.168.22.222/32 port = imaps flags S keep state
> pass in quick on elxl0 proto tcp from any to 192.168.22.222/32 port = pop3s flags S keep state
>
>
> When I snoop to see what's going on from an external connection, I get
> the following:
>
> xx.yyy.com -> typhoon TCP D=993 S=58277 Syn Seq=1304956141 Len=0 Win=64240 Options=<mss 1460,nop,nop,sackOK>
> typhoon -> xx.yyy.com TCP D=58277 S=993 Syn Ack=1304956142 Seq=3794488653 Len=0 Win=49640 Options=<mss 1460,nop,nop,sackOK>
> xx.yyy.com -> typhoon TCP D=993 S=58277 Ack=3794488654 Seq=1304956142 Len=0 Win=64240
> xx.yyy.com -> typhoon TCP D=993 S=58277 Push Ack=3794488654 Seq=1304956142 Len=72 Win=64240
> typhoon -> xx.yyy.com TCP D=58277 S=993 Ack=1304956214 Seq=3794488654 Len=0 Win=49568
> typhoon -> xx.yyy.com TCP D=58277 S=993 Push Ack=1304956214 Seq=3794488654 Len=1107 Win=49568
> xx.yyy.com -> typhoon TCP D=993 S=58277 Ack=3794489761 Seq=1304956214 Len=0 Win=63133
> xx.yyy.com -> typhoon TCP D=993 S=58277 Push Ack=3794489761 Seq=1304956214 Len=7 Win=63133
> typhoon -> xx.yyy.com TCP D=58277 S=993 Ack=1304956221 Seq=3794489761 Len=0 Win=49568
> xx.yyy.com -> typhoon TCP D=993 S=58277 Rst Seq=1304956221 Len=0 Win=0
> xx.yyy.com -> typhoon TCP D=993 S=58277 Rst Seq=1304956221 Len=0 Win=0
>
> So, it APPEARS that the basic functionality is there. There's just one
> piece missing, somewhere. Normally, the way that stunnel works is that
> you connect to the secure IMAP port (993, as in the D= above). After
> authenticating you, it then manages a connection to the real IMAP
> service running on the localhost. All mail client server activity
> should then take place through the tunnel.
>
> Oh, one last datapoint, this is the chunk of my xinetd configuration
> controlling the IMAP service:
>
> service imaps
> {
>     socket_type = stream
>     protocol    = tcp
>     wait        = no
>     user        = root
>     server      = /usr/local/sbin/stunnel
>     server_args = -p /usr/local/openssl/certs/stunnel.pem -l /opt/sfw/sbin/imapd -- imapd
> }
>
> Again, my config works for localhost connections; it works for
> connections on the firewalled LAN. A nearly identical configuration
> (without firewall) works for a direct internet connected IMAP server.
> NORMAL IMAP/POP traffic works either on the same LAN or through the
> firewall. Only the SSL tunnel'ed IMAP/POP connections don't work.
>
> Anyway, if anyone's solved this particular issue, help would be
> GREATLY appreciated.
> So,
> --
>
> Everyday, thousands of new cars are delivered to
> their new owners with poorly-selected radio station
> presets.
>
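The snoop trace in the quoted post already answers the question "is the filter dropping it?": the three-way handshake completes, the client sends 72 bytes, the server answers with 1107 bytes, the client sends a 7-byte segment and then resets. A small script that reads snoop's TCP summary lines and classifies the conversation makes that separation explicit. This is an added example written for this page, not code from either poster; the first trace is copied from the post, the second (an unanswered SYN to port 995) is constructed to show what a filter drop or a missing listener looks like, which is the case Moti's netstat check is aimed at. The one inference it encodes is that a 7-byte TLS record is exactly a record header (5 bytes) plus an alert (2 bytes), so a 7-byte segment immediately followed by a client RST points at the TLS handshake (certificate or cipher negotiation) rather than at the ipf/ipnat rules.

```python
import re

# Snoop trace copied from the quoted post (client xx.yyy.com, server typhoon, port 993).
TRACE = """\
xx.yyy.com -> typhoon TCP D=993 S=58277 Syn Seq=1304956141 Len=0 Win=64240 Options=<mss 1460,nop,nop,sackOK>
typhoon -> xx.yyy.com TCP D=58277 S=993 Syn Ack=1304956142 Seq=3794488653 Len=0 Win=49640 Options=<mss 1460,nop,nop,sackOK>
xx.yyy.com -> typhoon TCP D=993 S=58277 Ack=3794488654 Seq=1304956142 Len=0 Win=64240
xx.yyy.com -> typhoon TCP D=993 S=58277 Push Ack=3794488654 Seq=1304956142 Len=72 Win=64240
typhoon -> xx.yyy.com TCP D=58277 S=993 Ack=1304956214 Seq=3794488654 Len=0 Win=49568
typhoon -> xx.yyy.com TCP D=58277 S=993 Push Ack=1304956214 Seq=3794488654 Len=1107 Win=49568
xx.yyy.com -> typhoon TCP D=993 S=58277 Ack=3794489761 Seq=1304956214 Len=0 Win=63133
xx.yyy.com -> typhoon TCP D=993 S=58277 Push Ack=3794489761 Seq=1304956214 Len=7 Win=63133
typhoon -> xx.yyy.com TCP D=58277 S=993 Ack=1304956221 Seq=3794489761 Len=0 Win=49568
xx.yyy.com -> typhoon TCP D=993 S=58277 Rst Seq=1304956221 Len=0 Win=0
xx.yyy.com -> typhoon TCP D=993 S=58277 Rst Seq=1304956221 Len=0 Win=0
"""

# Constructed trace (not from the post): SYN retransmitted three times, never answered.
# This is what a silently dropped packet or an absent listener looks like on the wire.
TRACE_DROPPED = """\
xx.yyy.com -> typhoon TCP D=995 S=40001 Syn Seq=1 Len=0 Win=64240 Options=<mss 1460>
xx.yyy.com -> typhoon TCP D=995 S=40001 Syn Seq=1 Len=0 Win=64240 Options=<mss 1460>
xx.yyy.com -> typhoon TCP D=995 S=40001 Syn Seq=1 Len=0 Win=64240 Options=<mss 1460>
"""

LINE_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+) TCP D=(?P<dport>\d+) S=(?P<sport>\d+) (?P<rest>.*)$")
FLAG_WORDS = {"Syn", "Ack", "Push", "Rst", "Fin", "Urg"}
TLS_ALERT_RECORD_LEN = 7  # 5-byte TLS record header + 2-byte alert body


def parse_snoop(text):
    """Turn snoop TCP summary lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        # Flags show up as bare words (Syn, Push, Rst) or as Ack=<number>.
        flags = {tok.split("=", 1)[0] for tok in rest.split()} & FLAG_WORDS
        lm = re.search(r"\bLen=(\d+)", rest)
        pkts.append({
            "src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")), "sport": int(m.group("sport")),
            "flags": flags, "len": int(lm.group(1)) if lm else 0,
        })
    return pkts


def diagnose(pkts, server_port):
    """Classify one conversation to server_port: transport/filter problem or application-layer rejection."""
    syn = next((p for p in pkts if p["dport"] == server_port
                and "Syn" in p["flags"] and "Ack" not in p["flags"]), None)
    if syn is None:
        return {"verdict": "no_syn_seen", "client_data": [], "server_data": [], "rst_from": None}
    client, server = syn["src"], syn["dst"]
    syn_ack = any(p["src"] == server and {"Syn", "Ack"} <= p["flags"] for p in pkts)
    client_data = [p["len"] for p in pkts if p["src"] == client and p["len"] > 0]
    server_data = [p["len"] for p in pkts if p["src"] == server and p["len"] > 0]
    rst_from = next((p["src"] for p in pkts if "Rst" in p["flags"]), None)

    if not syn_ack and rst_from == server:
        verdict = "syn_refused"            # port closed: nothing listening (check netstat -l)
    elif not syn_ack:
        verdict = "syn_unanswered"         # dropped by a filter/NAT rule, or no return route
    elif not client_data:
        verdict = "no_client_data"         # handshake only; client gave up before sending TLS
    elif not server_data:
        verdict = "server_silent"          # TCP passed, but stunnel/xinetd never answered
    elif rst_from == client and client_data[-1] == TLS_ALERT_RECORD_LEN:
        verdict = "client_sent_tls_alert"  # 7-byte record then RST: client rejected the TLS handshake
    elif rst_from == client:
        verdict = "client_reset"
    elif rst_from == server:
        verdict = "server_reset"
    else:
        verdict = "completed"
    return {"verdict": verdict, "client_data": client_data,
            "server_data": server_data, "rst_from": rst_from}


if __name__ == "__main__":
    print(diagnose(parse_snoop(TRACE), 993))          # client_sent_tls_alert
    print(diagnose(parse_snoop(TRACE_DROPPED), 995))  # syn_unanswered
```

Run it as-is to see both verdicts, or pipe real snoop output into parse_snoop() with the port you are debugging. The 7-byte test is a size heuristic, not a decode of the record; when it fires, the next step is to confirm with the client's TLS debug output or the server's stunnel log, which will name the alert. The "syn_unanswered" and "syn_refused" branches are the ones a firewall or NAT rule actually produces, which is why this trace, with data flowing in both directions, exonerates the ipf/ipnat rules.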
