Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-28 Thread Ed W

Charles Marcus wrote:
> On 9/28/2009, Richard Hobbs (richard.ho...@crl.toshiba.co.uk) wrote:
>> One question though... before I accept the certificate, I get warnings.
>> One says the cert is not trusted (which is fine - it's self-signed). The
>> other warning, however, mentions a hostname mismatch. Is there any way
>> to put all of the hostnames we'll ever use into that certificate, so
>> regardless of whether people are accessing "mail.domain", "pop3.domain" or
>> "imap.domain", the hostname mismatch does not occur?
>
> There is a way to add 'alternate names', but I don't think TBird (or
> most other Clients) will recognize them.


Actually, I find them fully supported on all the clients I tried! (Not 
that many to be fair)


I am using a GoDaddy cert with multiple names and it's working just fine 
and dandy with Thunderbird and Apple Mail for example.  I believe others 
have reported success with various Microsoft PDAs also (which is 
encouraging)


Godaddy simply had the cheapest cert when I was looking around, but you 
still pay many $10s for a cert with 5 or so extra aliases


Wildcard certs may also work for you if you are *.domain, but in my case 
I needed various domain1.com, domain2.com type options



Good luck

Ed W
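Added example, not code from the thread, from Dovecot or from any CA named in it: a small Python hostname matcher that applies the rules mail clients use when comparing the name a user typed against the names in a certificate. It lets you check a planned subjectAltName list, a wildcard or a single CN against every hostname and IP address users will connect with before the certificate is bought or generated, which is the question Richard asked and Ed answered. The name lists in it are constructed for illustration.

```python
"""Which hostnames does a certificate's name list actually cover?

Added example, not code from the thread, from Dovecot or from any CA. It
implements the hostname-matching rules most mail clients apply (the
common subset of RFC 6125) so a planned subjectAltName list, wildcard
or plain CN can be checked against every name users will type. All
name lists below are constructed for illustration.
"""
import ipaddress


def dns_name_matches(hostname: str, cert_name: str) -> bool:
    """True if one DNS name from the certificate covers `hostname`.

    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the whole leftmost label, matches
      exactly one label, and never matches the bare domain, so
      "*.example.com" covers "pop3.example.com" but not "example.com"
      or "a.b.example.com";
    - partial wildcards ("ma*.example.com") are rejected.
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False
    if "*" in cert_name:
        if pattern[0] != "*" or any("*" in lbl for lbl in pattern[1:]):
            return False
        if len(pattern) < 3:  # "*.com" is not an acceptable wildcard
            return False
    return all(p == "*" or p == h for p, h in zip(pattern, host))


def name_matches(target: str, cert_name: str) -> bool:
    """Dispatch on the kind of name: "IP:..." entries stand for iPAddress SANs."""
    if cert_name.upper().startswith("IP:"):
        try:
            return ipaddress.ip_address(target) == ipaddress.ip_address(cert_name[3:])
        except ValueError:
            return False          # target is not an IP literal
    try:
        ipaddress.ip_address(target)
        return False              # an IP literal never matches a DNS name, even a wildcard
    except ValueError:
        return dns_name_matches(target, cert_name)


def coverage(targets, cert_names):
    """Map each name users might type to the certificate entry that covers it (or None)."""
    return {t: next((n for n in cert_names if name_matches(t, n)), None) for t in targets}


def uncovered(targets, cert_names):
    """The names that would still trigger a hostname-mismatch warning."""
    return [t for t, n in coverage(targets, cert_names).items() if n is None]


if __name__ == "__main__":
    # Constructed scenario: users reach the server by three names and its address.
    users_type = ["mail.example.com", "pop3.example.com", "imap.example.org", "192.0.2.25"]
    cn_only = ["mail.example.com"]
    wildcard = ["*.example.com"]
    san_list = ["mail.example.com", "pop3.example.com", "imap.example.org", "IP:192.0.2.25"]
    for label, names in [("CN only", cn_only), ("wildcard", wildcard), ("SAN list", san_list)]:
        print(f"{label:9} still warns for: {uncovered(users_type, names)}")
```

The three scenarios reproduce the thread's conclusions: a CN-only certificate warns on every other name, a wildcard covers everything directly under one domain but not a second domain or an IP address, and only an explicit SAN list (with an iPAddress entry for users who connect by IP) leaves nothing uncovered.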


Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-28 Thread Charles Marcus
On 9/28/2009, Richard Hobbs (richard.ho...@crl.toshiba.co.uk) wrote:
> One question though... before I accept the certificate, I get warnings.
> One says the cert is not trusted (which is fine - it's self-signed). The
> other warning, however, mentions a hostname mismatch. Is there any way
> to put all of the hostnames we'll ever use into that certificate, so
> regardless of whether people are accessing "mail.domain", "pop3.domain" or
> "imap.domain", the hostname mismatch does not occur?

There is a way to add 'alternate names', but I don't think TBird (or
most other Clients) will recognize them. You could also create a
wildcard self-signed cert, but I think TBird will still give that error...

Of course, for TBird, you could install the 'remember mismatched
domains' extension so you can make that 'error' go away...

-- 

Best regards,

Charles


Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-28 Thread Richard Hobbs
Hello,

Sorry people - i'm an idiot! ;-)

I was testing against our new hostnames that we setup for the new mail
server. Trouble was - these hostnames were setup initially to point at
the old mail server and are still doing so.

Having tested against the new mail server's IP address, everything works
fine!

One question though... before I accept the certificate, I get warnings.
One says the cert is not trusted (which is fine - it's self-signed). The
other warning, however, mentions a hostname mismatch. Is there any way
to put all of the hostnames we'll ever use into that certificate, so
regardless of whether people are accessing "mail.domain", "pop3.domain" or
"imap.domain", the hostname mismatch does not occur?

Thanks again!

Richard.


Richard Hobbs wrote:
> Hello,
> 
> Sorry people - my problem is actually the opposite of what I wrote
> below... POP3 gives no encryption options whatsoever, and IMAP defaults
> correctly, but still gives the option for no encryption.
> 
> Also, the SSL section of dovecot.conf is here: http://pastebin.ca/1582348
> 
> Thanks again!
> 
> Richard.
> 
> 
> Richard Hobbs wrote:
>> Hello,
>>
>>>> Is it possible to offer encrypted and non-encrypted services
>>>> simultaneously, so people have a choice of whether they want
>>>> security or not? I know that's a bit weird, but for testing
>>>> it would be useful.
>>> No problem. Basically you just need to specify the certificate
>>> (ssl_cert_file) and the key (ssl_key_file) in the config, and
>>> add 'imaps' and 'pop3s' to 'protocols'.
>> Thanks for the advice... however, it has only partially worked.
>>
>> When I "check what the server supports" in Kmail when setting up a new
>> account in my email client, for POP3, it says it supports None, SSL and
>> TLS and defaults to TLS, and auth methods are Clear text and Plain.
>>
>> Is there a way to get rid of the "None" method for encryption? I do not
>> have "pop3" in the protocols line - only "pop3s".
>>
>> As for IMAP, the problem is worse... all I get for IMAP is "No
>> encryption with clear text passwords". SSL/TLS just doesn't seem to be
>> an option for IMAP despite "imaps" being in the protocols line and
>> "imap" *not* being there.
>>
>> For both these tests, rightly or wrongly, I used the standard ports (110
>> for POP3, 143 for IMAP). I know SSL typically operates on higher port
>> numbers, at least for IMAP, but I don't know how this all works when you
>> turn off non-encrypted protocols.
>>
>> Any advice gratefully received!
>>
>> Thanks again,
>> Richard.
>>
>>
>> Patrick Nagel wrote:
>>> Hi Richard,
>>>
>>> On 2009-09-03 16:38, Richard Hobbs wrote:
>>>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>>>> 110.
>>>> We would like to enable security on both of these protocols to attempt
>>>> to eliminate the risk from an internal
>>>> password-grabbing/content-grabbing attack.
>>>> I presume this would mean enabling SSL, and a more secure
>>>> authentication, right? Or are plain text passwords just sent over the
>>>> SSL, and therefore perfectly secure?
>>> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
>>> secured before the password is sent.
>>>
>>>> Also, what are the steps to enable security for these protocols on an
>>>> already-configured server?
>>>> Is it possible to offer encrypted and non-encrypted services
>>>> simultaneously, so people have a choice of whether they want security or
>>>> not? I know that's a bit weird, but for testing it would be useful.
>>> No problem. Basically you just need to specify the certificate 
>>> (ssl_cert_file)
>>> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
>>> 'protocols'.
>>>
>>>> Finally, is there a way to monitor which users are connecting over the
>>>> secure ports and which users are connecting over the non-secure ports?
>>> You can see it in the log.
>>>
>>> Patrick.
>>>
>> __
>> This email has been scanned by the MessageLabs Email Security System.
>> For more information please visit http://www.messagelabs.com/email
>> __
>>
>>
>>
> 

-- 
Richard Hobbs (IT Specialist)
Toshiba Research Europe Ltd. - Cambridge Research Laboratory
Email: richard.ho...@crl.toshiba.co.uk
Web: http://www.toshiba-europe.com/research/
Tel: +44 1223 436999   Mobile: +44 7811 803377


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-28 Thread Richard Hobbs
Hello,

Sorry people - my problem is actually the opposite of what I wrote
below... POP3 gives no encryption options whatsoever, and IMAP defaults
correctly, but still gives the option for no encryption.

Also, the SSL section of dovecot.conf is here: http://pastebin.ca/1582348

Thanks again!

Richard.


Richard Hobbs wrote:
> Hello,
> 
>>> Is it possible to offer encrypted and non-encrypted services
>>> simultaneously, so people have a choice of whether they want
>>> security or not? I know that's a bit weird, but for testing
>>> it would be useful.
>> No problem. Basically you just need to specify the certificate
>> (ssl_cert_file) and the key (ssl_key_file) in the config, and
>> add 'imaps' and 'pop3s' to 'protocols'.
> 
> Thanks for the advice... however, it has only partially worked.
> 
> When I "check what the server supports" in Kmail when setting up a new
> account in my email client, for POP3, it says it supports None, SSL and
> TLS and defaults to TLS, and auth methods are Clear text and Plain.
> 
> Is there a way to get rid of the "None" method for encryption? I do not
> have "pop3" in the protocols line - only "pop3s".
> 
> As for IMAP, the problem is worse... all I get for IMAP is "No
> encryption with clear text passwords". SSL/TLS just doesn't seem to be
> an option for IMAP despite "imaps" being in the protocols line and
> "imap" *not* being there.
> 
> For both these tests, rightly or wrongly, I used the standard ports (110
> for POP3, 143 for IMAP). I know SSL typically operates on higher port
> numbers, at least for IMAP, but I don't know how this all works when you
> turn off non-encrypted protocols.
> 
> Any advice gratefully received!
> 
> Thanks again,
> Richard.
> 
> 
> Patrick Nagel wrote:
>> Hi Richard,
>>
>> On 2009-09-03 16:38, Richard Hobbs wrote:
>>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>>> 110.
>>> We would like to enable security on both of these protocols to attempt
>>> to eliminate the risk from an internal
>>> password-grabbing/content-grabbing attack.
>>> I presume this would mean enabling SSL, and a more secure
>>> authentication, right? Or are plain text passwords just sent over the
>>> SSL, and therefore perfectly secure?
>> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
>> secured before the password is sent.
>>
>>> Also, what are the steps to enable security for these protocols on an
>>> already-configured server?
>>> Is it possible to offer encrypted and non-encrypted services
>>> simultaneously, so people have a choice of whether they want security or
>>> not? I know that's a bit weird, but for testing it would be useful.
>> No problem. Basically you just need to specify the certificate 
>> (ssl_cert_file)
>> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
>> 'protocols'.
>>
>>> Finally, is there a way to monitor which users are connecting over the
>>> secure ports and which users are connecting over the non-secure ports?
>> You can see it in the log.
>>
>> Patrick.
>>
> 
> 
> 
> 





Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-28 Thread Richard Hobbs
Hello,

>> Is it possible to offer encrypted and non-encrypted services
>> simultaneously, so people have a choice of whether they want
>> security or not? I know that's a bit weird, but for testing
>> it would be useful.
>
> No problem. Basically you just need to specify the certificate
> (ssl_cert_file) and the key (ssl_key_file) in the config, and
> add 'imaps' and 'pop3s' to 'protocols'.

Thanks for the advice... however, it has only partially worked.

When I "check what the server supports" in Kmail when setting up a new
account in my email client, for POP3, it says it supports None, SSL and
TLS and defaults to TLS, and auth methods are Clear text and Plain.

Is there a way to get rid of the "None" method for encryption? I do not
have "pop3" in the protocols line - only "pop3s".

As for IMAP, the problem is worse... all I get for IMAP is "No
encryption with clear text passwords". SSL/TLS just doesn't seem to be
an option for IMAP despite "imaps" being in the protocols line and
"imap" *not* being there.

For both these tests, rightly or wrongly, I used the standard ports (110
for POP3, 143 for IMAP). I know SSL typically operates on higher port
numbers, at least for IMAP, but I don't know how this all works when you
turn off non-encrypted protocols.

Any advice gratefully received!

Thanks again,
Richard.


Patrick Nagel wrote:
> Hi Richard,
> 
> On 2009-09-03 16:38, Richard Hobbs wrote:
>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>> 110.
> 
>> We would like to enable security on both of these protocols to attempt
>> to eliminate the risk from an internal
>> password-grabbing/content-grabbing attack.
> 
>> I presume this would mean enabling SSL, and a more secure
>> authentication, right? Or are plain text passwords just sent over the
>> SSL, and therefore perfectly secure?
> 
> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
> secured before the password is sent.
> 
>> Also, what are the steps to enable security for these protocols on an
>> already-configured server?
> 
>> Is it possible to offer encrypted and non-encrypted services
>> simultaneously, so people have a choice of whether they want security or
>> not? I know that's a bit weird, but for testing it would be useful.
> 
> No problem. Basically you just need to specify the certificate (ssl_cert_file)
> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
> 'protocols'.
> 
>> Finally, is there a way to monitor which users are connecting over the
>> secure ports and which users are connecting over the non-secure ports?
> 
> You can see it in the log.
> 
> Patrick.
> 






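What Kmail's "check what the server supports" button reports is simply the capability advertisement the server sends before login. The following is an added example, not code from the thread or from Dovecot, that parses that advertisement for IMAP and POP3 and reports whether a port is wrapped in TLS from the first byte (imaps/pop3s), offers STARTTLS/STLS, and whether it still accepts a plaintext login. The sample responses are constructed; the probe() helper for checking a live listener is an assumption of this example (Dovecot ships nothing like it) and needs network access.

```python
"""Classify what a POP3/IMAP listener offers before login.

Added example, not code from the thread or from Dovecot. It reads the
capability advertisement a server sends before authentication and
reports whether a port is implicit-TLS (imaps/pop3s), offers
STARTTLS/STLS, and whether it still accepts plaintext logins. The
sample responses are constructed; probe() needs network access.
"""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class Listener:
    protocol: str          # "imap" or "pop3"
    implicit_tls: bool     # TLS from the first byte (the imaps/pop3s ports)
    starttls: bool         # STARTTLS (IMAP) or STLS (POP3) advertised
    plaintext_login: bool  # credentials accepted without any TLS at all

    def verdict(self) -> str:
        if self.implicit_tls:
            return "encrypted (implicit TLS)"
        if self.starttls and not self.plaintext_login:
            return "encrypted (STARTTLS enforced)"
        if self.starttls:
            return "optional encryption: plaintext login still accepted"
        return "unencrypted only"


def _imap_caps(line: str) -> set:
    """Capability tokens from '* OK [CAPABILITY ...] greeting' or '* CAPABILITY ...'."""
    upper = line.strip().upper()
    if "[CAPABILITY" in upper:
        inner = upper.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif upper.startswith("* CAPABILITY"):
        inner = upper[len("* CAPABILITY"):]
    else:
        inner = ""
    return set(inner.split())


def classify_imap(capability_line: str, implicit_tls: bool = False) -> Listener:
    caps = _imap_caps(capability_line)
    # RFC 3501: LOGINDISABLED means LOGIN is refused on this (unprotected) connection;
    # an AUTH=PLAIN offered without TLS is still a plaintext credential path.
    plaintext = not implicit_tls and (
        "LOGINDISABLED" not in caps or any(c.startswith("AUTH=") for c in caps)
    )
    return Listener("imap", implicit_tls, "STARTTLS" in caps, plaintext)


def classify_pop3(capa_lines, implicit_tls: bool = False) -> Listener:
    """capa_lines: the lines of a CAPA response, with or without the '+OK' and '.' framing."""
    caps = set()
    for ln in capa_lines:
        tok = ln.strip().split()
        if tok and tok[0] not in ("+OK", "."):
            caps.add(tok[0].upper())
    # USER (RFC 1939 login) or a SASL list on a non-TLS port means plaintext credentials are accepted.
    plaintext = not implicit_tls and bool(caps & {"USER", "SASL"})
    return Listener("pop3", implicit_tls, "STLS" in caps, plaintext)


def probe(host: str, port: int, protocol: str, implicit_tls: bool, timeout: float = 5.0) -> Listener:
    """Connect to a live listener and classify it. Certificate verification stays on."""
    raw = socket.create_connection((host, port), timeout=timeout)
    sock = ssl.create_default_context().wrap_socket(raw, server_hostname=host) if implicit_tls else raw
    with sock, sock.makefile("rwb") as f:
        def readline():
            return f.readline().decode("utf-8", "replace")
        greeting = readline()
        if protocol == "imap":
            if "[CAPABILITY" not in greeting.upper():
                f.write(b"a1 CAPABILITY\r\n"); f.flush()
                greeting = readline()            # the untagged '* CAPABILITY' line
            result = classify_imap(greeting, implicit_tls)
            f.write(b"a2 LOGOUT\r\n"); f.flush()
        else:
            f.write(b"CAPA\r\n"); f.flush()
            lines = []
            while True:
                ln = readline()
                if not ln or ln.strip() == "." or (not lines and ln.startswith("-ERR")):
                    break
                lines.append(ln)
            result = classify_pop3(lines, implicit_tls)
            f.write(b"QUIT\r\n"); f.flush()
    return result


if __name__ == "__main__":
    # Constructed advertisements in the style a Dovecot server might send (illustrative only).
    for lst in (
        classify_imap("* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] Dovecot ready."),
        classify_imap("* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN"),
        classify_pop3(["+OK", "STLS", "PIPELINING", "."]),
        classify_pop3(["+OK", "STLS", "USER", "SASL PLAIN", "."]),
    ):
        print(f"{lst.protocol}: {lst.verdict()}")
```

On the plaintext ports (110/143) the result to aim for is STARTTLS plus LOGINDISABLED for IMAP, or STLS without USER/SASL for POP3: the port can still be upgraded to TLS but will not take a password in the clear. Dovecot's disable_plaintext_auth setting (on by default) is what suppresses that plaintext login path on non-TLS connections; the implicit-TLS ports never expose one. If a hostname still reports "unencrypted only" after the configuration change, confirm that the name resolves to the server you actually reconfigured, which is what turned out to be the problem in this thread.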


Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-25 Thread aja-lists
Richard Hobbs wrote:

> I'm running Debian Lenny 5.0 btw - does anyone know if these keys were
> simply part of the dovecot package, or whether they have been generated
> during the installation process and are therefore unique?

In Debian Lenny (and Etch) those keys are generated during the
installation of the dovecot-imapd and/or dovecot-pop3d packages.

If you really want to re-do them, you can (re)move them, and then run
apt-get install --reinstall dovecot-imapd dovecot-pop3d .



Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-24 Thread Josep L. Guallar-Esteve
Hello Richard,

Maybe the included .pem files are bad (expired, pointing to the wrong server name 
or whatnot).

I'd generate new .pem files.

The Dovecot documentation points to the mkcert.sh script. With this script you can 
generate your own certificate, after filling in the OpenSSL config file used 
by mkcert.sh.

On my system, the script is located at 
/usr/libexec/dovecot/mkcert.sh


and the configuration file is at:
/etc/pki/dovecot/dovecot-openssl.cnf

With the key and certificate generated by this script, Dovecot is happy to work 
with SSL (imaps in my case).

Hope this helps,

Josep


On Thursday 24 September 2009 11:39:59 am Richard Hobbs wrote:
> Hello,
>
> Thanks again for your response...
>
> However, upon closer inspection, it seems that both
> "/etc/ssl/certs/dovecot.pem" and "/etc/ssl/private/dovecot.pem" already
> exist!
>
> I'm running Debian Lenny 5.0 btw - does anyone know if these keys were
> simply part of the dovecot package, or whether they have been generated
> during the installation process and are therefore unique?
>
> If they are unique, then I don't need to generate my own, perhaps?
>
> Thanks again,
> Richard.
>
> Christian Schmidt wrote:
> > Hello Richard,
> >
> > Richard Hobbs, 10.09.2009 (d.m.y):
> >> Thanks for the advice - how do I generate SSL cert files and SSL key
> >> files?
> >
> > Just use OpenSSL.
> > There's a short description of what to do on
> >  - or in any other OpenSSL Howto...
> >
> > Gruss/Regards,
> > Christian Schmidt



-- 
Josep L. Guallar-Esteve - IT Department





Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-24 Thread Richard Hobbs
Hello,

Thanks again for your response...

However, upon closer inspection, it seems that both
"/etc/ssl/certs/dovecot.pem" and "/etc/ssl/private/dovecot.pem" already
exist!

I'm running Debian Lenny 5.0 btw - does anyone know if these keys were
simply part of the dovecot package, or whether they have been generated
during the installation process and are therefore unique?

If they are unique, then I don't need to generate my own, perhaps?

Thanks again,
Richard.


Christian Schmidt wrote:
> Hello Richard,
> 
> Richard Hobbs, 10.09.2009 (d.m.y):
> 
>> Thanks for the advice - how do I generate SSL cert files and SSL key
>> files? 
> 
> Just use OpenSSL.
> There's a short description of what to do on
>  - or in any other OpenSSL Howto...
> 
> Gruss/Regards,
> Christian Schmidt
> 





Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-11 Thread Christian Schmidt
Hello Richard,

Richard Hobbs, 10.09.2009 (d.m.y):

> Thanks for the advice - how do I generate SSL cert files and SSL key
> files? 

Just use OpenSSL.
There's a short description of what to do on
 - or in any other OpenSSL Howto...

Gruss/Regards,
Christian Schmidt

-- 
Having nothing, nothing can he lose.
-- William Shakespeare, "Henry VI"




Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-10 Thread Richard Hobbs
Hello,

Replies inline...

Patrick Nagel wrote:
> Hi Richard,
> 
> On 2009-09-03 16:38, Richard Hobbs wrote:
>> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
>> 110.
> 
>> We would like to enable security on both of these protocols to attempt
>> to eliminate the risk from an internal
>> password-grabbing/content-grabbing attack.
> 
>> I presume this would mean enabling SSL, and a more secure
>> authentication, right? Or are plain text passwords just sent over the
>> SSL, and therefore perfectly secure?
> 
> Yes, plain text passwords are fine with SSL/TLS, since the connection gets
> secured before the password is sent.

OK, I'll do that then, unless it's not commonly what's done for some
reason...

>> Also, what are the steps to enable security for these protocols on an
>> already-configured server?
> 
>> Is it possible to offer encrypted and non-encrypted services
>> simultaneously, so people have a choice of whether they want security or
>> not? I know that's a bit weird, but for testing it would be useful.
> 
> No problem. Basically you just need to specify the certificate (ssl_cert_file)
> and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
> 'protocols'.

Thanks for the advice - how do I generate SSL cert files and SSL key
files? Also, various people access our mail server over IP, or various
different hostnames - can all of those be built into the key/cert files
so they aren't continually warned about hostname mismatches?

>> Finally, is there a way to monitor which users are connecting over the
>> secure ports and which users are connecting over the non-secure ports?
> 
> You can see it in the log.

Excellent.

Thanks again,
Richard.





Re: [Dovecot] Enabling security on POP3 and IMAP

2009-09-03 Thread Patrick Nagel

Hi Richard,

On 2009-09-03 16:38, Richard Hobbs wrote:
> Currently, on our new test server, I am offering IMAP on 143 and POP3 on
> 110.
> 
> We would like to enable security on both of these protocols to attempt
> to eliminate the risk from an internal
> password-grabbing/content-grabbing attack.
> 
> I presume this would mean enabling SSL, and a more secure
> authentication, right? Or are plain text passwords just sent over the
> SSL, and therefore perfectly secure?

Yes, plain text passwords are fine with SSL/TLS, since the connection gets
secured before the password is sent.

> Also, what are the steps to enable security for these protocols on an
> already-configured server?
> 
> Is it possible to offer encrypted and non-encrypted services
> simultaneously, so people have a choice of whether they want security or
> not? I know that's a bit weird, but for testing it would be useful.

No problem. Basically you just need to specify the certificate (ssl_cert_file)
and the key (ssl_key_file) in the config, and add 'imaps' and 'pop3s' to
'protocols'.

> Finally, is there a way to monitor which users are connecting over the
> secure ports and which users are connecting over the non-secure ports?

You can see it in the log.

Patrick.

-- 
STAR Software (Shanghai) Co., Ltd.  http://www.star-group.net/
Phone:+86 (21) 3462 7688 x 826   Fax:   +86 (21) 3462 7779

PGP key:  E883A005 https://stshacom1.star-china.net/keys/patrick_nagel.asc
Fingerprint: E09A D65E 855F B334 E5C3 5386 EF23 20FC E883 A005
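Patrick's "you can see it in the log" answers the monitoring question: Dovecot's login lines record whether the session was protected. The following added example (not from the thread or from Dovecot) parses constructed lines in the Dovecot 1.x imap-login/pop3-login format, where a trailing ", TLS" marks a TLS session and ", secured" a connection Dovecot already treats as secure (for example from localhost), and counts per-user encrypted versus plaintext logins, listing the plaintext ones for follow-up. The exact log format is an assumption about that version; check one real line from your own log against LOGIN_RE before relying on the counts.

```python
"""Count encrypted versus plaintext logins from Dovecot login log lines.

Added example, not code from the thread or from Dovecot. The log format
assumed is the Dovecot 1.x 'imap-login'/'pop3-login' Login line, in
which a ', TLS' suffix marks a TLS-protected session and ', secured'
marks a connection Dovecot already treats as secure; a line with
neither is a login over a plaintext connection. The sample lines are
constructed, not taken from any real server.
"""
import re
from collections import defaultdict

LOGIN_RE = re.compile(
    r"(?P<proto>imap|pop3)-login: Login: user=<(?P<user>[^>]*)>, "
    r"method=(?P<method>[^,]+), rip=(?P<rip>[^,\s]+), lip=(?P<lip>[^,\s]+)(?P<rest>.*)$"
)

# Constructed sample: two TLS logins, two plaintext logins, one local "secured"
# login and one non-login line that the parser must ignore.
SAMPLE_LOG = """\
Sep 28 09:12:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Sep 28 09:12:05 mail dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1
Sep 28 09:13:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.10, lip=192.0.2.1, TLS
Sep 28 09:14:02 mail dovecot: imap-login: Disconnected (no auth attempts): rip=192.0.2.12, lip=192.0.2.1
Sep 28 09:15:17 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Sep 28 09:16:30 mail dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=192.0.2.11, lip=192.0.2.1
"""


def parse_login(line: str):
    """Return a dict describing a successful login, or None for any other line."""
    m = LOGIN_RE.search(line)
    if not m:
        return None
    # Whatever follows lip= is a comma-separated flag list (", TLS", ", secured", ...).
    flags = {f.strip() for f in m.group("rest").split(",") if f.strip()}
    return {
        "proto": m.group("proto"),
        "user": m.group("user"),
        "method": m.group("method"),
        "rip": m.group("rip"),
        "transport": "tls" if "TLS" in flags else "secured" if "secured" in flags else "plaintext",
    }


def summarize(lines):
    """Per-user counts of logins by transport."""
    counts = defaultdict(lambda: {"tls": 0, "secured": 0, "plaintext": 0})
    for ln in lines:
        rec = parse_login(ln)
        if rec:
            counts[rec["user"]][rec["transport"]] += 1
    return dict(counts)


def plaintext_logins(lines):
    """(protocol, user, remote IP) for every login whose password crossed the wire unprotected."""
    return [(r["proto"], r["user"], r["rip"])
            for r in map(parse_login, lines) if r and r["transport"] == "plaintext"]


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for user, c in sorted(summarize(lines).items()):
        print(f"{user:8} tls={c['tls']} secured={c['secured']} plaintext={c['plaintext']}")
    for proto, user, rip in plaintext_logins(lines):
        print(f"plaintext login: {user} via {proto} from {rip}")
```

Run it against the real log (for example by feeding `open('/var/log/mail.log')` to summarize) once the encrypted ports are in place: the plaintext list is exactly the set of users and clients still to be moved over, and once it stays empty the plaintext login path can be turned off.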


[Dovecot] Enabling security on POP3 and IMAP

2009-09-03 Thread Richard Hobbs
Hello,

Currently, on our new test server, I am offering IMAP on 143 and POP3 on
110.

We would like to enable security on both of these protocols to attempt
to eliminate the risk from an internal
password-grabbing/content-grabbing attack.

I presume this would mean enabling SSL, and a more secure
authentication, right? Or are plain text passwords just sent over the
SSL, and therefore perfectly secure?

Also, what are the steps to enable security for these protocols on an
already-configured server?

Is it possible to offer encrypted and non-encrypted services
simultaneously, so people have a choice of whether they want security or
not? I know that's a bit weird, but for testing it would be useful.

Finally, is there a way to monitor which users are connecting over the
secure ports and which users are connecting over the non-secure ports?

Thanks in advance!

Richard.


