SSL for POP3 (and SMTP for that matter)


rgmhtt
Posts: 70
Joined: Wed Jan 04, 2006 4:37 pm
Location: Oak Park

SSL for POP3 (and SMTP for that matter)

Postby rgmhtt » Thu Mar 30, 2006 12:47 pm

SSL works just fine for webmail

But not, it seems for POP3 or SMTP (from POP3 client).

I am using Eudora 7 and have configured it to:

If Available STARTTLS and no SSL/TLS is started.

My other Eudora options are:

required, STARTTLS
required, alternative port

These options are for both receiving mail (POP3) and sending mail (SMTP).

I don't see a field for alternative port for POP3, but there is a check box for "use submission port 587".


Postby rgmhtt » Thu Mar 30, 2006 12:49 pm

Oh, I just tried 'Required, STARTTLS' for retrieving mail and got the error:

Server does not support SSL

ScalixSupport
Scalix
Posts: 5503
Joined: Thu Mar 25, 2004 8:15 pm

Postby ScalixSupport » Thu Mar 30, 2006 1:01 pm

What search criteria did you use in the knowledgebase?

If you go to http://www.scalix.com/support/knowledgebase.html and click FAQ tab, the 4th item down shows you how to configure POP3S.

If you click on the Solutions tab and enter the word "secure", the first hit is how to configure secure SMTP.

Cheers

Dave


Postby rgmhtt » Thu Mar 30, 2006 4:50 pm

ScalixSupport wrote: What search criteria did you use in the knowledgebase?

Something as important as secure POP3 and IMAP is not in the Install docs, but in the knowledgebase??????

As a security professional (I design security protocols, rarely configure them myself, which is why I am here), I am taken aback by this fact.

ScalixSupport wrote: If you go to http://www.scalix.com/support/knowledgebase.html and click FAQ tab, the 4th item down shows you how to configure POP3S.

No. That gives IMAP and SMTP.

ScalixSupport wrote: If you click on the Solutions tab and enter the word "secure", the first hit is how to configure secure SMTP.

That tells you how to set up secure SMTP on its own IP address, separate from the one used to transfer mail with other SMTP servers.

I would like to find some references as to why to do this. Concerned anyone could then connect to the server over the SSL port and send out spam? I would hope that the same relay protection exists on both ports.

So POP3 might be:

[POP3]
accept = 995 [had to look that up in well known ports list]
connect = 110

==============

My system does not have an stunnel.conf file, but I see a module in webmin to set this up...


Postby rgmhtt » Thu Mar 30, 2006 5:03 pm

rgmhtt wrote: So POP3 might be:

[POP3]
accept = 995
connect = 110

I created an stunnel.conf file with the lines:

[spop3]
accept = 995
connect = 110

and it is not working. Stopped and started POP3 via SCA and no change.

Obviously doing something wrong.

More searching needed....


Postby ScalixSupport » Thu Mar 30, 2006 6:46 pm

You'd be surprised the number of people that don't consider secure POP or SMTP to be a priority.

The SMTP document shows that you reject non-authenticated connections on the secure IP and, therefore, only known users can send outside of your domain.
For the non-secure IP, the relay rules in smtpd.cfg prevent sending to an external domain if there is no match.

The reason for having multiple IP addresses is that the smtp config doesn't provide for separate MTA and MSA configurations at present; this is fixed in the next major release.

Either way, the same rules apply to both connections.

For your pop3 problem, from the command line, type:

    openssl s_client -connect server.domain.com:995

and see if you get the POP3 banner from the server.

Cheers

Dave


Postby ScalixSupport » Thu Mar 30, 2006 7:00 pm

rgmhtt wrote: I created an stunnel.conf file with the lines:

[spop3]
accept = 995
connect = 110

I think you mean pop3s instead of spop3. If you're looking for TLS within POP3, you could also try adding:

    protocol=pop3

to that section as well.

Cheers

Dave
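An added example, not from this thread or from Scalix, that automates the two checks suggested above: the openssl s_client banner check on 995 (implicit TLS, what a [pop3s] stunnel section provides) and a STARTTLS check on 110 (RFC 2595 STLS, what stunnel's protocol=pop3 option adds). The host name and the "Scalix POP3 server ready" greeting in the comments are assumed sample values.

```python
# Added example (not from the thread): probe a POP3 host for both TLS modes.
# parse_status/parse_capa work offline on constructed replies; probe() needs a host.
import socket
import ssl


def parse_status(line) -> bool:
    """Return True for a '+OK' reply, False for '-ERR'; anything else is not POP3."""
    if isinstance(line, bytes):
        line = line.decode("ascii", "replace")
    text = line.rstrip("\r\n")
    if text.startswith("+OK"):
        return True
    if text.startswith("-ERR"):
        return False
    raise ValueError(f"not a POP3 status line: {text!r}")


def parse_capa(payload: bytes) -> set:
    """Parse a multi-line CAPA reply (RFC 2449) into the set of capability names."""
    lines = payload.decode("ascii", "replace").split("\r\n")
    if not parse_status(lines[0]):
        return set()          # server has no CAPA support; no STLS either
    caps = set()
    for raw in lines[1:]:
        if raw == ".":        # end of the multi-line response
            break
        if raw:
            caps.add(raw.split()[0].upper())
    return caps


def probe(host: str, timeout: float = 5.0) -> dict:
    """Return {'pop3s': bool, 'starttls': bool} for the given host (assumed name)."""
    ctx = ssl.create_default_context()   # verifies the server certificate and name
    result = {"pop3s": False, "starttls": False}
    try:  # 1. implicit TLS on 995: handshake first, then expect e.g. "+OK Scalix POP3 server ready"
        with socket.create_connection((host, 995), timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["pop3s"] = parse_status(tls.recv(512))
    except (OSError, ssl.SSLError, ValueError):
        pass
    try:  # 2. STARTTLS on 110: plain greeting, CAPA must list STLS, then upgrade
        with socket.create_connection((host, 110), timeout) as s:
            parse_status(s.recv(512))
            s.sendall(b"CAPA\r\n")
            if "STLS" in parse_capa(s.recv(4096)) and (s.sendall(b"STLS\r\n") or parse_status(s.recv(512))):
                with ctx.wrap_socket(s, server_hostname=host) as tls:
                    tls.sendall(b"CAPA\r\n")            # valid in AUTHORIZATION state
                    result["starttls"] = parse_status(tls.recv(4096))
    except (OSError, ssl.SSLError, ValueError):
        pass
    return result
```

If pop3s is False but the plain port answers, stunnel is not listening on 995 (wrong section name or service not running); a False starttls with a working 995 is expected from an stunnel setup without protocol=pop3.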

mwarfield

Any plans for native SSL / TLS support?

Postby mwarfield » Sat Apr 22, 2006 5:48 pm

Forcing admins to use stunnel for SSL-encrypted POP3 and IMAP sucks. It doesn't help at all with STARTTLS (which starts on the non-encrypted port and switches to TLS/SSL3), and it's just one more external kludge to manage to make things work. The same thing applies to LDAP/LDAPS and SMTP/SMTPS. Stunnel doesn't give you the ability to switch to TLS on the fly.

I'm the author of the original SSL code in fetchmail. That TOO used to require silly headstands with stunnel and looped connections to make SSL work. That drove me nuts until I coded SSL into fetchmail and Eric Raymond integrated the patches years ago. It doesn't take a rocket scientist to implement SSL using OpenSSL. Using stunnel to work around the deficiency is just a half-baked kludge at best that cannot fully support the feature set. Take a peek at Dovecot. They got it right (and they even support IPv6, which is another gaping deficiency I need).

Are there any plans to integrate SSL/TLS into Scalix properly?


Postby ScalixSupport » Sat Apr 22, 2006 10:50 pm

Thanks for your candid feedback.

There are no current plans to implement SSL/TLS into any of our daemons at the moment as it has not been raised as a priority with our customer base. Most users have HTTPS access to SWA or are using VPNs for secure communications and do not offer any other client access. Those customers that do need this feature are comfortable with implementing stunnel.

From our perspective, it's a no-brainer to use stunnel as it just works. It means we don't have to re-invent the wheel while we dedicate resources to features that people are actually asking for. Similarly, we haven't added anti-spam or anti-virus capabilities natively because other people have already done it. We'd be spending more time responding to questions as to why we couldn't be more like Product X.

Cheers

Dave
