AW: [suse-security] POP3 with Outlook SSL
Thanks for your help. I am using SSLWRAP now. It's working fine and it's also very easy to configure (read README.SuSE in /usr/doc/packages).

Bye
Fritz

-----Original Message-----
From: Holger Woehle [mailto:Holger.Woehle@ITELLIUM.com]
Sent: Monday, 31 January 2000 12:37
To: f.spitzer@geosystems.de
Subject: AW: [suse-security] POP3 with Outlook SSL

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Fritz,

you can use SSLWRAP. It comes to you with SUSE-Linux since 6.1. It belongs to the sec (security) Packages. After installing it, you have to create a key/certificate pair and modify your /etc/inetd.conf & /etc/services (see below) and kill -HUP inetd ... Pretty simple, isn't it ?

btw. Don't be confused about my inetd.conf. I am using qmail & qmail-pop3d. You only have to insert the pop3s line.

cu Holgi

inetd.conf :

    pop3 stream tcp nowait root /var/qmail/bin/qmail-popup qmail-popup itmail.itellium.nvag.de /bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir
    pop3s stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sslwrap -cert /usr/ssl/certs/annina.pem -port 110

services :

    #
    # Secure Ports:
    smtps      465/tcp   # smtp protocol over TLS/SSL
    nntps      563/tcp   # nntp protocol over TLS/SSL
    imaps      993/tcp   # imap4 protocol over TLS/SSL
    pop3s      995/tcp   # POP3 protocol over TLS/SSL
    ftps-data  989/tcp   # ftp protocol (data) over TLS/SSL
    ftps       990/tcp   # ftp protocol (control) over TLS/SSL

- -----Original Message-----
From: F. Spitzer, GEOSYSTEMS [mailto:f.spitzer@geosystems.de]
Sent: Monday, 31 January 2000 10:19
To: suse-security@suse.com
Subject: [suse-security] POP3 with Outlook SSL

Hi,

I am wondering if anyone has an idea how to implement a POP3 connection over SSL from Microsoft (Outlook 98, Outlook-Express) on a Linux mailserver

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBOJVlyKwDHGNKekZYEQINgQCgpMCsb7+TMBi7ufPM1USF2Yt/5pQAoKRg
nYIghUiA6cEv4f26q/z0lJ8q
=OUkg
-----END PGP SIGNATURE-----
Anyone having this problem w/ xlock?

xlock: caught signal 11 while running swirl mode (uid 500).

-Jae

** "I'm very drunk and I intend on getting drunker before it's over." -Clark Gable, Gone with the Wind
> Anyone having this problem w/ xlock?
> xlock: caught signal 11 while running swirl mode (uid 500).
We also had this problem, but only on machines running quite old versions of SuSE Linux (5.x, x < 3 or so). Seems to be a bug in one of xlock's modules.

This is in fact *not* off topic, because it can be a real security problem when someone locks his/her screen with xlock -mode random and the screen simply unlocks some time later during his/her absence.

We solved it by telling the users to use xlock -mode some-mode with some-mode not being "swirl" ;-)

Hope this helps,
Jan Hildebrandt

-- 
jan.hildebrandt@mathema.de MATHEMA Software GmbH (http://www.mathema.de) Nägelsbachstraße 25a D-91052 Erlangen, Germany Tel: (+49)9131/8903-0 Fax: (+49)9131/8903-55
Thanks for the tips. I did the installation also. But it doesn't seem to work and I don't know why (grmpf ;-) )

- Package sslwrap installed
- Key created as described in /usr/doc/packages/sslwrap/README.SuSE
- changed /etc/inetd.conf as described
- added secure ports to /etc/services
- restarted inetd

Forcing my Netscape to use TLS/SSL returns a terse message "Mailserver seems not to work bla bla bla" instead of sending mail.

Any hints?

-- 
Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
On Tue, Feb 01, 2000 at 10:08:21PM +0100, Walter Krohe wrote:
> Thanks for the tips. I did the installation also.
> But it doesn't seem to work and I don't know why (grmpf ;-) )
>
> - Package sslwrap installed
> - Key created as described in /usr/doc/packages/sslwrap/README.SuSE
> - changed /etc/inetd.conf as described
> - added secure ports to /etc/services
> - restarted inetd
>
> Forcing my Netscape to use TLS/SSL returns a terse message "Mailserver seems not to work bla bla bla" instead of sending mail.

From your later emails I have seen that you apply tcpwrappers. Did you think of allowing access to sslwrap in /etc/hosts.allow? In any case (failure or success) you should find messages in the logfiles, /var/log/messages and maybe /var/log/mail (sorry, don't know where qpop logs its messages on Linux, I only have the setup under HP-UX).

Good luck,
Lutz

-- 
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Oops, I was wrong. I mixed up pop3 and smtp. Sorry! So what I want is an smtp with ssl connection.

How can that be realized on a linuxbox? I hope I'm not off-topic. Maybe that is not useful at all, but Netscape has such an option to choose.

-- 
Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
Hi, On Wed, Feb 02, 2000 at 12:19:32AM +0100, Walter Krohe wrote:
> Oops, I was wrong. I mixed up pop3 and smtp. Sorry! So what I want is an smtp with ssl connection.
Several Mail Transfer Agents (MTAs) do have SSL/TLS capabilities as defined in RFC 2487, for example Postfix (www.postfix.org) with Lutz Jänicke's TLS patches (http://www.aet.tu-cottbus.de/personen/jaenicke/pfixtls/) has been known to work for quite some time, both as client and as server. Sendmail has patches available now, too.

}:> Till.
> How can that be realized on a linuxbox? I hope I'm not off-topic. Maybe that is not useful at all, but Netscape has such an option to choose.
> --
> Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
-- Till Franke SuSE Südwest Tel: 07 11 / 72 72 54-0 Niederlassung der SuSE Rhein/Main AG Fax: 07 11 / 72 60 89 0 Zettachring 8 mailto:Till.Franke@suse.de 70567 Stuttgart
> Sendmail has patches available now, too.

http://opensource.3gi.com/sendmail-tls/

This is what I found.

-- 
Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
On Wed, Feb 02, 2000 at 08:49:16PM +0100, Walter Krohe wrote:
> Sendmail has patches available now, too.

To my knowledge, there are no patches available to update sendmail itself, but you can find several wrapper solutions. You already found sendmail-tls. Then there are:

Safegossip: http://www.skygate.co.uk/safegossip/
Trey Child's STARTTLS wrapper: http://sites.netscape.net/tc15163/homepage
Stunnel: http://mike.daewoo.com.pl/computer/stunnel/

(The sorting does not imply anything, I just got them under my mouse-pointer in this sorting :-)

If you want a generic extension you can choose between the MTAs postfix, qmail and zmailer. I personally prefer Postfix/TLS, but I am biased, since I am the author :-)

http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls

And I can assure you that it does work with SuSE-Linux (while typing these lines at home in front of: Linux lutzpc 2.2.13 #1 Mon Nov 8 15:51:29 CET 1999 i686 unknown :-)

Best regards,
Lutz

-- 
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
Walter Krohe wrote:
> Oops, I was wrong. I mixed up pop3 and smtp. Sorry! So what I want is an smtp with ssl connection. How can that be realized on a linuxbox? I hope I'm not off-topic. Maybe that is not useful at all, but Netscape has such an option to choose.

I've done it with stunnel, unfortunately you can't have both TLS and normal at the same time.

/Michael

-- 
This space intentionally left non-blank.
Hi list,

I also installed the sslwrap package on a SuSE 6.3 System.

-- cut from /etc/inetd.conf --
pop3s stream tcp nowait cyrus /usr/sbin/tcpd /usr/sbin/sslwrap -cert /usr/ssl/certs/my_cert.pem -port 110
-- cut --

[did the other stuff]

-- cut from /etc/messages ---
Feb 4 22:23:08 serverlx sslwrap[3408]: connect from 192.168.10.10
Feb 4 22:23:08 serverlx popper[3409]: connect from cyrus@127.0.0.1
-- cut end ---

The Netscape Mailclient tries on my 192.168.10.1:995 to pop(3s). and tries, and tries, and ...

Seems like the popper is looking for the mail of user "cyrus", isn't it?

I hope this solution is not only for Outlook (as in the concern of this thread). Am I wrong?

-- 
Walter Krohe, wk@u2me.de Schwabstrasse 20, D-73760 Ostfildern voice +49 711 3428 926, fax +49 711 3428 928
On Fri, Feb 04, 2000 at 10:39:13PM +0100, Walter Krohe wrote:
> Hi list, I also installed the sslwrap package on a SuSE 6.3 System.
>
> -- cut from /etc/inetd.conf --
> pop3s stream tcp nowait cyrus /usr/sbin/tcpd /usr/sbin/sslwrap -cert /usr/ssl/certs/my_cert.pem -port 110
> -- cut --
> [did the other stuff]
> -- cut from /etc/messages ---
> Feb 4 22:23:08 serverlx sslwrap[3408]: connect from 192.168.10.10
> Feb 4 22:23:08 serverlx popper[3409]: connect from cyrus@127.0.0.1
> -- cut end ---
>
> The Netscape Mailclient tries on my 192.168.10.1:995 to pop(3s). and tries, and tries, and ...

Netscape Mailclient cannot do pop3 with ssl (aka pop3s), it can only do imap over ssl. How did you set up netscape? Probably just as pop3 and changed the port to 995? This does not work, since the protocol is wrong. With Netscape use imap(s) instead.

> Seems like the popper is looking for the mail of user "cyrus", isn't it?

No, the ident query (man identd) revealed that the connection to the pop port is made from localhost (127.0.0.1) and that the user id of the process opening the connection is "cyrus". This is quite correct, since your pop3s entry in inetd.conf requires exactly this. This data is just informational, it is not used for authentication.

> I hope this solution is not only for Outlook (as in the concern of this thread)

With Netscape use IMAP instead. It offers all of POP3 and then even more (remote mailboxes, a really great feature if you regularly sit at several different locations :-)

Best regards,
Lutz

-- 
Lutz Jaenicke Lutz.Jaenicke@aet.TU-Cottbus.DE BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/ Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129 Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
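
The checks raised in this thread (the /etc/services entry, the inetd.conf entry, the tcpd access rules, and the user that the ident query reports), collected into one script. This is an added example, not part of any poster's message: the function names and the sample hosts.allow and hosts.deny rules are constructed for illustration, and only the daemon list of each tcpd rule is examined, not its client patterns.

```shell
# Added example: is one tcpd-wrapped inetd service wired up consistently?
# check_wrapped_service NAME INETD_CONF SERVICES HOSTS_ALLOW HOSTS_DENY
# prints findings and returns the number of problems found (0 = consistent).

# True if a hosts_access file has a rule whose daemon list names $1 or ALL.
rule_names_daemon() {
    awk -F: -v d="$1" '/^[ \t]*#/ || NF < 2 { next }
        { n = split($1, w, /[ ,\t]+/)
          for (i = 1; i <= n; i++) if (w[i] == d || w[i] == "ALL") hit = 1 }
        END { exit !hit }' "$2"
}

check_wrapped_service() {
    svc=$1; inetd=$2; services=$3; allow=$4; deny=$5; problems=0
    # 1. The service name must map to a TCP port in the services file.
    port=$(awk -v s="$svc" '$1 == s && $2 ~ /\/tcp$/ { split($2, p, "/"); print p[1]; exit }' "$services")
    if [ -n "$port" ]; then echo "ok: $svc is tcp/$port"
    else echo "PROBLEM: no tcp entry for $svc in $services"; problems=$((problems + 1)); fi
    # 2. inetd.conf entry: field 5 is the user the wrapper runs as, field 6
    #    the program inetd starts, field 7 the argv[0] that tcpd checks and runs.
    entry=$(awk -v s="$svc" '$1 == s { print $5, $6, $7; exit }' "$inetd")
    if [ -z "$entry" ]; then
        echo "PROBLEM: no $svc entry in $inetd"; return $((problems + 1)); fi
    set -- $entry
    user=$1; server=${2##*/}; daemon=${3##*/}
    echo "ok: $daemon runs as $user, the owner an ident query on its backend connection reports"
    # 3. tcpd grants access if hosts.allow matches, refuses if hosts.deny
    #    matches, and grants otherwise. A deny rule with no allow rule for
    #    the daemon name means the connection is dropped before sslwrap runs.
    if [ "$server" = tcpd ]; then
        if rule_names_daemon "$daemon" "$allow"; then echo "ok: $allow names $daemon"
        elif rule_names_daemon "$daemon" "$deny"; then
            echo "PROBLEM: $deny covers $daemon, $allow does not"; problems=$((problems + 1))
        else echo "ok: no tcpd rule covers $daemon"; fi
    fi
    return $problems
}

# Constructed sample files modelled on the entries quoted in the thread.
demo() {
    d=$(mktemp -d) || return 99
    echo 'pop3s stream tcp nowait cyrus /usr/sbin/tcpd /usr/sbin/sslwrap -cert /usr/ssl/certs/my_cert.pem -port 110' > "$d/inetd.conf"
    echo 'pop3s 995/tcp # POP3 protocol over TLS/SSL' > "$d/services"
    echo 'ALL: ALL' > "$d/hosts.deny"
    echo "${1:-}" > "$d/hosts.allow"    # $1: optional hosts.allow rule
    check_wrapped_service pop3s "$d/inetd.conf" "$d/services" "$d/hosts.allow" "$d/hosts.deny"
    rc=$?; rm -rf "$d"; return $rc
}
demo || echo "problems found: $?"
```

Calling `demo 'sslwrap: 192.168.10.'` reruns the same check with a constructed allow rule for the wrapper in place.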
participants (7)
- F. Spitzer, GEOSYSTEMS
- Jae
- Jan Hildebrandt
- Lutz Jaenicke
- Michael Salmon
- Till Franke
- Walter Krohe