Secure connections



Originally, this document was only meant to show how to offer secure POP3 connections, but as I learned more, I figured I should broaden its goal, and cover the different ways to allow road warriors to connect to corporate sites securely over the Internet. To sum up, the first thing we want to do is offer e-mail: If you just want to secure the logon step, use APOP. If you want to secure the entire mail session, use SSL.

APOP works by sending some sessions-specific information to the client (pop server PID and time of day), and have the POP client generate a hashed value based on this unique information and his login password. This hashed value is sent to the server, which also generates the hashed value and compares it with what the client sent: If the two match, it means that the client knows the logon password, and is granted access. That way, the password itself is not sent in clear text over the Internet, unlike POP3. Unfortunaly, very few mail clients support APOP (Eudora and Outlook Express; Outlook is supposed to support it, but I'm not positive it actually works. Both Outlook Express and Outlook call APOP "Logon using Secure Password/Authentication".) For linux users, another solution is to run fetchmail, which can retrieve mail using APOP, RPOP, KPOP, IMAP-K4, IMAP-GSS, and IMAP-CRAMMD5 in addition to the non-encrypted pop and imap flavors.

On the other hand, if you want to secure the entire session instead of just the logon step, you will have to use SSL. Two possibilities are available: Use a third-party tool like SSH or sTunnel to create an SSL tunnel, and then have both the mail server and client send data over this encrypted channel instead of directly over the Net; The second possibility is to use servers and clients that support SSL natively, ie. with no need to run an additional utility to build a tunnel before mail data is to travel over the wire.
SSL-capable mail servers are qpopper 4, and IMAP-Courier. SSL-capable clients are Outlook Express, Outlook, and Netscape.

Once we have a working SSL tunnel, non-secure applications can be set up to send their data through this secure channel instead of sending data in the clear over the Net.

To secure SMTP, whether it's between the two MTAs or to allow only authenticated servers/clients to user you mailer as relay, configure your MTA to use TSL (Securing Sendmail with TLS.)

Open ports on Windows hosts

Default Port Assignments for Common Services (copied from here)

Service Name



Browsing datagram responses of NetBIOS over TCP/IP 138  
Browsing requests of NetBIOS over TCP/IP 137  
Client/Server Communication   135
Common Internet File System (CIFS) 445 139, 445
Content Replication Service   560
Cybercash Administration   8001
Cybercash Coin Gateway   8002
Cybercash Credit Gateway   8000
DCOM (SCM uses udp/tcp to dynamically assign ports for DCOM) 135 135
DHCP client   67
DHCP server   68
DHCP Manager   135
DNS Administration   139
DNS client to server lookup (varies) 53 53
Exchange Server 5.0    
   Client Server Communication   135
   Exchange Administrator   135
   IMAP   143
   IMAP (SSL)   993
   LDAP   389
   LDAP (SSL)   636
   MTA - X.400 over TCP/IP   102
   POP3   110
   POP3 (SSL)   995
   RPC   135
   SMTP   25
   NNTP   119
   NNTP (SSL)   563
File shares name lookup 137  
File shares session   139
FTP   21
FTP-data   20
HTTP   80
HTTP-Secure Sockets Layer (SSL)   443
Internet Information Services (IIS)   80
IMAP   143
IMAP (SSL)   993
IKE (For more information, see Table C.4) 500  
IPSec Authentication Header (AH) (For more information, see Table C.4)    
IPSec Encapsulation Security Payload (ESP) (For more information, see Table C.4)    
IRC   531
ISPMOD (SBS 2nd tier DNS registration wizard)   1234
Kerberos de-multiplexer   2053
Kerberos klogin   543
Kerberos kpasswd (v5) 464 464
Kerberos krb5 88 88
Kerberos kshell   544
L2TP 1701  
LDAP   389
LDAP (SSL)   636
Login Sequence 137, 138 139
Macintosh, File Services (AFP/IP)   548
Membership DPA   568
Membership MSN   569
Microsoft Chat client to server   6667
Microsoft Chat server to server   6665
Microsoft Message Queue Server 1801 1801
Microsoft Message Queue Server 3527 135, 2101
Microsoft Message Queue Server   2103, 2105
MTA - X.400 over TCP/IP   102
NetBT datagrams 138  
NetBT name lookups 137  
NetBT service sessions   139
NetLogon 138  
NetMeeting Audio Call Control   1731
NetMeeting H.323 call setup   1720
NetMeeting H.323 streaming RTP over UDP Dynamic  
NetMeeting Internet Locator Server ILS   389
NetMeeting RTP audio stream Dynamic  
NetMeeting T.120   1503
NetMeeting User Location Service   522
NetMeeting user location service ULS   522
Network Load Balancing 2504  
NNTP   119
NNTP (SSL)   563
Outlook (see for ports)    
Pass Through Verification 137, 138 139
POP3   110
POP3 (SSL)   995
PPTP control   1723
PPTP data (see Table C.4)    
Printer sharing name lookup 137  
Printer sharing session   139
Radius accounting (Routing and Remote Access) 1646 or 1813  
Radius authentication (Routing and Remote Access) 1645 or 1812  
Remote Install TFTP   69
RPC client fixed port session queries   1500
RPC client using a fixed port session replication   2500
RPC session ports   Dynamic
RPC user manager, service manager, port mapper   135
SCM used by DCOM 135 135
SMTP   25
SNMP 161  
SNMP Trap 162  
SQL Named Pipes encryption over other protocols name lookup 137  
SQL RPC encryption over other protocols name lookup 137  
SQL session   139
SQL session   1433
SQL session   1024 - 5000
SQL session mapper   135
SQL TCP client name lookup 53 53
Telnet   23
Terminal Server   3389
UNIX Printing   515
WINS Manager   135
WINS NetBios over TCP/IP name service 137  
WINS Proxy 137  
WINS Registration   137
WINS Replication   42
X400   102

More infos: ResNet Security Plan



What is it and how does it work?

A VPN connection consists in the following components: Note that CIPE and IPSec require building a custom Linux kernel, while PopTop and TunnelV are stand-alone applications.

Commercial IPSec clients include:

  1. BorderWare IPSec VPN Client
  2. NAI PGPNet
  3. Checkpoint VPN-1 SecuRemote
  4. Checkpoint Raptor MobileNT
  5. F-Secure VPN+ Checkpoint SecureRemote VPN-1 4.1
  6. NTS TunnelBuilder
  7. Mobile NT IRE SafeNet SoftPK
  8. Xedia's AccessPoint
Compatibility tests are available here :


Point-to-Point Tunneling Protocol (PPTP) is one of the ways to build secure channels ("tunnels") between hosts, namely point-to-point. A typical use is to connect a laptop and a company's e-mail server so that road warriors can pick up their e-mail securely by connecting to the Internet through any ISP.

PPTP was developed into the form of an Internet-Draft by a group called the PPTP Forum, and free clients are readily available for the different flavors of Windows. On the Linux side, you'll have to install PPPd and PopTop (the open-source PPTP server.) Note that for testing purposes, it's OK to have the server and the client physically on the same LAN, and just pick up some unused IP addresses to be used for the tunnel. Two channels are required: The control connection (over TCP), and the data channel.


The alternative to PPTP is IPSec (IP Security), whose open-source implementation are available through FreeS/WAN and Kame. This is the second type of VPN: node-to-node (IPSec can also be used in point-to-point connections.) This is the way to connect two different locations with permanent WAN links to the Internet. L2TP actually combines the best of PPTP and Cisco's L2F protocol.

IPSec tunnels do not support failover (if the IPSec VPN goes south, all current connections are lost.) Data confidentiality is achieved through the IPSec Encapsulating Security Payload (ESP). Data integrity is provided by the IPSec Authentication Header (AH) which digitally signs the outbound packet (data and headers). This signature is why IPSec and NAT are mutually incompatible, as changing any information in the header changes the packet's signature (Native IPsec requires that there be no change to the headers.)
A solution this is to use so-called ESP in tunnel mode, where the original packet (including headers) is encapsuled in a new IP packet, whose source address is the outbound address of the sending VPN host, and its destination address is the inbound address of the receiving VPN host. ESP with authentication encrypts and signs the contents of the original packet. The headers of the new packet are not signed, which makes NAT possible. Another issue that IPSec and NAT present, is that some X.509 certificates can be generated based on the host's external IP address.

Finally, negotiation of connection parameters is achieved through IKE (Internet Key Exchange.) Authentication inform can be picked up from a Secure DNS server ("Secure DNS - A version of the DNS or Domain Name Service enhanced with authentication services"). The Linux Router Project includes support for IPSec/FreeSWAN ( Check the introduction available from FreeSWAN's site for infos on compatibility with other IPSec-capable devices.

CIPE - Crypto IP Encapsulation



Things to check when choosing a VPN

Installing PPTP

Setting up the Linux PPTP server

Installing PPPd

  1. rpm -Uvh ppp.rpm
  2. vi /etc/ppp/options

    name myremotesrv
    noauth //No PPP authentication please
    #proxyarp //Otherwise, error message in log

  3. vi /etc/ppp/chap-secrets

    ACME\jdoe * mypasswd *

    Important: Note that the NT domain must be included in the user's login (domain = ACME, here)

Installing PopTop

  1. rpm -Uvh pptpd.rpm
  2. vi /etc/pptpd.conf


    Note: As shown, you can use ranges of IPs instead of specific IPs to hand out to clients.

Setting up the Windows NT4 PPTP client

If you intend to use a WAN link, you do not need to set up a modem.
  1. Double-click on My Computer | Dial-up Networking
  2. Create a new entry: In the Basic tab, Phone number = the IP address of the remote PopTop server; In the Server tab, uncheck Enable Software Compression, click on the TCP/IP Settings and uncheck Use IP Header Compression; In the Security tab, select Accept only encrypted authentication
  3. Connect
  4. Open a DOS box, type ROUTE PRINT, and make sure that all connections to your LAN actually go through the VPN tunnel instead of directly on the LAN

Setting up the Windows 98 PPTP client

Setting up the Windows 2000 PPTP client

Installing FreeS/WAN

Installing the Linux FreeS/WAN server

Note: Judging from my personal tests and articles in the FreeSWAN mailing list, compiling FreeSWAN under Red Hat 7.0 is no bed of roses, even after upgrading gcc. Compiling under RH 6.2, however, was no problem.
  1. Make sure that connectivity works OK between the two hosts that will act as IPSec gateways
  2. FreeSWAN requires GMP (GNU multi-precision arithmetic; must have binary + headers) and Libdes (encryption) libraries, so make sure those are installed (eg. rpm -qa | grep gmp ; ldconfig -v | grep des)
  3. Untar the FreeSWAN tarball in /usr/src
  4. cd /usr/src/freeswan
  5. make menugo
  6. cd /usr/src/linux
  7. make bzImage, and install the new kernel as you usually do
  8. make modules ; make modules_install
  9. Reboot
  10. Check that IPSec is loaded : dmesg | grep klips

Installing the Windows 2000 IPSec client

Installing the Windows 98 IPSec client

Installing the Linux Router Project

This is a firewall-on-a-floppy open-source project. It can also be used as a VPN with the IPSec add-on.

Installing LinVPN 1.2

By Alex Fiori. Available from

Installing TunnelV

TunnelV requires a kernel with support for Ethertap (simple Ethernet device with receives packets from user space) and Netlink. Unlike IPSec, Tunnelv does no patches the kernel. By default, authentication is done in RSA through public/private keys (keys are saved in /etc/tunnelv.conf), and encryption is done in Blowfish. If the two hosts do not recognize each other through the RSA keys, a password listed in the configuration file is sent, encrypted in Blowfish.
  1. Install SSLeay (OpenSSL OK?)
  2. Install glibc2 (libc6)
  3. Compile a new kernel with Ethertap and Netlink
  4. Enable IP forwarding : echo 1 >/proc/sys/net/ipv4/ip_forward
  5. Load one ethertap kernel module for each tunnel you want open at a time
  6. Untar TunnelV, followed by make ; make install. If SSLeay is located in a non-standard location, edit Makefile. To uninstall, run make uninstall
  7. A password is necessary the first time the remote end's RSA public key is authenticated: Edit the [Tunnel Vision] section and add Magic Password = mypassword. Needless to say, the password must be the same on both ends. After the first connection, remove the Magic Password line to forbid remote hosts from using passwords.
  8. On the receiving end, launch TunnelV on a given port, eg. tunnelv 1234
  9. On the sending end, try to connect through tunnelv that-other-guy's-address 1234
  10. Check that a tunnel is available: You should see something like "Starting to exchange packets". Another thing to look at is whether the tap0 ethertap device is up by running ifconfig
  11. Check if a route is available to reach the other site through the tunnel. If no route is available, add one through route add -net my-subnet-number netmask tap0


TunnelV: routes wrong

[Tunnel Vision]
Local Nets =

I can't stop pptpd (killall/kill/kill -9 : nothing works)

Cannot complete PPP negotiation because of "Cannot determine ethernet address for proxy ARP"

What is proxyarp, and how to remove this error?

After successfull CHAP authentication, I get "Registering your computer in the network", followed by a disconnection

Uncheck Enable Software Compression and Use IP Header Compression

What are Security Associations?

Why can't we just use SSH tunneling?

What is link encryption via MPPE?

Microsoft Point-to-Point Encryption. PPTP provides link encryption via MPPE. PPTP can use PPP to encrypt data, but Microsoft has also incorporated a stronger encryption method called Microsoft point-to-point encryption (MPPE) for use with PPTP. L2TP relies on IPSec instead.

What is GRE used for?

Generic Routing Encapsulation. As currently implemented, PPTP encapsulates PPP packets using a modified version of the generic routing encapsulation (GRE) protocol, which gives PPTP the flexibility of handling protocols other than IP, such as Internet packet exchange (IPX) and network basic input/output system extended user interface (NetBEUI).

What are LAC and LNS?

L2TP jargon. L2TP Access Contrator is the ISP access server to which the client connects. L2TP Network Server is the corporate server that the client wants to reach through a tunnel. Once the connection is up, you get a VPDN (Virtual Private Dialup Network.)


Temp stuff

Path: club-internet!grolier!!!!not-for-mail
From: "moth" 
Newsgroups: comp.os.linux.networking,
Subject: Re: Easiest 2 point VPN to create
Date: Tue, 29 May 2001 12:08:34 +1000
Organization: Customer of Pty. Ltd.
Lines: 101
Message-ID: <9ev0d2$k5q$>
References: <4FCQ6.165996$>
Mime-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
X-Trace: 991102178 20666 (29 May 2001 02:09:38 GMT)
NNTP-Posting-Date: 29 May 2001 02:09:38 GMT
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Xref: club-internet comp.os.linux.networking:290667

Many ways to do this, one you can do it with dedicated VPN hardware
(like a cisco router that supports VPN etc) or another way you can do it
strictly via software (im sure there are other ways)

Lets say you cant be bothered forking over the big bucks for the
hardware solution, so we are left with a software solution.  and lets
say you cant be bothered forking over more big bucks for third party
software, which means we are left with an Open source solution.  and the
one i like is OpenSSH

Ingredients you will need.  (if you dont have the exact ingredients
similar ones will suffice)

A Firewall that allows packet masquerading - in my example i am using
RedHat 6.2 with ipchains running the packet filtering
A copy of OpenSSH installed and up and running on the approriate

now here is a scenario of a software VPN i created ages ago.

create the rules in your firewall to enable the ports for your VPN that
you wish to use...for example

        /sbin/ipchains -A input -j REJECT -p TCP -s $ANY -d $LAN
20022 -l
        /sbin/ipchains -A input -j REJECT -p TCP -s $ANY -d $LAN 22 -l
        /sbin/ipchains -A input -j ACCEPT -p TCP -s $SSH1 -d
$SSH_SERVER1 20022
        /usr/sbin/ipmasqadm portfw -a -P tcp -L $ETH2_ADDR 20022 -R

The $LAN = say,  $ANY= $SSH1= host you want to
allow into your network
$SSH_SERVER1=the server in your LAN that you want the external host to
connect to.  ETH2_ADDR=address of the external ethernet card on the

now the first line is a default rejection from any host to connect to
the LAN via port 20022.  the second is the same but for the standard
port 22 that OpenSSH uses.  the third line simply allows the particular
host SSH1 through your firewall on port 20022 to the SSH_SERVER1.  The
last line is the most important, and it takes all packets recieved on
the external interface that are destined for port 20022 and forwards
those packets onto the SSH_SERVER1 host to port 22!!!

So what do we have here?  Well basically we have an external host SSH1
that initiates an ssh session to the external address of the firewall
(i.e. your companies gateway).  so they type in "># ssh" at their unix prompt.  now assuming that
everything is configured nicely with thier firewall, the initialisation
packets for the ssh session hit your gateway on your firewall, where the
masquerading rule in line 4, picks them up and says "ok i have packets
from SSH1 hiting that are comming in for port 20022...everything
matches, so i will forward them onto SSH_SERVER1 to port 22"  so it
forwards the packets and the ssh session is established. (because i like
to allow my users to ssh out anywhere they ssh back out is no
problem on my firewall and router).

So why did i choose port 20022 rather than just port 22?  well two
reasons.  one i might have more than one server on the lan that you
would like to set up VPN's via ssh for, so for each server you give it a
different port...say for another server SSH_SERVER2 you would make users
hit your external interface on port 20023 say...or any port you like (as
long as its above 1024).  and also you might have ssh running with its
default port 22 on the firewall for internal lan access / administration

remember you also have to clear all these ports and rules via the router
thats connecting you to the internet.  so you have to modify the
access-lists assuming your router is perfomring packet security.  So
thats a nice example of a FREE secure VPN...well as secure as it can be
with OpenSSH.


"C"  wrote in message
> Hello:
> I have recently started researching some HOW TO docs on creating VPNs.
> of them refer to a "main" site and then smaller multiple "remote"
> What I need is the ability to have 2 sites send TCP/IP traffic through
> encrypted tunnel over the internet. Both sites should be able to see
> another and have equal permissions with regard to access of
> What is the best way to do this?
> As always, all advice is appreciated!!!
> Thanks,
> Chris



  1. cd /usr/src/qpopper4.0/
  2. ./configure --enable-shy --enable-specialauth --enable-standalone --with-gdbm
  3. make ; make install ; popper -s
  4. mv stunnel.tar.gz /usr/src ; cd /usr/src ; tar xzvf stunnel.tar.gz
  5. cd stunnel ; ./configure ; make ; make install
  6. chmod 600 ./stunnel.pem
  7. ./stunnel -f -d pop3s -r pop3
  8. Copy stunnel.pem on the client Windows host, edit it to remove the private key, and right-click on this stripped-down version followed by Install Certificate. NOTE: OE still prompting me to accept certificate!
  9. Configure your favorite email client to connect to POP3 in SSL mode (ie. port POP3S/995)
/usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes \
        -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
Using configuration from stunnel.cnf
Generating a 1024 bit RSA private key
writing new private key to 'stunnel.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank. 

APOP with qpopper 4

Hi there,

With any luck this will be a no brainer for someone out there..

I have an Alpha running DUnix 4 which works and has been working fine for a number of years with the various versions of Qpopper without a problem. We have been concerned with some security issues and so Qpopper 4 supporting SSL was a great idea for us, nice integration with Eudora 5.1 etc.

The problem is (on the 5.1r client side):
(All works fine when things are set to SSL for POP: none)

Error while checking mail for <>
I said: STLS
And then the POP server said: SSL negotiation failed.

The problem (from the server side):

May 11 15:10:38  -f [24170]: (null) at 
(IP): -ERR POP EOF or I/O Error May 11 15:10:38 -f[24170]: I/O error flushing output to client at
[IP]: Broken pipe (32) Setup was: ./configure --enable-shy --enable-specialauth --with-openssl=/usr/local/ssl/ /etc/services pop3 110/tcp spop3 995/tcp /etc/inetd.conf pop3 stream tcp nowait root /usr/local/lib/popper402 -f /etc/mail/pop/qpopper-stls.config popper402 spop3 stream tcp nowait root /usr/local/lib/popper402 -f /etc/mail/pop/qpopper-alp.config popper402 /etc/mail/pop-% more qpopper-stls.config set tls-support = stls set config-file = /etc/mail/certs/qpopper.config /etc/mail/pop-% more qpopper-alp.config set tls-support = alternate-port set config-file = /etc/mail/pop/qpopper.config /etc/mail/pop-% more qpopper.config set tls-server-cert-file = /etc/mail/pop/cert.pem set clear-text-passwords = never set chunky-writes = tls OpenSSL 0.9.6a was installed (for usage with OpenSSH) it compiled, tested and installed fine. I am at a loss for getting STLS going with Qpopper working and would gladly accept others advice.. Cheers, Mathew. --enable-shy Hide qpopper version number --enable-servermode Enable SERVER_MODE --enable-specialauth Enable secure crypt or shadow passwords --with-pam=service-name Use PAM authentication [pop3] --enable-apop=path Set the pop.auth file path [/etc/pop.auth] --enable-scram=path Include scram capability with AUTHDB file [/etc/pop.auth] --enable-standalone Makes a standalone POP3 daemon instead of using inetd --with-sslplus=path Use SSL Plus from Certicom [/usr/local/sslplus] --with-sslplus-crypto=path Crypto library to use with SSL Plus [securitybuilder] --with-openssl=path Use OpenSSL [/usr/local/ssl] --with-gdbm=path Use GDBM --enable-auth-file=path Only users listed in the specified file have access --enable-poppassd Generate poppassd password-change daemon Note that APOP requires its own user database (eg. /etc/pop.auth), so cannot fetch user names and passwords from /etc/shadow. Compiles Qpopper. If using APOP (see “APOP” on page 48), also compiles popauth. If --enable-poppassd used with ./configure, also compiles poppassd in the pass-word directory. Note that you must run ./configure before make. Copies the Qpopper executable and man pages to a standard location. If using APOP, also copies popauth. If --enable-poppassd specified with ./configure, also copies poppassd. Path: writer!!!!!!!!!!!!not-for-mail From: Dean Thompson Newsgroups: comp.os.linux.networking Subject: Re: qpopper: APOP 4 OE/Outlook? SSL? Date: Sat, 05 May 2001 01:34:23 +1000 Organization: Monash Uni Lines: 95 Distribution: world Message-ID: <> References: <> <> <> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Trace: 988990478 10410 (4 May 2001 15:34:38 GMT) X-Complaints-To: X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en Xref: writer comp.os.linux.networking:228737 Hi!, >>Yes, this tells Outlook that it should try and bind with the port allocate >>to the secure ipop service. > > OK, so what is needed for O/OE to connect in APOP? Eudora had no problem. Well it should just be a matter of telling Outlook to connect using the secure form of mail connection. It will ask for your username and password and then transmit them to a server which is listening on port 995 on the server side. >>You will either need to modify the makefile or check your configure >>options for the specification of additional libraries. It looks like you >>are missing the crypt library. You should be able to easily modify the >>make file and include the directive "-Lcrypt". > > Weird since RH 7.1 installs the following right out of the box: > > # ldconfig -v | grep crypt > ldconfig: Path `/usr/lib' given more than once > -> > -> > -> > > Any idea what additional package it needs? You have all the packages, you just need to tell it to compile the crypt library as well. You will have to break into the makefile and add the library "-lcrypt" to the makefile line. Some systems don't need the crypt library to be compiled in, but Linux is one of those that does. > OTOH, look what I saw in poppassd.c : "Note that unencrypted passwords are > transmitted over the network." Doesn't seem like such a good idea after > all... Fantastic isn't. I use a program called ssleay to do my ssl wrapping. I generate a site certificate and then I put a SSL wrapper around my imap and pop traffic. > >>In your configure command, you may have to specify a path location for the >>--with-drac option. I am not sure how the configure script works, but you >>might like to check to see whether or not the script actually needs a path >>to the DRAC library. > > rpm -Uvh drac-1.11-1.i386.rpm > > That did it :-) > > > > ./popper -f ./qpopper.config > > > >Are you sure that this step actually succeeded?, do you actually see the > >system startup and does this qpopper program actually write a log anywhere > >to indiciate whether or not there were any errors. You might also like to > >do a: "netstat -an | grep 995" and see whether anything is listening on > >the port. > > [root@linuxff /root]# ./popper -f ./qpopper.config > [root@linuxff /root]# tail /var/log/maillog > May 4 15:41:41 linuxff popper[1562]: popper: Server: listening on > > [root@linuxff /root]# netstat -an | grep 995 > unix 2 [ ACC ] STREAM LISTENING 18995 private/cyrus > Okay, this seems to tell me that the qpopper.config file isn't configured to start its SSL side of operations. >>You may actually have to configure the httpd.conf/httpsd.conf files. I >>have had this error before and it was tracked down to having an invalid >>option in my Apache file, which caused all sorts of trouble and strange >>errors such as the one mentioned above. > > This is not an actual web server running, but rather "openssl s_server > -cert ./cert.pem -accept 443 -www" for testing purposes. You don't mean > that I need to set up Apache in addition to openssl to use the above? I am not sure. I have never used the openssl server in that manner before. Surely you need something to bind to port 443 however. I am not sure whether the openssl system does that or not. It looks like it does. All I know is that I have had that error before in Apache where I haven't configured the SSL stuff correctly. See ya Dean Thompson APOP useradd -s /bin/false -c "Used by qpopper" pop touch /etc/pop.auth chown pop.pop /etc/pop.auth chmod 600 /etc/pop.auth ./configure --enable-shy --enable-specialauth --enable-apop --enable-standalone --with-openssl=/usr --with-gdbm cp /usr/src/qpopper/popper/popper /usr/local/sbin cp /usr/src/qpopper/popper/popauth /usr/local/sbin chown pop.pop /usr/local/sbin/popauth chmod 4755 /usr/local/sbin/popauth popauth -init popauth -user ffaure connect with an APOP client popauth -delete ffaure ------------------------------------------------------- --enable-poppassd auth_user.o: In function `auth_user': /home/ffaure/qpopper4.0/password/auth_user.c:403: undefined reference to `crypt' /home/ffaure/qpopper4.0/password/auth_user.c:407: undefined reference to `crypt' collect2: ld returned 1 exit status make[2]: *** [poppassd] Error 1 make[2]: Leaving directory `/home/ffaure/qpopper4.0/password' make[1]: *** [poppassd] Error 2 make[1]: Leaving directory `/home/ffaure/qpopper4.0/popper' make: *** [popper_server] Error 2 (linuxff) --with-drac checking for dracauth in -ldrac... no Can't use DRAC: dracauth not found in -ldrac /tmp/qpopper4.0/samples/qpopper.config Outlook Express with "Logon using SPA" disabled connecting to APOP server (Eudora OK): May 3 16:35:32 linuxff ./popper[18244]: ffaure at ( -ERR [AUTH] You must use stronger authentication such as AUTH SCRAM-MD5 or APOP to connect to this server May 3 16:35:32 linuxff ./popper[18244]: ffaure at ( -ERR POP EOF or I/O Error Outlook Express with "Logon using SPA" enabled connecting to APOP server (Eudora OK): May 3 16:37:05 linuxff ./popper[18246]: (null) at ( -ERR POP EOF or I/O Error Outlook 2K: With Logon using SPA, no error msg, but doesn't pick up mail, and nothing in /var/log/maillog Without Logon using SPA, err: May 3 16:51:23 linuxff ./popper[18318]: ffaure at ( -ERR [AUTH] You must use stronger authentication such as AUTH SCRAM-MD5 or APOP to connect to this server May 3 16:51:23 linuxff ./popper[18318]: ffaure at ( -ERR POP EOF or I/O Error SSL To store the private key and certificates: mkdir -p -m665 /etc/mail/certs chown root:mail /etc/mail/certs chmod 660 /etc/mail/certs Create private/public keys and certificate openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem Ensure that the file which now contains the private key (and will later contain the signed certificate) is protected: chmod 600 /etc/mail/certs/cert.pem chown root:0 /etc/mail/certs/cert.pem Create a dummy CA (requires a password) openssl genrsa -des3 -out /etc/mail/certs/ca.key 1024 openssl req -new -x509 -days 365 -key ca.key -out ca.crt openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial Copy this signed certificate to the server's private key: cat signed-req.pem >> /etc/mail/certs/cert.pem Create a configuration file for popper, eg. /etc/mail/pop/qpopper.config (/usr/src/qpopper4.0/samples/qpopper.config): set tls-support = stls set tls-server-cert-file = /etc/mail/certs/cert.pem Run qpopper with -f /etc/mail/certs/pop/qpopper.config [root@linuxff certs]# cat cert.pem -----BEGIN RSA PRIVATE KEY----- [root@linuxff certs]# cat req.pem -----BEGIN CERTIFICATE REQUEST----- [root@linuxff qpopper4.0]# cat /etc/mail/pop/qpopper.config set clear-text-password = tls set tls-support = stls set tls-server-cert-file = /etc/mail/certs/cert.pem [root@linuxff qpopper4.0]# ./popper/popper -f /etc/mail/pop/qpopper.config -> Listening on port 110 but not 995 * poppassd.c * * Note that unencrypted passwords are transmitted over the network. If * this bothers you, think hard about whether you want to implement the * password changing feature. On the other hand, it's no worse than what * happens when you run /bin/passwd while connected via telnet or rlogin. * Well, maybe it is, since the use of a dedicated port makes it slightly * easier for a network snooper to snarf passwords off the wire. qpopper.pdf -p 4 • tls Clear text passwords are permitted when TLS/SSL has been negotiated for the session. • ssl (same as tls). # ./popper/popper -d -l 1 -p 4 # telnet localhost 110 Trying Connected to localhost.localdomain. Escape character is '^]'. Unrecognized -p value; 0 = default; 1 = never; 2 = always (fallback); 3 = local only /etc/mail/certs/cert.pem /root/ssl/server/cert.pem HOWTO /usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out req.pem -keyout cert.pem -> cert.pem = -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQC/UJScxA2/xiOybhC3E2KYluiENw8mMcHNKC0os1WEbtdLSC5L rrG+W76O1xYG9FdXYanVUlvyHSlTrYfr21twmsoYlME= -----END RSA PRIVATE KEY----- -> req.pem = -----BEGIN CERTIFICATE----- MIICOTCCAaKgAwIBAgIBADANBgkqhkiG9w0BAQQFADBXMQswCQYDVQQGEwJQTDET KZdRQCEbwNNYsjgedaSy8peP1PseKPvVRsFSDvOg8wH9PwLj419TSpf1eBUo -----END CERTIFICATE----- /usr/local/ssl/bin/openssl req -new -nodes -config stunnel.cnf -out req.pem -keyout cert.pem -> cert.pem -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQDd3RMiij3pkr2vh9rcZMD4BO9c7CkWg/SAfSrAuE/x0H6hpfI/ VB7rQ3gR94KVcYtPiKOODHsXbEbWEwg8LUM9f3Po3d6kNQ== -----END RSA PRIVATE KEY----- -> req.pem -----BEGIN CERTIFICATE REQUEST----- MIIBlzCCAQACAQAwVzELMAkGA1UEBhMCUEwxEzARBgNVBAgTClNvbWUtU3RhdGUx 4Ji9h48qmKKHTMLykB069Dm5zRbh5A1E9VIe -----END CERTIFICATE REQUEST----- # No luck with OpenSSL RPM -> compile from source, and install in /usr/local 1. Compile qpopper 4 with support for OpenSSL ./configure --enable-shy --enable-specialauth --enable-apop --enable-standalone --with-openssl --with-gdbm 2. Create public-private key pair (cert.pem) and a certificate signing request (csr, req.pem) openssl req -new -nodes -out req.pem -keyout cert.pem -> stunnel.pem 3. Create a dummy Certification Authority (CA), and create its certificate openssl genrsa -des3 -out ca.key 1024 ... where -des3 means that you want to protect the private key with a PEM passphrase. If you do not want to use a password, ignore this option. openssl req -new -x509 -days 365 -key ca.key -out ca.crt 4. Sign the server's certificate request: openssl x509 -req -CAcreateserial -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem 5. Apppend the certificate to the server's private key cert.pem: cat signed-req.pem >> cert.pem Now, the file that used to contain only the server's private key also contains the certificate 6. Create a configuration file for qpopper (eg. qpopper.config): set tls-support = stls set tls-server-cert-file = /tmp/cert.pem 7. Launch qpopper with this configuration file: ./popper -f ./qpopper.config 8. Connect to popper with an SSL-capable mail client HOWTO End ------------------------------------- => Arrrgggh : No process listening on port 995! mv cert.pem server.pem # openssl s_server -accept 443 -www Using default temp DH parameters ACCEPT (Netscape) 28523:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:958:SSL alert number 42 28523:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:186: ACCEPT 1. Compiling with SSL [root@linuxff qpopper4.0]# ./configure --enable-shy --enable-standalone --with-openssl --with-gdbm [root@linuxff qpopper4.0]# make genpath.o -o popper ../mmangle/libmangle.a \ -I../common ../common/libcommon.a \ -lcrypt -L/usr/local/ssl/lib -lssl -lcrypto ../common/libcommon.a(maillock.o): In function `Qmaillock': /usr/src/qpopper4.0/common/maillock.c:278: the use of `tempnam' is dangerous, better use `mkstemp' /usr/bin/install -c -s -m 0755 -o root popper /usr/local/sbin/popper echo "Installed popper as /usr/local/sbin/popper" Installed popper as /usr/local/sbin/popper if [ "x" != "x" ]; then \ cd ../password && make install /bin/sh: -c: line 2: syntax error: unexpected end of file make: *** [install] Error 2 2. Trying to install [root@linuxff popper]# make install ../common/libcommon.a(maillock.o): In function `Qmaillock': /usr/src/qpopper4.0/common/maillock.c:278: the use of `tempnam' is dangerous, better use `mkstemp' /usr/bin/install -c -s -m 0755 -o root popper /usr/local/sbin/popper echo "Installed popper as /usr/local/sbin/popper" Installed popper as /usr/local/sbin/popper if [ "x" != "x" ]; then \ cd ../password && make install /bin/sh: -c: line 2: syntax error: unexpected end of file make: *** [install] Error 2 3. Qpopper.pdf page 50: No indication on how to create a dummy certifier for testing purposes This is, however, explained in the FAQ ("How do I sign my certificate with a test Certificate Authority (CA)?") 4. -p 4 switch # ./popper/popper -d -l 1 -p 4 # telnet localhost 110 Trying Connected to localhost.localdomain. Escape character is '^]'. Unrecognized -p value; 0 = default; 1 = never; 2 = always (fallback); 3 = local only FF. 1. Compile qpopper 4 with support for OpenSSL make realclean ./configure --enable-shy --enable-specialauth --enable-apop --enable-standalone --with-openssl=/usr --with-gdbm make make install 2. Create public-private key pair (cert.pem) and a certificate signing request (csr, req.pem) openssl req -new -nodes -out req.pem -keyout cert.pem 3. Create a dummy Certification Authority (CA), and create its certificate openssl genrsa -des3 -out ca.key 1024 ... where -des3 means that you want to protect the private key with a PEM passphrase. If you do not want to use a password, ignore this option. openssl req -new -x509 -days 365 -key ca.key -out ca.crt 4. Sign the server's certificate request: openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem Cacreateserial 5. Apppend the certificate to the server's private key cert.pem: cat signed-req.pem >> cert.pem Now, the file that used to contain only the server's private key also contains the certificate 6. Create a configuration file for qpopper (eg. qpopper.config): set tls-support = stls set tls-server-cert-file = /root/ssl/server/cert.pem 7. Launch qpopper with this configuration file: /usr/local/sbin/popper -f /usr/local/sbin/qpopper.config 8. Connect to popper with an SSL-capable mail client Arrrgggh : No process listening on port 995! # openssl s_server -cert ./cert.pem -accept 443 -www Using default temp DH parameters ACCEPT 28523:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:958:SSL alert number 42 28523:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:186: ACCEPT openssl-devel-0.9.6-3 openssl-0.9.6-3 For testing openssl s_server -accept 443 -www Create your very own Certificate Authority openssl req -out ca.pem -new -x509 -> CA certificate = ca.pem, CA key = privkey.pem Certify server certificate openssl req -key server.key -new -out server.req openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial -out server.pem ( = two digit number. eg. "00") Create the server's private and public keys (no password) openssl genrsa -out server.key 1024 Is this a way to create a new pair of public/private keys + certificate in one go? openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem PEM = Private Enhanced Mail?

Eudora 5

Tools | Options | Incoming Mail : Authentication style = APOP

Outlook Express 5

Tools | Accounts | Properties | Servers : Logon using Secure Password/Authentication

Outlook 97

Ctrl Panel | Mail | Internet E-mail | Servers : Logon using Secure Password/Authentication

SSL with qpopper 4


Please check for more infos on how to use SSH to build a secure tunnel to be used by non-secure applications.


When lauching SSL-capable qpopper : "Unable to obtain socket and address of client: Socket operation on non-socket"

You compiled qpopper without -enable-standalone but tried to launch it as a stand-alone server (ie.

Cannot connect in SSL mode

I couldn't get it to work in stand-alone mode. I had to compile popper without the --enable-standalone mode, and add a pop3s section in /etc/xinetd.d/:
	service pop3s
	        socket_type     = stream        
	        protocol        = tcp
	        wait            = no
	        user            = root
	        server          = /usr/sbin/popper
	        server_args     = qpopper -l 1
	        port            = 995
Also remember that OpenSSL must be able to find certificates. When compiling from source code, certificates are expected to be found in /usr/local/ssl/certs. Make sure the qpopper.config if you are using on points to the same location.

Can APOP read /etc/shadow instead of keeping its own DB (eg. /etc/pop.auth)?

From Jem Berkes:
No, it needs to store plaintext passwords. This is necessary for the way in which APOP authentication works... it also keeps user's mail passwords different from their system passwords, which might be a good thing for security.

Where should stunnel.pem be located?

make install copies the stunnel binary to /usr/local/sbin, but leaves the server's certificate wherever stunnel was compiled. Documentation says that, unless told otherwise, stunnel expects to find it in the directory where stunnel was launched. If I mv /usr/src/stunnel/stunnel.pem /usr/local/sbin/, and cd /usr/local/sbin/ ; ./stunnel -f -d pop3s -r localhost:pop3 -> "stunnel.pem: No such file or directory"

sTunnel: How to add the certificate to Outlook?

... otherwise, prompted each time I check my emails with "The server you are connected to is using a security certificate that does not match its Internet address. Do you want to continue using this server?"

sTunnel: Why only one file (stunnel.pem)?

Since I'm still prompted by O/OExpress every time I'm checking email even after importing the certificate into IExpress, I checked that part of sTunnel: At the end of the compiling, it runs /usr/local/ssl/bin/openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem, while other programs usually generate two files (req.pem and cert.pem.)