Hi All,
I'd like to put stunnel in front of dbmail-imap and dbmail-pop, since they don't offer any encryption. I understand I can just do straight ssl connections, but would like [prefer] to support TLS.
I've found patches to the stunnel 3 series that implement TLS for IMAP, but haven't found any for version 4.
Has someone implemented it for 4?
Is there a technical or political reason/problem, or just not enough round-tuits?
Thanks,
g.
On Saturday 08 of October 2005 03:09, George Hartzell wrote:
> I'd like to put stunnel in front of dbmail-imap and dbmail-pop, since they don't offer any encryption. I understand I can just do straight ssl connections, but would like [prefer] to support TLS.
> I've found patches to the stunnel 3 series that implement TLS for IMAP, but haven't found any for version 4.
> Has someone implemented it for 4?
> Is there a technical or political reason/problem, or just not enough round-tuits?
Most email clients use SSL over IMAP on a separate port that stunnel supports. Do you really need protocol negotiation?
Best regards, Mike
George Hartzell hartzell@kestrel.alerce.com writes:
> Hi All,
> I'd like to put stunnel in front of dbmail-imap and dbmail-pop, since they don't offer any encryption. I understand I can just do straight ssl connections, but would like [prefer] to support TLS.
> I've found patches to the stunnel 3 series that implement TLS for IMAP, but haven't found any for version 4.
> Has someone implemented it for 4?
> Is there a technical or political reason/problem, or just not enough round-tuits?
I wrote the patch for 3, and I still use 3, so I haven't updated it. :)
The patches should be fairly easy to update to version 4, or you could just use version 3. If you forward-port the patches to version 4, let me know and I'll add a link to my Web page.
----Scott.
Scott Gifford writes:
> [...] The patches should be fairly easy to update to version 4, or you could just use version 3. If you forward-port the patches to version 4, let me know and I'll add a link to my Web page.
I've decided to see if I could add IMAP STARTTLS support to version 4, based on Scott's patch to 3.22.
I've disentangled what I think are the STARTTLS specific pieces and recast them in the version 4 idiom. I'm playing with pop3 since I can have openssl's s_client negotiate the STARTTLS part for me. I have it working in pass-through mode (just proxying a non-ssl conversation), but can't get the STARTTLS part going.
Using "openssl s_client -connect demo:pop3s" to hit an stunnel process that's expecting an ssl connect (e.g. the default behaviour) works fine.
Telnetting to demo, port pop3 (which hits stunnel listening in 'pop3-' mode) then running through a simple "USER, PASS, RETR" session works fine.
If I do "openssl s_client -connect demo:pop3 -starttls pop3" I get: 13845:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
and if I add -debug, I get:
(demo)[4:15pm]stunnel>>openssl s_client -connect demo:pop3 -starttls pop3 -debug
CONNECTED(00000003)
read from 08094700 [080A7000] (8192 bytes => 99 (0x63))
0000 - 2b 4f 4b 20 44 42 4d 41-49 4c 20 70 6f 70 33 20   +OK DBMAIL pop3
0010 - 73 65 72 76 65 72 20 72-65 61 64 79 20 74 6f 20   server ready to
0020 - 72 6f 63 6b 20 3c 31 63-64 35 61 66 37 31 34 37   rock <1cd5af7147
0030 - 65 31 39 31 31 38 37 33-37 64 61 62 62 39 33 65   e19118737dabb93e
0040 - 36 61 38 35 30 61 40 64-65 6d 6f 2e 61 6c 65 72   6a850a@demo.aler
0050 - 63 65 2e 63 6f 6d 3e 20-2b 20 73 74 75 6e 6e 65   ce.com> + stunne
0060 - 6c 0d 0a                                          l..
write to 08094700 [BFBFDC70] (6 bytes => 6 (0x6))
0000 - 53 54 4c 53 0d 0a                                 STLS..
read from 08094700 [080A5000] (8192 bytes => 36 (0x24))
0000 - 2b 4f 4b 20 73 74 75 6e-6e 65 6c 20 73 74 61 72   +OK stunnel star
0010 - 74 69 6e 67 20 54 4c 53-20 6e 65 67 6f 74 69 61   ting TLS negotia
0020 - 74 69 6f 6e                                       tion
write to 08094700 [080AC000] (142 bytes => 142 (0x8E))
0000 - 80 8c 01 03 01 00 63 00-00 00 20 00 00 39 00 00   ......c... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 66 00   ..3..2../.....f.
0030 - 00 05 00 00 04 01 00 80-08 00 80 00 00 63 00 00   .............c..
0040 - 62 00 00 61 00 00 15 00-00 12 00 00 09 06 00 40   b..a...........@
0050 - 00 00 65 00 00 64 00 00-60 00 00 14 00 00 11 00   ..e..d..`.......
0060 - 00 08 00 00 06 04 00 80-00 00 03 02 00 80 3c fc   ..............<.
0070 - 7a 39 c2 3a 4f 59 06 ae-aa ce f8 1c 23 b2 2c 04   z9.:OY......#.,.
0080 - 5b f4 33 a7 56 81 9a f0-88 b4 13 7b 3b 11         [.3.V......{;.
read from 08094700 [080B2000] (7 bytes => 2 (0x2))
0000 - 0d 0a                                             ..
read from 08094700 [080B2002] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 4a                                    ....J
13876:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:
I'd love any suggestions for places to look next!
Thanks,
g.
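An added example (not code from the thread, stunnel or the patch): the trace above shows the "+OK stunnel starting TLS negotiation" reply arriving without its CRLF, the client sending its ClientHello, and only then the CRLF followed by the first TLS record (0x16 0x03 0x01 ...). The classifier below replays those reconstructed bytes to show why a line-based client trips over that ordering, and the client function reads full CRLF lines before handing the socket to TLS so a late line ending is never mistaken for a TLS record. Host and port in the client are the caller's choice; nothing here talks to the network unless pop3_starttls is called.

```python
import socket
import ssl

# Server bytes reconstructed from the s_client -debug trace (constructed sample):
# the STLS reply line, then its CRLF in a separate read, then a TLS handshake record.
STLS_REPLY_CHUNKS = [
    b"+OK stunnel starting TLS negotiation",   # first read: no CRLF yet
    b"\r\n",                                   # CRLF only arrives after the ClientHello
    b"\x16\x03\x01\x00\x4a",                   # TLS record header: handshake, version 3.1
]
TLS_HANDSHAKE_RECORD = 0x16

def classify_stls_reply(data: bytes) -> dict:
    """Split a POP3 STLS reply from whatever follows it and say whether a
    client could correctly start the TLS handshake on these bytes."""
    eol = data.find(b"\r\n")
    if eol < 0:
        # Line not terminated: a client that starts TLS now will read the
        # later CRLF as the first bytes of the ServerHello ("unknown protocol").
        return {"state": "incomplete", "line": data.decode("ascii", "replace")}
    line, rest = data[:eol], data[eol + 2:]
    if not line.startswith(b"+OK"):
        return {"state": "refused", "line": line.decode("ascii", "replace")}
    if rest and rest[0] != TLS_HANDSHAKE_RECORD:
        return {"state": "garbage-after-ok", "line": line.decode("ascii", "replace"),
                "rest": rest[:5]}
    return {"state": "ok", "line": line.decode("ascii", "replace"),
            "tls_record_follows": bool(rest)}

def _read_line(sock: socket.socket) -> bytes:
    """Read exactly one CRLF-terminated line, byte by byte, so no TLS record
    bytes that follow the reply are swallowed into the plaintext buffer."""
    buf = bytearray()
    while not buf.endswith(b"\r\n"):
        b = sock.recv(1)
        if not b:
            raise ConnectionError("connection closed mid-line")
        buf += b
    return bytes(buf[:-2])

def pop3_starttls(host: str, port: int = 110, timeout: float = 5.0) -> ssl.SSLSocket:
    """POP3 STLS client: greeting, STLS, full +OK line, then TLS on the same socket."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if not _read_line(sock).startswith(b"+OK"):
        raise RuntimeError("server greeting was not +OK")
    sock.sendall(b"STLS\r\n")
    reply = _read_line(sock)
    if not reply.startswith(b"+OK"):
        raise RuntimeError("STLS refused: " + reply.decode("ascii", "replace"))
    # Certificate and hostname are verified by the default context.
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```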