Hi Bene,
No, the port is open. It seems to me it simply doesn't get that it's supposed to run encrypted there. Because:
If I stop the courier-pop-ssl daemon, I can't reach the port.
If I start it again, I can reach it again. I can even (which shouldn't be possible, right?) speak "POP" over telnet.
It seems to me that Courier-SSL somehow doesn't expect SSL at all; only the normal Courier is listening there, without any tunnel (?).
I've gone through the configs; they're almost identical to those of IMAP-SSL, which works perfectly and also establishes the encryption.
I'll attach my config. The DEBUG parameter doesn't take effect either; I'd read somewhere that it makes Courier a bit more "verbose". Does anyone perhaps have another idea how I can make pop3dssl more talkative? More output in the log files might help me. Maybe pass a parameter to the "courierlogger" somewhere?
So far the logging only outputs the following:
Quote:
pop3d-ssl: Connection, ip=[::ffff:xy.xy.xy.xy]
Mar 18 07:53:37 server1 pop3d-ssl: Unexpected SSL connection shutdown.
and that's all there is.
Oh, and I'm still running Etch.
Code:
##VERSION: $Id: pop3d-ssl.dist.in,v 1.13 2005/07/02 01:13:57 mrsam Exp $
#
# pop3d-ssl created from pop3d-ssl.dist by sysconftool
#
# Do not alter lines that begin with ##, they are used when upgrading
# this configuration.
#
#  Copyright 2000-2004 Double Precision, Inc.  See COPYING for
#  distribution information.
#
#  This configuration file sets various options for the Courier-IMAP server
#  when used to handle SSL POP3 connections.
#
#  SSL and non-SSL connections are handled by a dedicated instance of the
#  couriertcpd daemon.  If you are accepting both SSL and non-SSL POP3
#  connections, you will start two instances of couriertcpd, one on the
#  POP3 port 110, and another one on the POP3-SSL port 995.
#
#  Download OpenSSL from http://www.openssl.org/
#
##NAME: SSLPORT:0
#
#  Options in the pop3d-ssl configuration file AUGMENT the options in the
#  pop3d configuration file.  First the pop3d configuration file is read,
#  then the pop3d-ssl configuration file, so we do not have to redefine
#  anything.
#
#  However, some things do have to be redefined.  The port number is
#  specified by SSLPORT, instead of PORT.  The default port is port 995.
#
#  Multiple port numbers can be separated by commas.  When multiple port
#  numbers are used it is possibly to select a specific IP address for a
#  given port as "ip.port".  For example, "127.0.0.1.900,192.68.0.1.900"
#  accepts connections on port 900 on IP addresses 127.0.0.1 and 192.68.0.1
#  The SSLADDRESS setting is a default for ports that do not have
#  a specified IP address.
DEBUG=2
SSLPORT=995
##NAME: SSLADDRESS:0
#
#  Address to listen on, can be set to a single IP address.
#
# SSLADDRESS=127.0.0.1
SSLADDRESS=0
##NAME: SSLPIDFILE:0
#
#
#
SSLPIDFILE=/var/run/courier/pop3d-ssl.pid
##NAME: SSLLOGGEROPTS:0
#
# courierlogger(1) options.
#
SSLLOGGEROPTS="-name=pop3d-ssl"
##NAME: POP3DSSLSTART:0
#
#  Whether or not to start POP3 over SSL on spop3 port:
POP3DSSLSTART=YES
##NAME: POP3_STARTTLS:0
#
# Whether or not to implement the POP3 STLS extension:
POP3_STARTTLS=YES
##NAME: POP3_TLS_REQUIRED:1
#
# Set POP3_TLS_REQUIRED to 1 if you REQUIRE STARTTLS for everyone.
# (this option advertises the LOGINDISABLED POP3 capability, until STARTTLS
# is issued).
POP3_TLS_REQUIRED=0
##NAME: COURIERTLS:0
#
# The following variables configure POP3 over SSL.  If OpenSSL is available
# during configuration, the couriertls helper gets compiled, and upon
# installation a dummy TLS_CERTFILE gets generated.  courieresmtpd will
# automatically advertise the ESMTP STARTTLS extension if both TLS_CERTFILE
# and COURIERTLS exist.
#
# WARNING: Peer certificate verification has NOT yet been tested.  Proceed
# at your own risk.  Only the basic SSL/TLS functionality is known to be
# working. Keep this in mind as you play with the following variables.
COURIERTLS=/usr/bin/couriertls
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# SSL2 - SSLv2
# SSL3 - SSLv3
# TLS1 - TLS1
TLS_PROTOCOL=SSL3
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the POP3 STARTTLS
# extension, as opposed to POP3 over SSL on port 995.
#
TLS_STARTTLS_PROTOCOL=TLS1
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# TLS_CIPHER_LIST="ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH"
##NAME: TLS_TIMEOUT:0
# TLS_TIMEOUT is currently not implemented, and reserved for future use.
# This is supposed to be an inactivity timeout, but its not yet implemented.
#
##NAME: TLS_DHCERTFILE:0
#
# TLS_DHCERTFILE - PEM file that stores our Diffie-Hellman cipher pair.
# When OpenSSL is compiled to use Diffie-Hellman ciphers instead of RSA
# you must generate a DH pair that will be used.  In most situations the
# DH pair is to be treated as confidential, and the file specified by
# TLS_DHCERTFILE must not be world-readable.
#
# TLS_DHCERTFILE=
##NAME: TLS_CERTFILE:0
#
# TLS_CERTFILE - certificate to use.  TLS_CERTFILE is required for SSL/TLS
# servers, and is optional for SSL/TLS clients.  TLS_CERTFILE is usually
# treated as confidential, and must not be world-readable.
#
TLS_CERTFILE=/etc/courier/pop3d.pem
##NAME: TLS_TRUSTCERTS:0
#
# TLS_TRUSTCERTS=pathname - load trusted certificates from pathname.
# pathname can be a file or a directory. If a file, the file should
# contain a list of trusted certificates, in PEM format. If a
# directory, the directory should contain the trusted certificates,
# in PEM format, one per file and hashed using OpenSSL's c_rehash
# script. TLS_TRUSTCERTS is used by SSL/TLS clients (by specifying
# the -domain option) and by SSL/TLS servers (TLS_VERIFYPEER is set
# to PEER or REQUIREPEER).
#
#
# TLS_TRUSTCERTS=
##NAME: TLS_VERIFYPEER:0
#
# TLS_VERIFYPEER - how to verify client certificates.  The possible values of
# this setting are:
#
# NONE - do not verify anything
#
# PEER - verify the client certificate, if one's presented
#
# REQUIREPEER - require a client certificate, fail if one's not presented
#
#
TLS_VERIFYPEER=NONE
##NAME: TLS_CACHE:0
#
# A TLS/SSL session cache may slightly improve response for long-running
# POP3 clients. TLS_CACHEFILE will be automatically created, TLS_CACHESIZE
# bytes long, and used as a cache buffer.
#
# This is an experimental feature and should be disabled if it causes
# problems with SSL clients.  Disable SSL caching by commenting out the
# following settings:
TLS_CACHEFILE=/var/lib/courier/couriersslcache
TLS_CACHESIZE=524288
##NAME: MAILDIRPATH:0
#
# MAILDIRPATH - directory name of the maildir directory.
#
MAILDIRPATH=Maildir
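As an added diagnostic (not part of the original post or of Courier itself), here is a small Python probe that tells the two behaviours described above apart: a correctly configured POP3-over-SSL port stays silent until the client opens the TLS handshake, whereas a plaintext "+OK" greeting arriving on port 995 before anything was sent means the daemon is not wrapping the connection at all. The host name and port are assumptions to be filled in.

```python
import socket
import ssl
import sys

# Added example: probe a POP3S port and report whether it really speaks TLS.
# Host and port are assumptions; the logic is not taken from Courier.

def classify_first_bytes(data: bytes) -> str:
    """Classify what the server sent right after connect, before we spoke."""
    if not data:
        # Correct behaviour for implicit TLS on 995: the server waits for
        # the client's ClientHello and sends nothing on its own.
        return "silent"
    if data.startswith((b"+OK", b"-ERR")):
        # A plaintext POP3 greeting on the SSL port: the symptom in the post.
        return "plaintext-pop3"
    if data[:2] == b"\x16\x03":
        return "tls-record"      # unsolicited TLS handshake record
    if data[:2] == b"\x15\x03":
        return "tls-alert"       # TLS alert record
    return "unknown"


def probe_pop3s(host: str, port: int = 995, timeout: float = 3.0):
    """Connect, listen briefly, then try a TLS handshake if the port was silent."""
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        try:
            first = raw.recv(64)
        except socket.timeout:
            first = b""
        kind = classify_first_bytes(first)
        if kind != "silent":
            return kind, first
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # diagnostic only: is TLS spoken at all?
        try:
            tls = ctx.wrap_socket(raw, server_hostname=host)
        except ssl.SSLError as exc:
            return "tls-handshake-failed", str(exc).encode()
        with tls:
            banner = tls.recv(64)
        return ("tls-pop3" if banner.startswith(b"+OK") else "tls-unknown"), banner
    finally:
        raw.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"  # assumption
    print(probe_pop3s(target))
```

Run it against the server: "plaintext-pop3" reproduces what you saw with telnet, while "tls-pop3" means the port is wrapped correctly and the client side should be checked next.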