Configure POP3 SECURE


exposed
07-27-2003, 09:17 AM
If you want secure POP3 (port 995), you have to download the stunnel package from www.stunnel.org

Create a PEM file (described on stunnel.org) and create the entries below in xinetd.conf or in /etc/xinetd.d/

service pop3s
{
    disable     = no
    socket_type = stream
    wait        = no
    # xinetd launches stunnel as root so it can read the private key in the PEM;
    # the -u 99 passed to vm-pop3d below makes the POP3 daemon itself run as uid 99
    user        = root
    server      = /usr/sbin/stunnel
    # stunnel 3 syntax: -T transparent proxy, -p PEM file (key + cert),
    # -l program to exec for each connection; everything after "--" is
    # handed to vm-pop3d (-i = inetd mode)
    server_args = -T -p /etc/stunnel/stunnel.pem -l /usr/sbin/vm-pop3d -- vmpop3d -i -u 99
}

After that, do a service xinetd restart and you're done. Port 995 is ready and users can enjoy security.

Cheers!

ProHS
02-03-2004, 01:40 PM
So can users still use non-secure if they want?

DirectAdmin Support
02-04-2004, 10:55 AM
Hello,

yes, pop3s uses port 995, so regular pop on port 110 shouldn't be affected.

John

ProHS
02-04-2004, 11:03 AM
Which one do I get, the SSL source code?

DirectAdmin Support
02-04-2004, 11:58 AM
Hello,

DA installs the regular port 110 POP version. Not sure what you're referring to with regard to source code.

John

ProHS
02-05-2004, 05:24 AM
Would the file be inetd.config on FreeBSD?

DirectAdmin Support
02-05-2004, 11:41 AM
Hello,

For FreeBSD, they're all stored in one file located at /etc/inetd.conf

John

ProWebUK
02-05-2004, 05:16 PM
Moving to the How-To area; it has also been added to the DirectAdmin Server Checklist (http://directadmin.com/forum/showthread.php?s=&threadid=65&perpage=20&pagenumber=1) :)

hostpc.com
02-05-2004, 05:36 PM
oops, sorry

thoroughfare
05-30-2004, 10:36 AM
How can I get rid of the untrusted certificate authority warnings in my email client?

Thanks,
Matt :)

jjma
06-02-2004, 11:35 AM
Originally posted by thoroughfare
How can I get rid of the untrusted certificate authority warnings in my email client?


I think you will have to install a certificate issued by one of the SSL providers like GeoTrust, VeriSign, etc.

I would be interested in how this could be applied to a number of domains: does each domain need a certificate, or would a wildcard do?

Jon

thoroughfare
06-02-2004, 11:41 AM
A wildcard cert wouldn't work... because you couldn't buy *.com for example.

I tried using the SSL cert I bought for DirectAdmin and HTTPS - and it didn't work, Stunnel returned a load of errors.

My admin said you'd need your own CA root, but when he tried it, it didn't work either.

Matt

jjma
06-03-2004, 02:27 AM
What problems did your admin have and with which certificate provider?

Jon

thoroughfare
06-03-2004, 06:28 AM
When we tried a bought cert (UTN root, from FreeSSL.com), it came back with errors (can't remember the specific errors), and when he tried a self-signed CA, Stunnel wouldn't accept it either.

Matt

motobrandt
06-14-2004, 12:26 PM
Ugh... I've got stunnel installed and I did the config file. I basically followed the instructions shown HERE (http://www.forum.psoft.net/showthread.php?t=5190)

It's a no go as of now. Any help would be greatly appreciated.

TIA

Brandt

lnguyen
08-01-2004, 08:57 AM
What about the SMTP connection? How would we get that for outgoing mail?

Yikes2000
09-02-2004, 05:39 PM
I got it working on my FreeBSD 4.10.

I have a GeoTrust QuickSSL for "secure.domain.com," so I put the private key and certificate for "secure.domain.com" in one file /usr/local/etc/stunnel/domain.com.pem:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
<blank line>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<blank line>

Make sure only root can read this file:
# chown root /usr/local/etc/stunnel/domain.com.pem
# chmod 600 /usr/local/etc/stunnel/domain.com.pem

Set cert to this file in /usr/local/etc/stunnel/stunnel.conf:
cert = /usr/local/etc/stunnel/domain.com.pem
...
#CApath
#CAfile
#CRLpath
#CRLfile
...
[pop3s]
accept = 995
connect = 110
...
[ssmtp]
accept = 465
connect = 25

(The "..." above means blank lines and other settings.)

Now I can access SSL POP3 through "secure.domain.com" using Eudora or Outlook Express. In Eudora, set Incoming Mail's Authentication style to Password + Secure Sockets when Receiving to "Required, Alternate Port". The first mail check will result in an error. Just go back to the Incoming Mail property and click on 'Last SSL Info' to add the certificate to the computer. In Outlook Express, make sure you set the SSL connection checkbox for incoming mail.

SSL SMTP is also working. For Outlook Express, you will need to specify the port (465). Eudora knows the alternate port (set Secure Sockets when Sending to "Required, Alternate Port").

I also disabled normal POP3 using IPFW to force all users to go through SSL POP3 to get their mail. Extra precaution to prevent passwords from being sniffed off the network. I can't disable SMTP in the same way because I'd cut off normal mail flow too.
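
The key-then-certificate file and the chown/chmod step above, as an added example (not from the post and not stunnel's own code): a small Python script that writes the cert file in that layout with mode 0600 from the moment it is created, then re-checks the block order and permissions before you point cert = at it. The key and certificate text inside are constructed placeholders, not real key material, and the file names are assumptions.

```python
"""Build and re-check a stunnel cert file laid out as in the post:
private key first, then the certificate, each followed by a blank line.

Added example, not from the post and not stunnel's own code. The key and
certificate strings are constructed placeholders (not real key material)
and the file names are assumptions.
"""
import os
import re
import stat
import tempfile

# Header types stunnel accepts for the key part of `cert =`: the
# traditional RSA form the post shows, plus PKCS#8 and EC keys.
KEY_HEADERS = ("RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY")
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)

# Constructed placeholders; real material comes from openssl / your CA.
SAMPLE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAconstructedPlaceholderNotARealKey0000000000000000
-----END RSA PRIVATE KEY-----"""
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
MIIDconstructedPlaceholderNotARealCertificate00000000000000000000
-----END CERTIFICATE-----"""


def build_cert_file(key_pem, cert_pem, path):
    """Write key, blank line, certificate, blank line. The file is created
    0600 via os.open rather than chmod'ed afterwards, so the key is never
    group/world-readable under the default umask even for an instant."""
    body = key_pem.strip() + "\n\n" + cert_pem.strip() + "\n\n"
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.replace(tmp, path)  # atomic: readers never see a half-written file


def check_cert_file(path):
    """Return a list of problems with an existing cert file; [] means OK."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("file is group/world accessible; chmod 600")
    with open(path) as fh:
        blocks = [m.group(1) for m in BLOCK_RE.finditer(fh.read())]
    keys = [b for b in blocks if b in KEY_HEADERS]
    if len(keys) != 1:
        problems.append("expected exactly one private key block, found %d" % len(keys))
    if "CERTIFICATE" not in blocks:
        problems.append("no CERTIFICATE block")
    elif keys and blocks.index(keys[0]) > blocks.index("CERTIFICATE"):
        problems.append("private key must come before the certificate")
    return problems


def demo():
    """Round trip in a scratch directory: a good file, the same file after a
    careless chmod, and one with the blocks in the wrong order."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "domain.com.pem")
        build_cert_file(SAMPLE_KEY, SAMPLE_CERT, good)
        result = {"good": check_cert_file(good)}
        os.chmod(good, 0o644)  # what a plain cp/scp often leaves behind
        result["loose"] = check_cert_file(good)
        swapped = os.path.join(d, "swapped.pem")
        build_cert_file(SAMPLE_CERT, SAMPLE_KEY, swapped)  # cert first: wrong
        result["swapped"] = check_cert_file(swapped)
    return result


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

The script only checks layout and permissions; whether the key actually matches the certificate is still something to confirm with openssl before restarting stunnel.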

thoroughfare
01-30-2005, 10:34 AM
Yikes,

Can you paste your settings from inetd.conf please?

Much appreciated,
Matt :)

Yikes2000
02-04-2005, 06:21 PM
Which part of inetd.conf? It's pretty sparse... everything is turned off except for imap4. (And I don't remember why it is turned on. :) )

thoroughfare
02-05-2005, 06:25 AM
Well, the Linux stunnel seemed to need xinetd to run, so I presumed the FreeBSD version needed inetd. It seems it's running quite happily as an independent daemon, however :)

IMAP4 is there for SquirrelMail ;)

Matt

dougl
05-21-2005, 01:38 PM
I wasn't able to get stunnel to work from xinetd but I didn't have any trouble getting it to work as a daemon. Here's my stunnel.conf file:


cert = /usr/local/etc/stunnel/stunnel.pem


; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /usr/local/var/stunnel/
setuid = nobody
;setgid = nogroup
setgid = nobody
; PID is created inside chroot jail
pid = /stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
options = DONT_INSERT_EMPTY_FRAGMENTS

; Some debugging stuff useful for troubleshooting
debug = 3
output = /var/log/stunnel.log

; Service-level configuration

[pop3s]
accept = 995
connect = 110


This was pretty simple to get working. You just need to configure your email client to use SSL when it checks for mail.

Oh, and don't forget to put this in a startup script so that it launches when you reboot the server! I put mine in /etc/rc.local as a quick fix. Maybe somebody has created an init script?

-dougl
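
The daemon-mode stunnel.conf above (and the shorter one in Yikes2000's post), as an added example that is not stunnel's own code and not from either post: a Python parser for that file format plus a lint pass that flags what this thread recommends against, a missing cert =, running as root, no chroot, and a connect = that hands the decrypted session to another host in the clear. Both sample configs are constructed here; the first is modelled on dougl's.

```python
"""Parse a stunnel.conf shaped like the one above and flag the settings a
reviewer would question before exposing port 995.

Added example; not stunnel's own parser or policy and not from the post.
The checks encode this thread's advice (cert set, drop root, chroot, keep
the plaintext hop on the loopback); both sample configs are constructed,
the first modelled on the one posted above.
"""
import re

OPTION_RE = re.compile(r"^([A-Za-z_]+)\s*=\s*(.*)$")
LOOPBACK_HOSTS = ("", "localhost", "127.0.0.1")

GOOD_CONF = """
cert = /usr/local/etc/stunnel/stunnel.pem
; drop privileges and lock stunnel into a jail
chroot = /usr/local/var/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = DONT_INSERT_EMPTY_FRAGMENTS
debug = 3
output = /var/log/stunnel.log

[pop3s]
accept = 995
connect = 110
"""

# Constructed weak variant: runs as root, no jail, and hands the
# decrypted POP3 session to another host in the clear.
WEAK_CONF = """
cert = /usr/local/etc/stunnel/stunnel.pem
debug = 3

[pop3s]
accept = 995
connect = mail.example.com:110
"""


def parse_stunnel_conf(text):
    """Return {"global": {...}, "services": {name: {...}}}. Options before
    the first [section] are global; ';' and '#' start comments; an option
    given more than once (socket = ...) collects into a list."""
    conf = {"global": {}, "services": {}}
    cur = conf["global"]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = conf["services"].setdefault(line[1:-1].strip(), {})
            continue
        m = OPTION_RE.match(line)
        if not m:
            raise ValueError("unparsable line: %r" % raw)
        key, val = m.group(1), m.group(2).strip()
        if key in cur:
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [val]
        else:
            cur[key] = val
    return conf


def connect_host(value):
    """'110' -> '' (stunnel then connects to localhost); 'host:110' -> 'host'."""
    return value.rsplit(":", 1)[0] if ":" in value else ""


def lint(conf):
    """Return human-readable findings; [] means nothing to object to."""
    findings = []
    g = conf["global"]
    if "cert" not in g:
        findings.append("global: no cert =, nothing to present on the TLS port")
    if g.get("setuid", "root") in ("root", "0"):
        findings.append("global: setuid missing or root; drop to an unprivileged user after binding")
    if "chroot" not in g:
        findings.append("global: no chroot")
    for name, svc in conf["services"].items():
        if "accept" not in svc or "connect" not in svc:
            findings.append("[%s]: needs both accept and connect" % name)
            continue
        if connect_host(svc["connect"]) not in LOOPBACK_HOSTS:
            findings.append("[%s]: connect=%s leaves the box in plaintext"
                            % (name, svc["connect"]))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(label, lint(parse_stunnel_conf(text)) or "OK")
```

Run it against your own file with parse_stunnel_conf(open("/usr/local/etc/stunnel/stunnel.conf").read()); the loopback check is the one that matters most, since a connect = pointing at another machine silently recreates the sniffable hop that port 995 was meant to remove.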

interfasys
05-22-2005, 11:18 AM
You shouldn't need a script.
The port creates one for you: /usr/local/etc/rc.d/stunnel.sh

Just add:
stunnel_enable="YES"
to your rc.conf

(I hope it works for you, on my system the sh script seems to be wrong).