Configure POP3 SECURE

exposed

Verified User
Joined
Jul 22, 2003
Messages
53
If you want POP3 Secure (port 995) then you have to download the stunnel package www.stunnel.org

Create an PEM file (described on stunnel.org) and create the below entry's in xinetd.conf or in /etc/xinitd.d/

service pop3s
{
disable = no
socket_type = stream
wait = no
user = root
server = /usr/sbin/stunnel
server_args = -T -p /etc/stunnel/stunnel.pem -l /usr/sbin/vm-pop3d -- vmpop3d -i -u 99
}

after that do a service xinetd restart and your done....port 995 is ready and users can enjoy security.

Cheers!
 
Hello,

DA installs the regular port 110 pop version.. not sure what you're referring to with regards to source code.

John
 
How can I get rid of the untrusted certificate authority warnings in my email client?

Thanks,
Matt :)
 
thoroughfare said:
How can I get rid of the untrusted certificate authority warnings in my email client?

I think you will have to install a certificate issued by one of the ssl providers like geotrust, verisign, etc.

I would be interested how this could be applied to a number of domains - does each domain need a certificate or would a wild card do.

Jon
 
A wildcard cert wouldn't work... because you couldn't buy *.com for example.

I tried using the SSL cert I bought for DirectAdmin and HTTPS - and it didn't work, Stunnel returned a load of errors.

My admin said you'd need you're on CA root, but when he tried it, it didn't work either.

Matt
 
When we tried a bought cert (UTN root, from FreeSSL.com), it came back with errors (can't remember the specific errors), and when he tried a self-signed CA, Stunnel wouldn't accept it either.

Matt
 
Stunnel Config on FreeBSD 4.8

Uhg.. I've got Stunnel installed and I did the config file. I basically followed the instructions shown HERE

It's a no go as of now. Any help would be greatly appreciated.

TIA

Brandt
 
what about for the smtp connection, how would we get that for outgoing mail?
 
I got it working on my FreeBSD 4.10.

I have a GeoTrust QuickSSL for "secure.domain.com," so I put the private key and certificate for "secure.domain.com" in one file /usr/local/etc/stunnel/domain.com.pem:

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
<blank line>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
<blank line>

Make sure only root can read this file:
# chown root /usr/local/etc/stunnel/domain.com.pem
# chmod 600 /usr/local/etc/stunnel/domain.com.pem

Set cert to this file in /usr/local/etc/stunnel/stunnel.conf:
cert = /usr/local/etc/stunnel/domain.com.pem
...
#CApath
#CAfile
#CRLpath
#CRLfile
...
[pop3s]
accept = 995
connect = 110
...
[ssmtp]
accept = 465
connect = 25

(The "..." above means blank lines and other settings.)

Now I can access SSL POP3 through "secure.domain.com" using Eudora or OutlookExpress. In Eudora, set Incoming Mail's Authentication style to Password + Secure Sockets when Receiving to "Required, Alternate Port". First check mail will result in an error. Just go back to the Incoming Mail property and click on 'Last SSL Info' to add the certificate to the computer. In OutlookExpress, make sure you set the SSL connection checkbox for incoming mail.

SSL SMTP is also working. For OutlookExpress, you will need to specify the port (465). Eudora knows the alternate port (set Secure Sockets when Sending to "Required, Alternate Port").

I also disabled normal POP3 using IPFW to force all users to go through SSL POP3 to get their mail. Extra precaution to prevent passwords from being sniffed off the network. I can't disable SMTP in the same way because I'd cut off normal mail flow too.
 
Last edited:
Which part of inetd.conf? It's pretty sparse... everything is turned off except for imap4. (And I don't remember why it is turned on. :) )
 
Well the Linux Stunnel seemed to need xinetd to run, so I presumed the FreeBSD version needed inetd. It seems it's running quite happily as an independent daemon however :)

Imap4 is there for SquirrelMail ;)

Matt
 
Back
Top