OpenBSD Journal

Write up on: SSL-protected POP3 service for OpenBSD

Contributed by grey from the good to see other Johan Van Roy fans who are OpenBSD users dept.

Thanks to Patroklos G. Argyroudis for writing in with the following write-up (in English and Greek, no less) on configuring SSL-wrapped POP3 on OpenBSD:

Some time ago I posted on my personal weblog the details of setting up an SSL-protected POP3 server on OpenBSD. You can also find a Greek translation of the post as a small article on the BSD.gr web page. For those of you that don't know, BSD.gr is an effort to support and promote the use of free 4.4BSD-based systems among Greek users.



Comments
  1. By Anonymous Coward (69.197.92.190) on

    How about this for a writeup:

    pkg_add courier-pop3

    You can even get mysql, postgresql, or openldap support, as well as imaps if you want, just from installing the appropriate package.

    Comments
    1. By Brad (216.138.200.42) brad at comstyle dot com on

      I haven't added FLAVORs for the MySQL, PostgreSQL or OpenLDAP support yet but Dovecot can also support POP3/IMAP4/POP3S/IMAP4S with both MBOX and Maildir.

    2. By chas (12.217.90.112) on rhadmin.org

      Since popa3d is included in the base and we can be more confident of its security, why not use it instead of qpopper?

      What is wrong with using stunnel and popa3d? Why is qpopper preferable?

  2. By mirabile (2001:6f8:94d:1:2c0:9fff:fe1a:6a01) on http://mirbsd.de/

    You can also use the
    | openssl s_server
    | openssl s_client
    commands to wrap around a popa3d (which is part of OpenBSD base, and thus deemed way more secure).

    Just for the sake of completeness, uw-imapd heavily offers pop3 or imap via SSL, too.
    

  3. By Alex Hafey (211.31.26.219) alex@hafey.org on http://www.alex.hafey.org

    I looked at a few options as well before I ended up using qpopper, despite extra code cruft which needs cleaning out and a less-than-stellar security history.

    My main reasons were support for STLS, which wrapping openssl_* around popa3d won't give you, and stability, which akpop3d didn't give me on OpenBSD. Qpopper also supports alternate SSL toolkits if you're interested; not cryptlib, unfortunately.

    Because I didn't trust popper, I chrooted it using a statically built binary and libwrapped it.

    /etc/inetd.conf
    203.98.94.7:pop3 stream tcp nowait root /usr/libexec/tcpd      /usr/sbin/popa3d
    203.98.94.7:spop stream tcp nowait root /usr/libexec/tcpd       /usr/local/sbin/popper /var/mail /usr/local/sbin/popper -l2 -p4 -S -R -s -f /etc/mail/pop/qpopper.config
    
    popa3d runs as well for all those people I haven't convinced yet!
    
    qpopper runs on tcp/995 for alternate (SSL encrypted only) services
    
    /usr/local/sbin/popper is a symlink to /usr/sbin/chroot.
    
    chroot jail looks like this:
    
    
    ns1# ls -alR
    total 43416
    drwxrwxr-x   6 root      mail           512 Aug 16 10:02 .
    drwxr-xr-x  26 root      wheel          512 Jun 15 21:07 ..
    -rw-------   1 alex      alex      27320944 Aug 16 08:22 alex
    [other mailbox listings removed to protect the innocent]
    dr-xr-xr-x   2 root      mail           512 Jul 23 19:20 dev
    dr-xr-xr-x   3 root      mail           512 Jun 15 20:59 etc
    dr-x------   3 root      mail           512 Jun 15 15:38 usr
    dr-xr-xr-x   2 root      mail           512 Jun 15 15:57 var
    
    ./dev:
    total 2
    dr-xr-xr-x  2 root  mail       512 Jul 23 19:20 .
    drwxrwxr-x  6 root  mail       512 Aug 16 10:02 ..
    crw-r--r--  1 root  mail   45,   4 Sep  7  2002 arandom
    srw-rw-rw-  1 root  mail         0 Jul 23 19:20 log
    crw-r--r--  1 root  mail    2,   2 Sep  7  2002 null
    crw-r--r--  1 root  mail   45,   2 Sep  7  2002 urandom
    
    ./etc:
    total 58
    dr-xr-xr-x  3 root  mail    512 Jun 15 20:59 .
    drwxrwxr-x  6 root  mail    512 Aug 16 10:02 ..
    -r--------  1 root  mail     12 Jun 15 15:21 hosts.allow
    -r--------  1 root  mail     10 Jun 15 15:13 hosts.deny
    -r--r--r--  1 root  mail    785 Apr 29  2001 localtime
    dr-x------  4 root  mail    512 Jun 15 20:14 mail
    -r--------  1 root  mail   1704 Jun 15 20:49 master.passwd
    -r--------  1 root  mail    727 Jun 15 20:46 passwd
    -r--------  1 root  mail   8973 Jun 15 20:59 services
    -r--------  1 root  mail  40960 Jun 15 20:50 spwd.db
    
    [password file stripped down to just non-wheel user accounts]
    
    ./etc/mail:
    total 4
    dr-x------  4 root  mail  512 Jun 15 20:14 .
    dr-xr-xr-x  3 root  mail  512 Jun 15 20:59 ..
    dr-x------  2 root  mail  512 Jun 15 20:14 certs
    dr-x------  2 root  mail  512 Jun 15 20:14 pop
    
    ./etc/mail/certs:
    total 4
    dr-x------  2 root  mail   512 Jun 15 20:14 .
    dr-x------  4 root  mail   512 Jun 15 20:14 ..
    -rw-------  1 root  mail  1009 Jun 13 12:41 cert.pem
    -rw-------  1 root  mail   891 Jun 13 12:46 key.pem
    
    ./etc/mail/pop:
    total 4
    dr-x------  2 root  mail  512 Jun 15 20:14 .
    dr-x------  4 root  mail  512 Jun 15 20:14 ..
    -r--------  1 root  mail  480 Jun 14 22:53 cfg.bak
    -r--------  1 root  mail  410 Jun 15 16:45 qpopper.config
    
    ./usr:
    total 3
    dr-x------  3 root  mail  512 Jun 15 15:38 .
    drwxrwxr-x  6 root  mail  512 Aug 16 10:02 ..
    dr-x------  3 root  mail  512 Jun 15 15:38 local
    
    ./usr/local:
    total 3
    dr-x------  3 root  mail  512 Jun 15 15:38 .
    dr-x------  3 root  mail  512 Jun 15 15:38 ..
    dr-x------  2 root  mail  512 Jun 15 16:46 sbin
    
    ./usr/local/sbin:
    total 870
    dr-x------  2 root  mail      512 Jun 15 16:46 .
    dr-x------  3 root  mail      512 Jun 15 15:38 ..
    ---x--x--x  1 root  bin     20480 Sep  9  2002 nologin
    ---x------  1 root  wheel  860160 Jun 15 13:20 popper
    
    ./var:
    total 2
    dr-xr-xr-x  2 root  mail  512 Jun 15 15:57 .
    drwxrwxr-x  6 root  mail  512 Aug 16 10:02 ..
    lrwxr-xr-x  1 root  mail    1 Jun 15 15:57 mail -> /
    
    /etc
    ns1# diff security security.orig
    426c426
    < ls -l /var/mail | egrep -v "dev|etc|usr|var|cache" | sed 1d | \
    ---
    > ls -l /var/mail | sed 1d | \
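    Review bot: the exclusion pattern in the `<` line, `egrep -v "dev|etc|usr|var|cache"`, matches anywhere in the `ls -l` output line, so any mailbox whose owner or name contains one of those strings (a user `devon`, for instance) silently drops out of the nightly /var/mail ownership and mode check. Anchor it to the filename at the end of the line, e.g. `egrep -v ' (dev|etc|usr|var|cache)$'`. `cache` also corresponds to no directory in the jail listing above, so either document what it is for or drop it.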
    
    /etc/mtree
    ns1# diff special ../special
    157c157
    < mail          type=dir mode=0755 uname=root gname=wheel ignore
    ---
    > mail          type=dir mode=0775 uname=root gname=mail ignore
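    Review bot: the `<` side (the edited /etc/mtree/special) declares the mail directory as mode=0755 uname=root gname=wheel, but the jail root in the `ls -alR` output above is `drwxrwxr-x root mail`, i.e. 0775 root:mail, which is what the `>` side describes. Whichever file is the live one, the mtree entry and the directory must agree, otherwise the daily security(8) run reports /var/mail as a mismatch; the diff as shown leaves them disagreeing.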
    
    /etc/rc.conf:syslogd_flags="-a /var/mail/dev/log"
    
    
    Cheers,
    Alex.
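The jail layout above, turned into a script. This is an added example, not code from the comment or from qpopper: it builds the directory tree and the stripped account database the listing shows, using the modes and device numbers from that listing. The jail path, the uid cut-off used to strip master.passwd, the hosts.allow rule and the `mail` group handling are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original comment or from qpopper: build
# the minimal chroot skeleton for a statically linked POP3 daemon along the
# lines of the listing above. Directory modes and device numbers come from
# that listing; the jail path, the uid cut-off and the hosts.allow rule are
# assumptions.
set -eu

# Keep only ordinary, non-wheel accounts from a master.passwd stream.
# Fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
# Drops root, anything in gid 0 (wheel) and system accounts below uid 1000
# (the cut-off is an assumption), so the hashes a jailed daemon can read
# belong only to mail users.
filter_passwd() {
    awk -F: '$3 != 0 && $4 != 0 && $3 >= 1000'
}

# Build the jail: directory tree, stripped account file, libwrap policy,
# then the read-only modes from the listing. $2 is the master.passwd source
# (normally /etc/master.passwd, which needs root to read).
make_jail() {
    jail=$1 src=$2
    mkdir -p "$jail/dev" "$jail/etc/mail/certs" "$jail/etc/mail/pop" \
             "$jail/usr/local/sbin" "$jail/var"
    # Inside the jail, /var/mail must resolve to the jail root, where the
    # mailboxes live, so the daemon's spool path works unchanged.
    [ -L "$jail/var/mail" ] || ln -s / "$jail/var/mail"
    # Account database without privileged entries. On OpenBSD regenerate
    # spwd.db afterwards with: pwd_mkdb -d "$jail/etc" "$jail/etc/master.passwd"
    filter_passwd < "$src" > "$jail/etc/master.passwd"
    # libwrap policy read by the daemon itself from inside the jail
    # (assumption: deny everything except the pop service).
    printf 'ALL: ALL\n' > "$jail/etc/hosts.deny"
    printf 'popper: ALL\n' > "$jail/etc/hosts.allow"
    chmod 400 "$jail/etc/master.passwd" "$jail/etc/hosts.allow" "$jail/etc/hosts.deny"
    chmod 500 "$jail/etc/mail" "$jail/etc/mail/certs" "$jail/etc/mail/pop" \
              "$jail/usr" "$jail/usr/local" "$jail/usr/local/sbin"
    chmod 555 "$jail/dev" "$jail/etc" "$jail/var"
    # The jail root is the spool: group mail needs write access, as in the listing.
    chmod 775 "$jail"
    if [ "$(id -u)" -eq 0 ] && getent group mail >/dev/null 2>&1; then
        chgrp mail "$jail"
    fi
}

# Device nodes (major/minor from the listing, i.e. OpenBSD i386 at the time;
# check them against ls -l /dev on the target). Needs root, so kept separate.
# dev/log is not created here: syslogd creates it when started with
# syslogd_flags="-a /var/mail/dev/log".
make_devices() {
    jail=$1
    mknod -m 644 "$jail/dev/null"    c 2  2
    mknod -m 644 "$jail/dev/urandom" c 45 2
    mknod -m 644 "$jail/dev/arandom" c 45 4
}

# Usage: sh mkjail.sh /var/mail /etc/master.passwd   (as root, to get devices)
if [ $# -eq 2 ]; then
    make_jail "$1" "$2"
    [ "$(id -u)" -eq 0 ] && make_devices "$1"
fi
```

The modes are applied last, because once etc/ is 555 nothing further can be written there without root; the same ordering applies when you rebuild the jail by hand. The account filter is the security-relevant step: a statically linked daemon that reads its own /etc/master.passwd must never see the wheel hashes, which is what the comment's "stripped down to just non-wheel user accounts" line is about.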

    Comments
    1. By Anonymous Coward (216.138.200.42) on

      What is STLS?

      Comments
      1. By Brad (216.138.200.42) brad at comstyle dot com on

        Dovecot supports the STARTTLS extension too for IMAP/POP3.
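Two ways of getting TLS onto POP3 come up in this thread: an SSL-wrapped listener on pop3s/995 (popa3d behind stunnel or openssl s_server, qpopper -S) and the STLS command asked about above, which upgrades a plaintext session on port 110 (RFC 2595). The following is an added example, not code from the thread or from qpopper, popa3d or Dovecot, that probes a server for both and refuses to call either one "ok" unless the certificate chain verifies. The host name and CA file are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread or from qpopper, popa3d or
# Dovecot: probe a POP3 server for the two TLS modes discussed above, an
# SSL-wrapped listener on pop3s/995 and an STLS upgrade (RFC 2595) on the
# plain pop3 port. Host name and CA file are assumptions.
set -eu

# Does a CAPA reply (RFC 2449) advertise STLS? Raw server text on stdin,
# CRLF tolerated; exit 0 only if STLS appears before the terminating ".".
capa_offers_stls() {
    awk '
        { sub(/\r$/, "") }
        NR == 1 && $0 !~ /^\+OK/ { exit 1 }   # CAPA rejected: no STLS either
        $0 == "STLS"             { found = 1 }
        $0 == "."                { exit !found }
        END                      { exit !found }
    '
}

# Require a clean chain check in openssl s_client output. With a self-signed
# cert.pem like the one in the jail, pass that file as -CAfile; anything else
# returns 1 and the session must not carry a password.
s_client_verified() {
    grep -q '^ *Verify return code: 0 (ok)'
}

# Live probe (needs network): implicit TLS on 995, then STLS on 110.
# -verify_return_error makes s_client abort instead of continuing past a
# failed verification, so a bad cert never reaches USER/PASS.
pop3_tls_probe() {
    host=$1 cafile=$2
    printf 'QUIT\r\n' | openssl s_client -connect "$host:995" \
        -CAfile "$cafile" -verify_return_error 2>/dev/null \
        | s_client_verified && echo "$host:995 pop3s ok"
    printf 'QUIT\r\n' | openssl s_client -connect "$host:110" -starttls pop3 \
        -CAfile "$cafile" -verify_return_error 2>/dev/null \
        | s_client_verified && echo "$host:110 STLS ok"
}

# Usage: sh pop3probe.sh mail.example.org /etc/mail/certs/cert.pem
if [ $# -eq 2 ]; then pop3_tls_probe "$1" "$2"; fi
```

The STLS path has one caveat the wrapped-port path does not: the CAPA reply travels in the clear, so an active attacker can strip the STLS line and the client will happily authenticate in plaintext unless it was configured to require TLS. That is why the probe checks the CAPA reply and the chain separately, and why a client policy of "TLS required" matters more than the choice between 995 and STLS.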
