
   This howto explains how to set up qpopper (POP3) with
  SSL encryption to securely download email from your POP3 server.



This howto assumes you have a basic knowledge of qpopper and OpenSSL
in general. It does not cover installing either one, only the setup
between the two. But let's be sure: you've compiled qpopper
with SSL support? ;)

First create a place to store your OpenSSL keys safely (a directory
needs the execute bit set to be entered, hence mode 750):

mkdir -p -m 750 /etc/mail/certs
chown root:mail /etc/mail/certs
chmod 750 /etc/mail/certs

Use openssl to create a public-private key pair and a certificate
signing request (CSR).

openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem

(Answer the questions it asks after this command is run, and fill the
options in completely.)

Next,

chmod 600 /etc/mail/certs/cert.pem
chown root:0 /etc/mail/certs/cert.pem

If you don't want to send your CSR in and pay a real CA to sign it,
do NOT do step 1a right now; follow step 1b below it instead.

1a.
Send the certificate signing request (file req.pem) to your
Certificate Authority for signing. You will receive back a
signed request. Assuming this signed request is in a file called
signed-req.pem, concatenate it to the private key generated earlier:

cat signed-req.pem >> /etc/mail/certs/cert.pem

1b.
If you want to sign your own certificate and be your own CA, to
avoid sending it to a Certificate Authority, do the following AFTER
you have done everything above up to (but not including) the
cat signed-req.pem step, which is done after the following 3 commands.

openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem \
    -out signed-req.pem -CAcreateserial

Now you can run:

cat signed-req.pem >> /etc/mail/certs/cert.pem
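
Added example (not part of the original howto): a small sh script that checks the finished cert.pem really holds a private key plus a certificate matching it, optionally signed by your ca.crt, and that the file is mode 600. The function names and the test subject names are this example's own; build_demo_bundle repeats step 1b with -subj and without -des3 so it runs without prompts.

```sh
#!/bin/sh
# Added example: sanity-check a combined key+certificate file such as
# /etc/mail/certs/cert.pem. Function names here are this example's own.

# check_pem_bundle BUNDLE [CA_CERT]
# Returns 0 if OK, 1 no private key, 2 no certificate, 3 key/cert mismatch,
# 4 not signed by CA_CERT, 5 file readable by group or others.
check_pem_bundle() {
    bundle=$1; ca=${2:-}
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) ||
        { echo "$bundle: no usable private key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) ||
        { echo "$bundle: no certificate appended" >&2; return 2; }
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "$bundle: certificate does not match private key" >&2; return 3; }
    if [ -n "$ca" ]; then
        openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 ||
            { echo "$bundle: not signed by $ca" >&2; return 4; }
    fi
    case $(ls -l "$bundle") in
        -r?-------*) ;;
        *) echo "$bundle: readable by group/others (want mode 600)" >&2; return 5 ;;
    esac
}

# build_demo_bundle DIR: constructed test data following step 1b, made
# non-interactive with -subj and an unencrypted CA key (no -des3), so there
# are no prompts. The subject names are made up for this example.
build_demo_bundle() (
    set -e; cd "$1"
    openssl req -new -nodes -subj "/CN=pop.example.test" \
        -out req.pem -keyout cert.pem 2>/dev/null
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key ca.key \
        -subj "/CN=Constructed Test CA" -out ca.crt
    openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem \
        -out signed-req.pem -CAcreateserial 2>/dev/null
    cat signed-req.pem >> cert.pem
    chmod 600 cert.pem
)

# Run as: sh check_bundle.sh /etc/mail/certs/cert.pem [ca.crt]
[ $# -eq 0 ] || check_pem_bundle "$@"
```

A non-zero exit status tells you which part of the bundle is wrong before qpopper ever tries to load it.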

--

Next we configure qpopper.config. You may place this file anywhere you
like on your system. There are a few options to adjust inside it;
they are as follows.
(tls-support can also be set to "stls".)

set tls-support       = alternate-port
set tls-version       = default
set tls-server-cert-file   = /etc/mail/certs/cert.pem

To wrap things up:

Use the -f config-file-path command-line option to tell Qpopper to
read the configuration file. A sample inetd line is below (it must be
a single line in inetd.conf):

pop3s  stream tcp   nowait root /usr/local/sbin/popper popper -s -f /etc/mail/qpopper.config

(Of course, make sure pop3s is listed in your /etc/services
as --> pop3s      995/tcp)

If using inetd, run killall -HUP inetd, and you should be all set.

To test whether this is truly encrypting email, I'd suggest some sort of
sniffing software from your local freshmeat or the FreeBSD ports.
snort works nicely, with these examples:

snort -vde -i lo0 tcp port 995
snort -vde tcp port 995

You can watch the traffic on your pop3s port to confirm that it is SSL-encrypted.

P.S. As I state in all my articles, I "may" leave something out accidentally
because I think it's trivial. I do not mean or intend to do this, so if you
find this is the case in one, please email me for a prompt article update.
Thank you.


Written by: Didjital One (didjital1@ePIMP.com)


© 1998 - 2010 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.