
SSL-wrapped imap, was Re: secure access to IMAP server?


Alan J. Flavell
Apr 2, 1999, 3:00:00 AM
On Sun, 28 Mar 1999, Nico Kadel-Garcia wrote:

> It is possible to install an SSL wrapper for IMAP for access via clients
> that understand the SSL wrapped IMAP. It is also easier to do this and
> have your people use Netscape, Internet Exploder, etc. than to get
> SSH port forwarding running on all the systems that might need it.

Thanks. I also received email making the same suggestion, and
this seems a good moment to report back observations to usenet.

I'm now moving the discussion to comp.mail.imap as it seems a more
appropriate place for this sub-thread. BTW I should mention that this
discussion has nothing to do with CERN, it relates to my "home
institute".


I first tried sslwrap on a Digital Unix 4 machine that already had
SSLeay 0.9.0b installed. Installing sslwrap from
http://www.rickk.com/sslwrap/ proved very easy to set up, simply by
following the instructions. I made the certificate file mode 600, and
chown'ed it to sslwrap.

The only bits I stumbled over were related to tcp wrappers:

- the UID "sslwrap" wasn't able to read the hosts.allow|deny files
until I did something about it (for the present I set them
world-readable; perhaps a group membership would be a better plan)

- I had to add an entry for sslwrap into hosts.allow to permit my
client to access the server.

I was easily able to see these problems from the syslog, so it was no
big deal.

After that was done, a connection from (for example) Netscape Messenger
went very smoothly.

I emailed some suggestions to the author about the web page.
One that may be worth repeating is this:

- - -
Also, when req prompts for you "Common Name (eg, YOUR name) []" enter
your host name

ought to be placed earlier, right after the three commands have been
exhibited. I had issued those commands and answered the questions
(wrongly) before realising what I was supposed to do.
- - -

I subsequently installed SSLeay and sslwrap onto a Solaris 2.6 system,
with equal success. In both cases the compiler used was gcc 2.8.1.

These accesses definitely work in principle, from NS Messenger (tried)
and MS Outlook (reported by others). This mode of working evidently
gives protection to the whole network link, both to the authenticator
procedure and to the transfer of actual mail content.

I'm a little concerned about the CPU implications of opening this up to
users in general before we migrate to a new and more powerful mail
server in the Summer, but we'll see how it goes.


There's still confusion about what other client options are viable.
Many users are familiar with and like Eudora Light (most on Win95, a few
on Mac), which they use against the Qualcomm POP3 server, qpopper: we
were thinking some of them would like to move to Eudora Pro, so that
they could use IMAP instead, but in both cases there's still this issue
of protecting against password snooping. I see no mention of Eudora
Pro supporting the SSL wrapping technique.

Maybe it could be used with one or other secure authenticator; in most
cases, there is no real concern about secrecy of data transfers, only
about the risk of passwords being snooped. I haven't found a very clear
presentation anywhere of the secure authenticator options that are
actually available in IMAP servers and clients. Eudora Pro seems to
have some kind of MD5 authenticator - is this an option for UW IMAP
server?

The other clients that are favoured by users are PINE and PC PINE.

PINE can anyway be used against the UW IMAPD with "preauthentication".
Since our servers block r-series commands, we'd be using the variant
ssh-spoofed r-series commands to provide that function. So that
provides us with a secure authenticator. As an alternative, we come
back to running PINE over an ssh tunnel[*]

I don't see any corresponding option for PC PINE, so there, we'd
still be looking at running PC PINE over an ssh tunnel from the PC, if
there were no secure authenticator available[*].

[*]and that brings us back to the original discussion, since we don't
want to open arbitrary shells on the mail server. But I think that side
of the discussion has been explored enough for now. I'll be looking
into the practical issues raised in the various responses.

Thanks all, and could I say this was usenet at its best: high quality,
on-topic, relevant answers. I'm glad I asked.
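The two stumbles Alan reports (the tcp-wrappers entry for the `sslwrap` daemon, and the certificate whose Common Name must be the host name) are easy to check before opening the service to users. The following script is an added example written for this page, not code from the thread or from sslwrap; it parses `hosts.allow`/`hosts.deny` in the tcp-wrappers `daemon_list : client_list` form, checks whether a given client address would reach `sslwrap`, compares a certificate subject's CN against the intended host name, and confirms the PEM file is not group- or world-readable. All file contents, subjects and addresses in it are constructed samples.

```python
"""Added example (not part of the original thread): checks for the two
pitfalls reported when putting sslwrap in front of an IMAP server.
File contents, subjects and addresses are constructed samples."""

import ipaddress
import os
import re
import stat
import tempfile

# Constructed sample: hosts.allow mentions imapd and sshd only, and
# hosts.deny closes everything else, so the "sslwrap" daemon is refused
# until a line for it is added.
HOSTS_ALLOW_BEFORE = """\
# /etc/hosts.allow (constructed sample)
imapd : 192.168.10.0/255.255.255.0
sshd  : ALL
"""
HOSTS_ALLOW_AFTER = HOSTS_ALLOW_BEFORE + "sslwrap : 192.168.10.0/255.255.255.0\n"
HOSTS_DENY = "ALL : ALL\n"


def parse_hosts_file(text):
    """Parse 'daemon_list : client_list [: option]' lines into
    (daemons, clients) tuples; comments and blank lines are skipped and
    the optional third field is ignored for this access check."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one tcp-wrappers client pattern against a dotted-quad address:
    ALL, exact address, 'net/mask', or a trailing-dot prefix such as
    '192.168.10.'. Host-name patterns are not resolved here."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(
                f"{net}/{mask}", strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def wrapper_allows(daemon, addr, allow_text, deny_text):
    """tcp-wrappers evaluation order: first match in hosts.allow grants,
    then first match in hosts.deny refuses, otherwise access is granted."""
    for daemons, clients in parse_hosts_file(allow_text):
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(c, addr) for c in clients):
            return True
    for daemons, clients in parse_hosts_file(deny_text):
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(c, addr) for c in clients):
            return False
    return True


def subject_common_name(subject):
    """Pull the CN out of a one-line subject like '/C=CH/O=Example/CN=host'."""
    m = re.search(r"(?:^|/)CN=([^/]+)", subject)
    return m.group(1).strip() if m else None


def cn_matches_host(subject, hostname):
    """True when the certificate CN is exactly the host name clients will
    connect to (the answer the 'Common Name' prompt should get)."""
    cn = subject_common_name(subject)
    return cn is not None and cn.lower() == hostname.lower()


def key_file_private(path):
    """True when the PEM file (certificate plus private key) carries no
    group or other permission bits, i.e. mode 600 as in the report."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Run the constructed samples through every check and return the results."""
    client = "192.168.10.25"
    results = {
        "sslwrap_before": wrapper_allows("sslwrap", client, HOSTS_ALLOW_BEFORE, HOSTS_DENY),
        "sslwrap_after": wrapper_allows("sslwrap", client, HOSTS_ALLOW_AFTER, HOSTS_DENY),
        "imapd_before": wrapper_allows("imapd", client, HOSTS_ALLOW_BEFORE, HOSTS_DENY),
        # Constructed subjects: the first is the mistake of typing a person's
        # name at the CN prompt, the second is the host name the server uses.
        "wrong_cn": cn_matches_host("/C=CH/O=Example/CN=Alan Flavell", "imap.example.org"),
        "right_cn": cn_matches_host("/C=CH/O=Example/CN=imap.example.org", "imap.example.org"),
    }
    with tempfile.TemporaryDirectory() as d:
        pem = os.path.join(d, "sslwrap.pem")  # constructed placeholder file
        with open(pem, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n")
        os.chmod(pem, 0o644)
        results["key_world_readable"] = key_file_private(pem)
        os.chmod(pem, 0o600)
        results["key_mode_600"] = key_file_private(pem)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {ok}")
```

Run against a real system, the same functions take the contents of `/etc/hosts.allow` and `/etc/hosts.deny`, the subject line printed by `openssl x509 -noout -subject`, and the path of the sslwrap PEM file; the CN comparison is exact, so a wildcard certificate would need its own rule.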


Ricardo Stella
Apr 2, 1999, 3:00:00 AM

In the US we can't use SSLeay, correct but must/may/could/are allowed?
to use RSARef...

Does anyone have instructions on how to use SSTunnel or SSLwrap for us
folks in the US ?

I'm also trying to implement SIMAP...

Thanks in advance. Please do not reply directly.

Nico Kadel-Garcia
Apr 3, 1999, 3:00:00 AM
On Fri, 02 Apr 1999 14:56:21 -0500, Ricardo Stella <stella...@poseidon.rider.edu> wrote:
>
>In the US we can't use SSLeay, correct but must/may/could/are allowed?
>to use RSARef...

There's wackiness there. Hop over to www.openssl.org for more details.
You can *BUY* a copy of SSL enabled software, such as the apache-ssl
distribution of RedHat Linux. But RSA is still patented, and RSA is
being a bit odd about people using the patents. They don't seem to be
pursuing individuals for violations, but they're cooperating with the
weird and blatantly unconstitutional export regulations on
cryptography.

I would never, never tell a US resident to download RSA enabled software
from ftp://ftp.ox.ac.uk/pub/crypto/. Nope, I'd never drop such a hint.

--

Tom Karches
Apr 14, 1999, 3:00:00 AM
to Ricardo Stella

Ricardo Stella wrote:
>
> In the US we can't use SSLeay, correct but must/may/could/are allowed?
> to use RSARef...

edu's can use RSAref at no cost.

>
> Does anyone have instructions on how to use SSTunnel or SSLwrap for us
> folks in the US ?

Try http://www.dtcc.edu/cs/admin/notes/ssl/

Tom
--
Tom Karches
Systems Programmer, Information Technology
North Carolina State University
phone...919.515.5508...email...twk@ncsu.edu
