
stunnel/Turnpike/namesco: MITM protection coming?


J. P. Gilliver (John)
Mar 28, 2022, 8:47:08 AM

Eileen has asked me about the following messages that have appeared in
her stunnel window (she's using stunnel 5.62):

2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
authentication to prevent MITM attacks
2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
authentication to prevent MITM attacks

She says "It hasn't stopped Stunnel from working, and so I have been
able to connect Turnpike", so I presume that means she's still getting
and sending email; seems odd - all I can think of is that namesco have
implemented the authentication challenge, but are at present proceeding
even if it isn't answered. Another possibility that has just occurred to
me is that namesco/stunnel are quite happy with each other, but they've
turned on the challenge and so the messages appear in the stunnel log
window (but the "authentication accepted" message isn't showing: is
there a "verbose" option setting in stunnel? So far I haven't had to use
it, as PlusNet don't need it yet).

Anyway, any namesco users here who have noticed these, and know what
changes, if any, Eileen has to make to stunnel.ini or whatever it's
called? (Do they involve obtaining a separate identity and/or password
from namesco [maybe one for each server?], in the same way I gather some
people have been experiencing with gmail's introduction of two-factor
authentication?)

As I've explained to Eileen, the MITM risk is nothing new, and I presume
she's never suffered such attacks over many years; all that is new is
namesco implementing protection against it, or planning to.

I wish providers would give users the option to say "I'll continue to
take the risk I've been taking for years"! I suppose they're covering
_them_selves.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

It costs more to send someone to prison than it does to send a child to Eton.
- Dan Snow (RT 2014/11/1-7)

Andy
Mar 28, 2022, 10:44:53 AM

In message <matJhJeZ1aQiFw2l@a.a>, "J. P. Gilliver (John)"
<G6...@255soft.uk> wrote
>Eileen has asked me about the following messages that have appeared in
>her stunnel window (she's using stunnel 5.62):
>
>2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
>authentication to prevent MITM attacks
>2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
>authentication to prevent MITM attacks
>
[]
Odd! I've just looked at my stunnel log, and near the top is

2022.03.28 08:08:42 LOG4[main]: Service [1and1-smtp] needs
authentication to prevent MITM attacks
2022.03.28 08:08:42 LOG4[main]: Service [1and1-pop3] needs
authentication to prevent MITM attacks

I have no idea how long this has been appearing.

Everything seems to be working normally. I run stunnel 5.22 under
Virtual Windows XP under Windows 7 pro. I haven't faffed with stunnel
upgrades coz it ain't broke.

As far as I'm aware I have nothing to do with namesco.
--
Andy Taylor FRPSL
President, Treasurer & Editor of the Austrian Philatelic Society.

John Hall
Mar 28, 2022, 11:46:36 AM

In message <UzSkhbFP...@kitzbuhel.co.uk>, Andy
<an...@kitzbuhel.co.uk> writes
Just wondering if this could be a warning message produced by Stunnel
itself rather than by the email server being used. Looking in my own
stunnel.conf file, I found it contained the comment lines:

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = ca_certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem

No idea what that all means, as it's a legacy from hacking a template
stunnel.conf file provided by stunnel.com.

In the section for each server I use I have lines such as:

verifyChain = yes
CAfile = ca-certs.pem
checkHost = pop.gmail.com
OCSPaia = yes

That may be why I don't see those messages about MITM in my own log
file. So you could try inserting these lines in both your Stunnel SMTP
and POP3 sections, substituting the relevant server name for
pop.gmail.com.
--
John Hall
"Home is heaven and orgies are vile,
But you *need* an orgy, once in a while."
Ogden Nash (1902-1971)

John Hall
Mar 28, 2022, 1:26:38 PM

In message <b+O7ycBqfdQiFwCw@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>>In message <matJhJeZ1aQiFw2l@a.a>, "J. P. Gilliver (John)"
>><G6...@255soft.uk> wrote
>>>Eileen has asked me about the following messages that have appeared
>>>in her stunnel window (she's using stunnel 5.62):
>>>
>>>2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
>>>authentication to prevent MITM attacks
>>>2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
>>>authentication to prevent MITM attacks
<snip>
>
>Just wondering if this could be a warning message produced by Stunnel
>itself rather than by the email server being used.
<snip>
>
>In the section for each server I use I have lines such as:
>
>verifyChain = yes
>CAfile = ca-certs.pem
>checkHost = pop.gmail.com
>OCSPaia = yes
>
>That may be why I don't see those messages about MITM in my own log
>file. So you could try inserting these lines in both your Stunnel SMTP
>and POP3 sections, substituting the relevant server name for
>pop.gmail.com.

It seems not to be a case of the email server authenticating you but
rather of you authenticating the email server.

For further info, see:

https://en.wikipedia.org/wiki/Man-in-the-middle_attack

Eileen Conn
Mar 28, 2022, 1:39:41 PM

Thanks John for posting the question.
Hi all - I got through to Namesco and this is their response: As we know - they have nothing to do with Outlook 365 - they just kindly took on former Demon customers when we were left high and dry by Vodafone. But they said they thought the message might be to do with Microsoft updating the security behind Outlook 365. They said that Namesco are doing nothing that would have provoked the MITM message.
Eileen

Adrian
Mar 28, 2022, 2:17:41 PM

In message <matJhJeZ1aQiFw2l@a.a>, "J. P. Gilliver (John)"
<G6...@255soft.uk> writes
>Eileen has asked me about the following messages that have appeared in
>her stunnel window (she's using stunnel 5.62):
>
>2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
>authentication to prevent MITM attacks
>2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
>authentication to prevent MITM attacks
>

That prompted me to have a look at my stunnel log.

18:17:19 LOG4[main]: Service [pop3s] needs authentication to prevent
MITM attacks
2022.03.28 18:17:19 LOG4[main]: Service [ssmtp] needs authentication to
prevent MITM attacks

Appeared when I started Turnpike up (but not from subsequent
connections). I'm using Stunnel 5.49 on Win10/32. I'm not using
namesco.

Adrian
--
To Reply :
replace "bulleid" with "adrian" - all mail to bulleid is rejected
Sorry for the rigmarole, If I want spam, I'll go to the shops
Every time someone says "I don't believe in trolls", another one dies.

J. P. Gilliver (John)
Mar 28, 2022, 6:36:47 PM

On Mon, 28 Mar 2022 at 10:39:39, Eileen Conn <peckham...@gmail.com> wrote
(my responses usually FOLLOW):
>On Monday, March 28, 2022 at 4:46:36 PM UTC+1, John Hall wrote:
>> In message <UzSkhbFP...@kitzbuhel.co.uk>, Andy
>> <an...@kitzbuhel.co.uk> writes
>> >In message <matJhJeZ1aQiFw2l@a.a>, "J. P. Gilliver (John)"
>> ><G6...@255soft.uk> wrote
>> >>Eileen has asked me about the following messages that have appeared in
>> >>her stunnel window (she's using stunnel 5.62):
>> >>
>> >>2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
>> >>authentication to prevent MITM attacks
>> >>2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
>> >>authentication to prevent MITM attacks
>Thanks John for posting the question.
>Hi all - I got through to Namesco and this is their response: As we
>know - they have nothing to do with Outlook 365 - they just kindly took
>on former Demon customers when we were left high and dry by Vodafone.
>But they said they thought the message might be to do with Microsoft
>updating the security behind Outlook 365. They said that Namesco are
>doing nothing that would have provoked the MITM message.
>Eileen

Well, it seems we have at least two other people - Andy on 1and1, and
Adrian on someone else (but not namesco) - who are getting these
messages, though don't know how long they have been getting them.

One person thought they might be that (to reduce the likelihood of MITM
attacks) you have to challenge the server for authentication, rather
than it challenging you.

For both of these, if things carry on working, we don't need to do
anything - which I realise isn't reassuring.

Anyone know if Microsoft _are_ changing security in Outlook 365?
Probably best to ask in another newsgroup - alt.windows7.general maybe -
but I don't think Google Groups carry that, so you (Eileen) would have
to set up Turnpike as a news client (which would be a lot easier than
using GG anyway - especially as you're using it for mail already!). We
can help you set it up with one of the free news servers, such as
Eternal September.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

You've made a happy man very old.
- Stephen Fry, on QI, 2014-10-18

brian
Mar 29, 2022, 4:08:06 AM

In message <vP8b09vfhjQiFwm9@a.a>, "J. P. Gilliver (John)"
<G6...@255soft.uk> writes
>On Mon, 28 Mar 2022 at 10:39:39, Eileen Conn <peckham...@gmail.com>
>wrote (my responses usually FOLLOW):
>>On Monday, March 28, 2022 at 4:46:36 PM UTC+1, John Hall wrote:
>>> In message <UzSkhbFP...@kitzbuhel.co.uk>, Andy
>>> <an...@kitzbuhel.co.uk> writes
>>> >In message <matJhJeZ1aQiFw2l@a.a>, "J. P. Gilliver (John)"
>>> ><G6...@255soft.uk> wrote
>>> >>Eileen has asked me about the following messages that have appeared in
>>> >>her stunnel window (she's using stunnel 5.62):
>>> >>
>>> >>2022 03 20 10:13:01 LOG4[main]: Service [namesco POP3] needs
>>> >>authentication to prevent MITM attacks
>>> >>2022 03 20 10:13:01 LOG4[main]: Service [namesco SSMTP] needs
>>> >>authentication to prevent MITM attacks
>[]
>>Thanks John for posting the question.
>>Hi all - I got through to Namesco and this is their response: As we
>>know - they have nothing to do with Outlook 365 - they just kindly
>>took on former Demon customers when we were left high and dry by
>>Vodafone. But they said they thought the message might be to do with
>>Microsoft updating the security behind Outlook 365. They said that
>>Namesco are doing nothing that would have provoked the MITM message.
>>Eileen
>
>Well, it seems we have at least two other people - Andy on 1and1, and
>Adrian on someone else (but not namesco) - who are getting these
>messages, though don't know how long they have been getting them.


Yes I get it too on startup. I never read the stunnel logs. Note that my
POP3 isn't namesco.


2022.03.29 09:02:45 LOG5[main]: Reading configuration from file
C:\Program Files\stunnel\config\stunnel.conf
2022.03.29 09:02:45 LOG5[main]: UTF-8 byte order mark detected
2022.03.29 09:02:45 LOG5[main]: FIPS mode disabled
2022.03.29 09:02:45 LOG4[main]: Service [b-howie POP3] needs
authentication to prevent MITM attacks
2022.03.29 09:02:45 LOG4[main]: Service [namesco SMTP] needs
authentication to prevent MITM attacks
2022.03.29 09:02:45 LOG5[main]: Configuration successful


Brian
--
Brian Howie

John Hall
Mar 29, 2022, 11:47:09 AM

<snip>
>In the section for each server I use I have lines such as:
>
>verifyChain = yes
>CAfile = ca-certs.pem
>checkHost = pop.gmail.com
>OCSPaia = yes
>
>That may be why I don't see those messages about MITM in my own log
>file.

I've now tried commenting those lines out, but I still don't see any
warning messages about MITM in my log file. So either my theory that
Stunnel was inserting the MITM warnings itself is wrong, or else I
didn't have logging set to a high enough level to see them. The theory
that it was Stunnel itself that was responsible appeared to be supported
by the fact that the text of the warning messages seemed to incorporate
the label that people had put in their config file for the section in
question, which I wouldn't expect the email server even to be aware of.

If someone seeing the warning messages tries adding the four lines above
to each relevant section in their stunnel.conf file, substituting the
relevant email server name for pop.gmail.com of course, I'd be
interested in knowing if that makes the warning messages go away.

John Hall
Mar 29, 2022, 11:57:08 AM

In message <ZhIDJ8AmkyQiFwTw@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> writes
>In message <b+O7ycBqfdQiFwCw@jhall_nospamxx.co.uk>, John Hall
><john_...@jhall.co.uk> writes
><snip>
>>In the section for each server I use I have lines such as:
>>
>>verifyChain = yes
>>CAfile = ca-certs.pem
>>checkHost = pop.gmail.com
>>OCSPaia = yes

Oh and also:

client=yes

>>
>>That may be why I don't see those messages about MITM in my own log
>>file.
>
>I've now tried commenting those lines out, but I still don't see any
>warning messages about MITM in my log file. So either my theory that
>Stunnel was inserting the MITM warnings itself is wrong, or else I
>didn't have logging set to a high enough level to see them. The theory
>that it was Stunnel itself that was responsible appeared to be
>supported by the fact that the text of the warning messages seemed to
>incorporate the label that people had put in their config file for the
>section in question, which I wouldn't expect the email server even to
>be aware of.
>
>If someone seeing the warning messages tries adding the four lines
>above to each relevant section in their stunnel.conf file, substituting
>the relevant email server name for pop.gmail.com of course, I'd be
>interested in knowing if that makes the warning messages go away.

See

https://www.stunnel.org/auth.html

for more info. It's the "Certificates: Client Configuration" section
that seems to be the relevant one.
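As an added example (not code from the thread or from the stunnel project), here is a small Python checker that parses a stunnel.conf and reports which client sections lack the server-verification options John Hall lists, and which verify the chain but never pin the server name with checkHost. The sample config, its section labels and host names are constructed, and the condition used for the warning approximates what the log lines in this thread suggest rather than reproducing stunnel's own check.

```python
import configparser

# Constructed sample stunnel.conf (not from the thread; labels and hosts are
# made up): service 1 does no server verification, service 2 is hardened as
# John Hall's post describes, service 3 verifies the chain but not the host.
SAMPLE_CONF = """\
[namesco POP3]
client = yes
accept = 127.0.0.1:110
connect = pop.example.net:995

[namesco SSMTP]
client = yes
accept = 127.0.0.1:25
connect = smtp.example.net:465
verifyChain = yes
CAfile = ca-certs.pem
checkHost = smtp.example.net
OCSPaia = yes

[other IMAPS]
client = yes
accept = 127.0.0.1:143
connect = imap.example.net:993
verifyChain = yes
CAfile = ca-certs.pem
"""

def parse_stunnel_conf(text):
    """Parse stunnel's ini-style file into {label: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option case, e.g. checkHost
    cp.read_string(text)
    return {label: dict(cp[label]) for label in cp.sections()}

def _yes(opts, key):
    return opts.get(key, "no").strip().lower() == "yes"

def unverified_client_services(sections):
    """Labels of client sections with neither verifyChain nor verifyPeer.
    Approximates the condition behind 'Service [label] needs authentication
    to prevent MITM attacks'; stunnel's own check is not on the page."""
    return [label for label, opts in sections.items()
            if _yes(opts, "client")
            and not (_yes(opts, "verifyChain") or _yes(opts, "verifyPeer"))]

def missing_hostname_check(sections):
    """Chain-verified sections that still accept any cert from the CA
    because no checkHost/checkIP/checkEmail pins the peer identity."""
    return [label for label, opts in sections.items()
            if _yes(opts, "client") and _yes(opts, "verifyChain")
            and not any(k in opts for k in ("checkHost", "checkIP", "checkEmail"))]
```

Run it against your own stunnel.conf by replacing SAMPLE_CONF with the file's contents; a label reported by the first function is the one that will appear in the "needs authentication" log line.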

Adrian
Mar 29, 2022, 2:35:55 PM

>No idea what that all means, as it's a legacy from hacking a template
>stunnel.conf file provided by stunnel.com.
>
>In the section for each server I use I have lines such as:
>
>verifyChain = yes
>CAfile = ca-certs.pem
>checkHost = pop.gmail.com
>OCSPaia = yes
>

I've just tweaked my config to add those (with appropriate changes to
checkHost), and the error message disappears. I now get messages
relating to the certificate. These appear to be confirmations, rather
than errors or warnings.

Thanks for the tip.

Andy
Mar 29, 2022, 3:17:44 PM

In message <ZhIDJ8AmkyQiFwTw@jhall_nospamxx.co.uk>, John Hall
<john_...@jhall.co.uk> wrote
>In message <b+O7ycBqfdQiFwCw@jhall_nospamxx.co.uk>, John Hall
><john_...@jhall.co.uk> writes
><snip>
>>In the section for each server I use I have lines such as:
>>
>>verifyChain = yes
>>CAfile = ca-certs.pem
>>checkHost = pop.gmail.com
>>OCSPaia = yes
>>
>>That may be why I don't see those messages about MITM in my own log
>>file.
>
My stunnel config has these lines (amongst others) - they are all
commented out!

; Authentication stuff needs to be configured to prevent MITM attacks
; It is not enabled by default!
;verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
;CAfile = certs.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively CRLfile can be used
;CRLfile = crls.pem


John Hall
Mar 30, 2022, 5:49:51 AM

In message <ccXHdgCF...@ku.gro.lloiff>, Adrian
<bul...@ku.gro.lioff> writes
>In message <b+O7ycBqfdQiFwCw@jhall_nospamxx.co.uk>, John Hall
><john_...@jhall.co.uk> writes
>>No idea what that all means, as it's a legacy from hacking a template
>>stunnel.conf file provided by stunnel.com.
>>
>>In the section for each server I use I have lines such as:
>>
>>verifyChain = yes
>>CAfile = ca-certs.pem
>>checkHost = pop.gmail.com
>>OCSPaia = yes
>>
>
>I've just tweaked my config to add those (with appropriate changes to
>checkHost), and the error message disappears. I now get messages
>relating to the certificate. These appear to be confirmations, rather
>than errors or warnings.
>
>Thanks for the tip.
>
>Adrian

Excellent. :)