Aus crazylinux.de
Zur Navigation springen Zur Suche springen

This how to explains how to setup qpopper (pop3) with ssl encryption to securely download emails from your pop3. (JT:I used 1b)

This howto strictly depends on you having a base knowledge of qpopper and OpenSSL in general, it does not guide the install of either, only the setup between the two. But lets be sure you've compiled qpopper with ssl support? ;)

1 Setup

First create a place to store your openssl keys safely

mkdir -p -m665 /etc/mail/certs
chown root:mail /etc/mail/certs
chmod 660 /etc/mail/certs

Use openssl to create a public-private key pair and a certificate signing request (csa).

openssl req -new -nodes -sha512 -newkey rsa:4096 -out cert.csr -keyout cert.pem

(follow questions it asks after this command is used and fill the options in completely)


chmod 600 /etc/mail/certs/cert.pem
chown root:0 /etc/mail/certs/cert.pem

2 Selfsigned/Real Certificate

if you dont want to send your cert in, to pay for a real CA to sign it do NOT do this step right now follow 1b. below this 1a.

1a. send the certificate signing request (file req.pem) to your Certificate Authority for signing. You will receive back a signed request. Assuming this signed request is in a file called signed_req.pem, concatenate it to the private key generated earlier:

cat signed-req.pem >> /etc/mail/certs/cert.pem

1b. if you want to sign your own and be your own CA from above to avoid sending it to a Certificate Authority do the following. AFTER you have done the above up to the cat signed-req, which will be done the following 3.

openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
openssl x509 -req -CA ca.crt -CAkey ca.key -days 365 -in req.pem -out signed-req.pem -CAcreateserial

now you can

cat signed-req.pem >> /etc/mail/certs/cert.pem

3 Configuration

next we configure /etc/qpopper.conf , you may place this anywhere you like in your system inside of it there are a few options to adjust inside. they are as follows. (set tls-support) can also be "stls".

set clear-text-password      = tls
set tls-support              = alternate-port
set tls-version              = default
set tls-server-cert-file     = /etc/mail/certs/cert.pem
set UW-kluge                 = true
set log-facility             = mail
set shy                      = true
set downcase-user            = true
set server-mode              = true

to wrap things up

4 Inetd

Use the -f config-file-path command-line option to tell Qpopper to read the configuration file. a sample inetd line is below:

pop3s           stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.qpopper -f /etc/qpopper.conf

(of course making sure pop3s is inside of your /etc/services as --> pop3s 995/tcp

5 Logging

Bei jeder Verbindung zum Qpopper wird ein Eintrag im syslog gemacht

Dec 29 03:30:46 linuxserver in.qpopper[26465]: connect from (

Das ist nervig und müllt das Log zu. Nach langem Wühlen fand ich jedenfalls die Ursache: inetd bzw. tcpd loggen mit LogFacility daemon.info. Jetzt muß nur noch der syslogd entsprechend konfiguriert (/etc/syslog.conf) werden:

*.*;auth,authpriv.none,mail.!*,daemon.!info     -/var/log/syslog

debug-ausgabe vom syslog:

Successful select, descriptor count = 1, Activity on: 3
Message from UNIX socket: #3
Message length: 75, File descriptor: 3.
logmsg: daemon.info<30>, flags 2, from gretchen, msg Dec 29 03:30:46 in.qpopper[26465]: connect from (
Called fprintlog, logging to FILE /var/log/syslog
Called fprintlog, logging to FILE /var/log/daemon.log
Called fprintlog, logging to FILE /var/log/daemon.log
Called fprintlog, logging to PIPE |/dev/xconsole
Calling select, active file descriptors (max 3): 3

6 Weiteres

if using inetd, killall -HUP inetd, and you should be all set.

taken from http://www.defcon1.org/html/Security/Qpop-SSL/qpop-ssl.html