Domingo, 19 de Agosto de 2007
Servidor caseiro - XII
POP3
over SSL, importante isto, as pessoas deviam habituar-se a utilizarem comunicações seguras nos seus e-mails, embora a maioria das vezes os responsáveis sejam os administradores de sistemas que ou não estão sensibilizados para a questão ou são incompetentes.
Há vários modos de implementar POP3/SSL em qmail, as mais das vezes, recorrendo a
patches.
Eu prefiro utilizar o stunnel.
O stunnel é um software que permite cifrar ligações TCP/IP sobre SSL sem ser necessário mexer no código dos
daemons, nest caso o qmail-popup.
Na prática, o que vai acontecer é o estabelecimento de um túnel SSL entre o cliente de correio electrónico e o servidor. Dentro deste túnel SSL, vão passar os comandos normais do POP3 que o stunnel encaminha para o qmail-popup. Assim, a comunicação que passa na rede é segura.
Primeiro, é necessário criar uma chave SSL para o servidor:
# ./openssl req -new -x509 -days 365 -nodes -out imapd.pem -keyout imapd.pem || cleanup# ./openssl gendh >> imapd.pem || cleanout# ./openssl x509 -subject -dates -fingerprint -noout -in imapd.pem || cleanupDe seguida, instalar e configurar o stunnel (na instalação, são-me pedidos os dados para a criação de um certificado, mas é irrelevante, pois vai ser substituído pelo criado acima):
# ./configure --with-ssl=/usr/local/ssl# make# make install# cp /usr/local/ssl/bin/imapd.pem /usr/local/etc/stunnel/stunnel.pem# cd /usr/local/etc/stunnel/# cp stunnel.conf-sample stunnel.confO ficheiro stunnel.conf deve ficar exactamente assim:
; Sample stunnel configuration file by Michal Trojnara 2002-2006; Some options used here may not be adequate for your particular configuration; Please make sure you understand them (especially the effect of chroot jail); Certificate/key is needed in server mode and optional in client modecert = /usr/local/etc/stunnel/stunnel.pem;key = /usr/local/etc/stunnel/mail.pem; Protocol version (all, SSLv2, SSLv3, TLSv1)sslVersion = all; Some security enhancements for UNIX systems - comment them out on Win32#chroot = /usr/local/var/lib/stunnel/#setuid = nobody#setgid = nobody; PID is created inside chroot jailpid = /tmp/stunnel.pid; Some performance tuningssocket = l:TCP_NODELAY=1socket = r:TCP_NODELAY=1;compression = rle; Workaround for Eudora bug;options = DONT_INSERT_EMPTY_FRAGMENTS; Authentication stuff;verify = 2; Don't forget to c_rehash CApath; CApath is located inside chroot jail;CApath = /certs; It's often easier to use CAfile;CAfile = /usr/local/etc/stunnel/certs.pem; Don't forget to c_rehash CRLpath; CRLpath is located inside chroot jail;CRLpath = /crls; Alternatively you can use CRLfile;CRLfile = /usr/local/etc/stunnel/crls.pem; Some debugging stuff useful for troubleshootingdebug = 7output = stunnel.logexec = /var/qmail/bin/qmail-popupexecargs = qmail-popup 0 /usr/local/bin/checkpassword /var/qmail/bin/qmail-pop3d Maildirtransparent = yeslocal = 192.168.0.101; Use it for client modeclient = no; Service-level configuration#[pop3s]#accept = 995#connect = 110#[imaps]#accept = 993#connect = 143#[ssmtp]#accept = 465#connect = 25;[https]#;accept = 443#;connect = 80#;TIMEOUTclose = 0; vim:ft=dosiniÉ necessário criar uma
run file nova para o POP3/SSL:
#!/bin/shenv - PATH="/usr/local/bin" \ setuidgid qmaill multilog t s2500000 /var/log/qmail/qmail-popups \ 2>&1Envio um e-mail primeiro:
# telnet planetgeek.dynip.sapo.pt 25Trying 192.168.0.101...Connected to planetgeek.dynip.sapo.pt (192.168.0.101).Escape character is '^]'.220 planetgeek.dynip.sapo.pt ESMTPEHLO planetgeek.dynip.sapo.pt250-planetgeek.dynip.sapo.pt250-PIPELINING250 8BITMIMEMAIL FROM: root@planetgeek.dynip.sapo.pt250 okRCPT TO: teste@planetgeek.dynip.sapo.pt250 okDATA354 go aheadTeste do POP3/SSL.250 ok 1187479718 qp 8456QUIT221 planetgeek.dynip.sapo.ptConnection closed by foreign host.Agora testo com o openssl (a porta do POP3/SSL é a 995):
# /usr/local/ssl/bin/openssl s_client -connect planetgeek.dynip.sapo.pt:995CONNECTED(00000003)depth=0 /C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.ptverify error:num=18:self signed certificateverify return:1depth=0 /C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.ptverify return:1---Certificate chain 0 s:/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt i:/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt---Server certificate-----BEGIN CERTIFICATE-----MIIDzjCCAzegAwIBAgIJAJa6WcKI1VROMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYDVQQGEwJwdDEPMA0GA1UECBMGQXZlaXJvMQ8wDQYDVQQHEwZJbGhhdm8xDTALBgNVBAoTBEhvbWUxDjAMBgNVBAsTBURldmVsMSEwHwYDVQQDExhwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHQxLjAsBgkqhkiG9w0BCQEWH2dhbWl0b0BwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHQwHhcNMDcwODE4MjMwOTQwWhcNMDgwODE3MjMwOTQwWjCBoTELMAkGA1UEBhMCcHQxDzANBgNVBAgTBkF2ZWlybzEPMA0GA1UEBxMGSWxoYXZvMQ0wCwYDVQQKEwRIb21lMQ4wDAYDVQQLEwVEZXZlbDEhMB8GA1UEAxMYcGxhbmV0Z2Vlay5keW5pcC5zYXBvLnB0MS4wLAYJKoZIhvcNAQkBFh9nYW1pdG9AcGxhbmV0Z2Vlay5keW5pcC5zYXBvLnB0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD1y9dbW0wJZScNQV0fCisBLRakDJWTioXgb5Kzr333ZsF/X8N5ktPEpVQ/3weRbT9RqYMQzHWTHyDBhQDQ5L4yoNeitmAXCfO129wDtw7qLlOm6THaktzHRLuWnS5bLWBBdnSnELyIQ/xCANGTcRvjKmIrA3WkvbAgkeMg0SjCFQIDAQABo4IBCjCCAQYwHQYDVR0OBBYEFJVvEdEfiVb36m31qTJIpIPLlwQjMIHWBgNVHSMEgc4wgcuAFJVvEdEfiVb36m31qTJIpIPLlwQjoYGnpIGkMIGhMQswCQYDVQQGEwJwdDEPMA0GA1UECBMGQXZlaXJvMQ8wDQYDVQQHEwZJbGhhdm8xDTALBgNVBAoTBEhvbWUxDjAMBgNVBAsTBURldmVsMSEwHwYDVQQDExhwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHQxLjAsBgkqhkiG9w0BCQEWH2dhbWl0b0BwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHSCCQCWulnCiNVUTjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIiPOkLa6QPkk2VHmIasjobvnczZNrA63ygoiSFbBDBtsq+UZOcaKBG1L9z1B2n1in5RcQ0ueWnKaymBw8XYkANdRLqXy5Y0+/M9htFAiLWQGjbjqnNPrsZ531UBV+Hz+zda2FYZsyddiQEizKK2d4KZwVEG3jpXFZ2GVRPBcGya-----END CERTIFICATE-----subject=/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.ptissuer=/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt---No client certificate CA names sent---SSL handshake has read 1140 bytes and written 340 bytes---New, TLSv1/SSLv3, Cipher is AES256-SHAServer public key is 1024 bitCompression: NONEExpansion: NONESSL-Session: Protocol : TLSv1 Cipher : AES256-SHA Session-ID: 7466A4FF1DCCEB905D40DDD0DE27F5162B82192ADE6A35B4309AB6A920F81EC5 Session-ID-ctx: Master-Key: 2F48EBCFC4134C96571D61598A38AF35B31A6A1C14419484E57F924B16FD8C75B33685A9B3D35957188F2451F823DEF7 Key-Arg : None Start Time: 1187480851 Timeout : 300 (sec) Verify return code: 18 (self signed certificate)---+OK <8539.1187480851@0>user teste+OKpass segredo+OKstat+OK 1 293list+OK1 293.retr 1+OKReturn-Path: <root@planetgeek.dynip.sapo.pt>Delivered-To: teste@planetgeek.dynip.sapo.ptReceived: (qmail 8456 invoked by uid 0); 18 Aug 2007 23:28:22 -0000Received: from unknown (HELO planetgeek.dynip.sapo.pt) (192.168.0.101) by 0 with SMTP; 18 Aug 2007 23:28:22 -0000Teste do POP3/SSL.dele 1+OKquit+OKclosedFunga :)
Until next...
POP3? Então o IMAP???
De
gamito a 19 de Agosto de 2007 às 10:38
É já a seguir...
Volta daqui a pouco que já cá tens :)
Comentar post
Os comentários são da exclusiva resonsabilidade dos seus autores.
Mário Gamito, 2004 - 2007
Todos os direitos reservados.