Comentar - The Remains Of The Day

« post anterior | home | post seguinte »

Domingo, 19 de Agosto de 2007

Servidor caseiro - XII

POP3 over SSL, importante isto, as pessoas deviam habituar-se a utilizarem comunicações seguras nos seus e-mails, embora a maioria das vezes os responsáveis sejam os administradores de sistemas que ou não estão sensibilizados para a questão ou são incompetentes.

Há vários modos de implementar POP3/SSL em qmail, as mais das vezes, recorrendo a patches.
Eu prefiro utilizar o stunnel.
O stunnel é um software que permite cifrar ligações TCP/IP sobre SSL sem ser necessário mexer no código dos daemons, nest caso o qmail-popup.
Na prática, o que vai acontecer é o estabelecimento de um túnel SSL entre o cliente de correio electrónico e o servidor. Dentro deste túnel SSL, vão passar os comandos normais do POP3 que o stunnel encaminha para o qmail-popup. Assim, a comunicação que passa na rede é segura.
Primeiro, é necessário criar uma chave SSL para o servidor:

# ./openssl req -new -x509 -days 365 -nodes -out imapd.pem -keyout imapd.pem || cleanup
# ./openssl gendh >> imapd.pem || cleanout
# ./openssl x509 -subject -dates -fingerprint -noout -in imapd.pem || cleanup

De seguida, instalar e configurar o stunnel (na instalação, são-me pedidos os dados para a criação de um certificado, mas é irrelevante, pois vai ser substituído pelo criado acima):

# ./configure --with-ssl=/usr/local/ssl
# make
# make install

# cp /usr/local/ssl/bin/imapd.pem /usr/local/etc/stunnel/stunnel.pem
# cd /usr/local/etc/stunnel/
# cp stunnel.conf-sample stunnel.conf

O ficheiro stunnel.conf deve ficar exactamente assim:

; Sample stunnel configuration file by Michal Trojnara 2002-2006
; Some options used here may not be adequate for your particular configuration
; Please make sure you understand them (especially the effect of chroot jail)

; Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
;key = /usr/local/etc/stunnel/mail.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

; Some security enhancements for UNIX systems - comment them out on Win32
#chroot = /usr/local/var/lib/stunnel/
#setuid = nobody
#setgid = nobody
; PID is created inside chroot jail
pid = /tmp/stunnel.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
;verify = 2
; Don't forget to c_rehash CApath
; CApath is located inside chroot jail
;CApath = /certs
; It's often easier to use CAfile
;CAfile = /usr/local/etc/stunnel/certs.pem
; Don't forget to c_rehash CRLpath
; CRLpath is located inside chroot jail
;CRLpath = /crls
; Alternatively you can use CRLfile
;CRLfile = /usr/local/etc/stunnel/crls.pem

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

exec = /var/qmail/bin/qmail-popup
execargs = qmail-popup 0 /usr/local/bin/checkpassword /var/qmail/bin/qmail-pop3d Maildir

transparent = yes
local = 192.168.0.101

; Use it for client mode
client = no

; Service-level configuration

#[pop3s]
#accept = 995
#connect = 110

#[imaps]
#accept = 993
#connect = 143

#[ssmtp]
#accept = 465
#connect = 25

;[https]
#;accept = 443
#;connect = 80
#;TIMEOUTclose = 0

; vim:ft=dosini

É necessário criar uma run file nova para o POP3/SSL:

#!/bin/sh
env - PATH="/usr/local/bin" \
setuidgid qmaill multilog t s2500000 /var/log/qmail/qmail-popups \
2>&1

Envio um e-mail primeiro:

# telnet planetgeek.dynip.sapo.pt 25
Trying 192.168.0.101...
Connected to planetgeek.dynip.sapo.pt (192.168.0.101).
Escape character is '^]'.
220 planetgeek.dynip.sapo.pt ESMTP
EHLO planetgeek.dynip.sapo.pt
250-planetgeek.dynip.sapo.pt
250-PIPELINING
250 8BITMIME
MAIL FROM: root@planetgeek.dynip.sapo.pt
250 ok
RCPT TO: teste@planetgeek.dynip.sapo.pt
250 ok
DATA
354 go ahead
Teste do POP3/SSL
.
250 ok 1187479718 qp 8456
QUIT
221 planetgeek.dynip.sapo.pt
Connection closed by foreign host.

Agora testo com o openssl (a porta do POP3/SSL é a 995):

# /usr/local/ssl/bin/openssl s_client -connect planetgeek.dynip.sapo.pt:995
CONNECTED(00000003)
depth=0 /C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
verify return:1
---
Certificate chain
0 s:/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
   i:/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDzjCCAzegAwIBAgIJAJa6WcKI1VROMA0GCSqGSIb3DQEBBQUAMIGhMQswCQYD
VQQGEwJwdDEPMA0GA1UECBMGQXZlaXJvMQ8wDQYDVQQHEwZJbGhhdm8xDTALBgNV
BAoTBEhvbWUxDjAMBgNVBAsTBURldmVsMSEwHwYDVQQDExhwbGFuZXRnZWVrLmR5
bmlwLnNhcG8ucHQxLjAsBgkqhkiG9w0BCQEWH2dhbWl0b0BwbGFuZXRnZWVrLmR5
bmlwLnNhcG8ucHQwHhcNMDcwODE4MjMwOTQwWhcNMDgwODE3MjMwOTQwWjCBoTEL
MAkGA1UEBhMCcHQxDzANBgNVBAgTBkF2ZWlybzEPMA0GA1UEBxMGSWxoYXZvMQ0w
CwYDVQQKEwRIb21lMQ4wDAYDVQQLEwVEZXZlbDEhMB8GA1UEAxMYcGxhbmV0Z2Vl
ay5keW5pcC5zYXBvLnB0MS4wLAYJKoZIhvcNAQkBFh9nYW1pdG9AcGxhbmV0Z2Vl
ay5keW5pcC5zYXBvLnB0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD1y9db
W0wJZScNQV0fCisBLRakDJWTioXgb5Kzr333ZsF/X8N5ktPEpVQ/3weRbT9RqYMQ
zHWTHyDBhQDQ5L4yoNeitmAXCfO129wDtw7qLlOm6THaktzHRLuWnS5bLWBBdnSn
ELyIQ/xCANGTcRvjKmIrA3WkvbAgkeMg0SjCFQIDAQABo4IBCjCCAQYwHQYDVR0O
BBYEFJVvEdEfiVb36m31qTJIpIPLlwQjMIHWBgNVHSMEgc4wgcuAFJVvEdEfiVb3
6m31qTJIpIPLlwQjoYGnpIGkMIGhMQswCQYDVQQGEwJwdDEPMA0GA1UECBMGQXZl
aXJvMQ8wDQYDVQQHEwZJbGhhdm8xDTALBgNVBAoTBEhvbWUxDjAMBgNVBAsTBURl
dmVsMSEwHwYDVQQDExhwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHQxLjAsBgkqhkiG
9w0BCQEWH2dhbWl0b0BwbGFuZXRnZWVrLmR5bmlwLnNhcG8ucHSCCQCWulnCiNVU
TjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAIiPOkLa6QPkk2VHmIas
jobvnczZNrA63ygoiSFbBDBtsq+UZOcaKBG1L9z1B2n1in5RcQ0ueWnKaymBw8XY
kANdRLqXy5Y0+/M9htFAiLWQGjbjqnNPrsZ531UBV+Hz+zda2FYZsyddiQEizKK2
d4KZwVEG3jpXFZ2GVRPBcGya
-----END CERTIFICATE-----
subject=/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
issuer=/C=pt/ST=Aveiro/L=Ilhavo/O=Home/OU=Devel/CN=planetgeek.dynip.sapo.pt/emailAddress=teste@planetgeek.dynip.sapo.pt
---
No client certificate CA names sent
---
SSL handshake has read 1140 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 7466A4FF1DCCEB905D40DDD0DE27F5162B82192ADE6A35B4309AB6A920F81EC5
    Session-ID-ctx:
    Master-Key: 2F48EBCFC4134C96571D61598A38AF35B31A6A1C14419484E57F924B16FD8C75B33685A9B3D35957188F2451F823DEF7
    Key-Arg   : None
    Start Time: 1187480851
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
+OK <8539.1187480851@0>
user teste
+OK
pass segredo
+OK
stat
+OK 1 293
list
+OK
1 293
.
retr 1
+OK
Return-Path: <root@planetgeek.dynip.sapo.pt>
Delivered-To: teste@planetgeek.dynip.sapo.pt
Received: (qmail 8456 invoked by uid 0); 18 Aug 2007 23:28:22 -0000
Received: from unknown (HELO planetgeek.dynip.sapo.pt) (192.168.0.101)
by 0 with SMTP; 18 Aug 2007 23:28:22 -0000
Teste do POP3/SSL

.
dele 1
+OK
quit
+OK
closed

Funga :)

Until next...