Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 24 Dec 2002 19:21:11 +0300
From: Solar Designer <solar@...nwall.com>
To: popa3d-users@...ts.openwall.com,
	James Olsen <jamesml@...netolsen.com>
Subject: Re: Question about using popa3d and stunnel

On Mon, Dec 23, 2002 at 12:10:55PM -0600, James Olsen wrote:
> SD> Well, someone might be able to help you if you posted your
> SD> configuration (both server and client).
> 
> Sorry :) Here is the info:
> 
> Output of "stunnel -V":
> stunnel 4.03 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6h  5 Dec 2002

Is it possible to build stunnel without pthreads these days?  If so,
I'd recommend everyone to do so.

> I'm using version 0.5.1 of popa3d (latest stable release). I don't
> know what has been changed/implemented in any of the stable or the
> development releases, there doesn't seem to be any kind of change-log
> or revision history on the openwall.com website or in the tarballs.
> :(

popa3d change logs are now only available in the Owl package, or you
may get them from the Owl CVS or in the FTP'able Owl source tree.

But I understand the need for change logs in the portable popa3d
package.  Your vote counted.

There have been no changes relevant to the problem you're seeing,
though.

> Here is my configuration file I use when starting stunnel:
> 
> =======================
> cert=/usr/local/ssl/stunnel.pem
> debug=debug
> output=/usr/local/ssl/stunnel.out
> setgid=unpriv
> setuid=unpriv
> 
> [pop3s]
> #protocol=pop3
> accept=995
> exec=/usr/local/sbin/popa3d
> execargs=popa3d
> =======================

Looks reasonable at first glace, but as I've never dealt with a
version of stunnel this recent I can't know if it's right.

Is it still possible to have *inetd accept connections, then start
stunnel and have it start popa3d?  This would be slower, but likely
more reliable.

> Given the above configuration, I get the following message in the
> logs:
> 
> =======================
> Dec 23 10:22:18 www popa3d[22756]: chroot: Permission denied
> =======================
> 
> popa3d is trying to chroot to /var/empty (the default, which is
> compiled into the program)

Hmm.  If stunnel starts popa3d as the "unprivileged" user, then that
is wrong.  What it should be doing is a sequence like:

1. Start up as root.
2. fork/exec popa3d.
3. Drop to the "unprivileged" user and do all the SSL work, passing
data over sockets and pipes.

Of course, this is likely not compatible with threads.  I hope they
at least do the right thing when built without pthreads?

> I'm "newbie" enough I'm not sure how to set this up to work properly
> as an unprivileged user. But /var/empty I believe is supposed to be
> read/writable only by root if I read the popa3d documentation
> properly.

That's correct.

> Doesn't this rule out running stunnel as an unprivileged user?

No.  It works here (patched ancient stunnel), see above.

> But, in the meantime, to make sure the rest of my configuration is
> okay I am temporarily letting it run as root (fire it up, test, shut
> it down). And when doing so, the permission denied error goes away and
> then I'm faced with this message:

> 2002.12.23 10:52:54 LOG6[23970:1026]: Local mode child started (PID=23971)
> 2002.12.23 10:52:54 LOG7[23970:1026]: Remote FD=10 initialized
> 2002.12.23 10:52:54 LOG7[23970:1026]: SSL socket closed on SSL_read

Well, something wrong happens at this stage and it's not seen in the
log what exactly that is.

Maybe strace -fF it all?

> My email client is TheBat, which natively supports TLS connections to
> port 995 (also STARTTLS on port 110) and supports four authentication methods:
> 
> Regular, MSN (NTLM), MD5 APOP challenge/response (RFC-1734), and MD5
> CRAM-HMAC challenge/response (RFC-2095).
> 
> By default, I'm using "regular", which works just fine with regular
> POP3.

I think it should work.

> I also tried MSN (NTLM) just to see if it worked, and it failed
> as well.

It shouldn't work.

> I'm fairly certain that TheBat will still attempt to
> authenticate - I believe something else has failed and because of that
> failure the connection terminates before authentication takes place
> and that is why I'm getting a "didn't attempt authentication"
> messages.

That's right.  It seems that stunnel doesn't pass all of the data
to/from popa3d.

> I'm willing to try a different email client (that is known to work
> with stunnel/popa3d) to rule out my email client as the problem if
> anyone has any suggestions on what would be good one(s) to try.

I know people are using Outlook Express with this.

> I've also tried using the "protocol=pop3" configuration in the stunnel
> config file, but then I get this series of messages in the logs:

I don't know what this means for current stunnel.  Maybe STLS?  Then
it should be on port 110, not 995.

-- 
/sd

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.