
Using UW IMAP and Xinetd For Dual SSL and Plaintext Support




First off, Pine rocks when it comes to reading mail quickly, particularly on a server where a GUI is not available. Second, it often doesn't come with GNU/Linux distributions anymore. I suppose part of the problem is that Pine includes its own IMAP server, which can cause problems if it coexists with one of the one-size-fits-all approaches to IMAP (cough, Cyrus). I often wish to set up webmail over SSL, yet still allow direct connections from a known location, like an office behind a NATed address, straight to the IMAPS server. Often the SSL cert is self-signed, since it is there simply to encrypt mail rather than for taking orders, and many webmail packages have problems with that. By using xinetd, I can control which hosts may connect to which service, and assign a separate binary to each service. UW IMAP works well for this. What we need is one IMAP binary with SSL support and one without. It appears at first glance that, since the version of Pine released in response to this vulnerability, imapd wants to refuse unencrypted plaintext logins whenever SSL is available. Besides all that, the binary is smaller without the SSL code. In this article we will compile Pine/IMAP both with SSL and without (plaintext only), and configure xinetd to provide plaintext IMAP locally and IMAPS for external clients.

We are compiling and configuring this on a CentOS / Red Hat 4 system. Grab the source and pass options on the build line that point at your SSL cert directory and the OpenSSL headers:

[pine4.64]# ./build SSLCERTS=/cpath/conf/ssl.crt/ SSLINCLUDE=/usr/include/openssl/ slx
make args are CC=cc  'SSLCERTS=/cpath/conf/ssl.crt/' 
'SSLINCLUDE=/usr/include/openssl/' slx
File /cpath/conf/ssl.crt//factory.pem is missing
This might indicate that CA certs did not get properly
installed.  If you get certificate validation failures
in Pine, this might be the reason for them.
Including SSL functionality
Making c-client library, imapd, and ipopd
.
.
.
Links to executables are in bin directory:
text    data     bss     dec     hex filename
3690194  290728  692280 4673202  474eb2 bin/pine
655356    8280    2752  666388   a2b14 bin/mtest
690604    8368   67476  766448   bb1f0 bin/imapd
201730    5208    2744  209682   33312 bin/pico
199385    5048    2776  207209   32969 bin/pilot
843131   12556    4428  860115   d1fd3 bin/rpdump
844995   12556    4428  861979   d271b bin/rpload
652844    8272    1724  662840   a1d38 bin/mailutil
650518    8276    2752  661546   a182a bin/ipop2d
655024    8272    1888  665184   a2660 bin/ipop3d
Done
[pine4.64]#
[pine4.64]# cd bin
[bin]# cp imapd /usr/sbin
[bin]#

We are using a self-signed SSL cert for Apache; the same certificate can be copied to imapd.pem, which imapd expects to find in the SSLCERTS directory given on the build line (the file holds the certificate followed by its private key). The certs aren't really different. Just replace /cpath, etc., with the path to your Apache certs. We also need a non-SSL version of imapd:

[pine4.64]#
[pine4.64]# make clean
./build clean
make args are CC=cc  clean
Cleaning c-client and imapd
make[1]: Entering directory `/usr/local/src/pine4.64/imap'
Removing old processed sources and binaries...
sh -c 'rm -rf an ua OSTYPE SPECIALS c-client mtest imapd ipopd mailutil 
.
.
.
[pine4.64]#
[pine4.64]# ./build SSLTYPE=none slx
make args are CC=cc  slx
Making c-client library, imapd, and ipopd
eval make CC=cc SSLTYPE=none SPECIALS= slx
make sslnone
make[1]: Entering directory `/usr/local/src/pine4.64/imap'
make[1]: `sslnone' is up to date.
make[1]: Leaving directory `/usr/local/src/pine4.64/imap'
Applying an process to sources...
tools/an "ln -s" src/c-client c-client
tools/an "ln -s" src/ansilib c-client
.
.
.
Links to executables are in bin directory:
text    data     bss     dec     hex filename
3681257  290448  692248 4663953  472a91 bin/pine
646166    8032    2720  656918   a0616 bin/mtest
681446    8088   67444  756978   b8cf2 bin/imapd
201730    5208    2744  209682   33312 bin/pico
199385    5048    2776  207209   32969 bin/pilot
833898   12276    4396  850570   cfa8a bin/rpdump
835794   12276    4396  852466   d01f2 bin/rpload
643686    7992    1692  653370   9f83a bin/mailutil
641332    7996    2720  652048   9f310 bin/ipop2d
645834    7992    1856  655682   a0142 bin/ipop3d
Done
[pine4.64]# cp bin/imapd /usr/sbin/imapdnossl

Set up xinetd with two services, imaps and imap, each handed to a different binary:

[root@imaptest ~]# tail -n 6 /etc/xinetd.d/imaps
server                  = /usr/sbin/imapd
log_on_success  += HOST DURATION
log_on_failure  += HOST
disable                 = no 
only_from               = 66.44.55.1 
}
[root@imaptest ~]# 
[root@imaptest ~]# tail -n 6 /etc/xinetd.d/imap
server                  = /usr/sbin/imapdnossl
log_on_success  += HOST DURATION
log_on_failure  += HOST
disable                 = no
only_from               = 127.0.0.1
}
[root@imaptest ~]#

The only_from line is the key here. 66.44.55.1 is the NATed office address whose regular email clients connect over SSL, and 127.0.0.1 is for the webmail program, which authenticates in plaintext. Note that you should only do this with a webmail app that itself runs over SSL: configure SSL for Apache, and only allow the webmail app to be reached via https://blah. Restart xinetd:

[root@imaptest ~]# /etc/init.d/xinetd restart
Stopping xinetd:                                           [  OK  ]
Starting xinetd:                                           [  OK  ]
[root@imaptest ~]#
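For reference, here are both xinetd service definitions written out in full. This is an added example rather than the article's own files, which are shown above only from the server line down; the leading attributes (socket_type, wait, user) are the standard ones for a stream service run as root, assumed here, and the bind line on the plaintext service is an extra beyond the article that keeps xinetd from listening for port 143 on any interface but loopback.

```conf
# /etc/xinetd.d/imap -- plaintext IMAP, loopback only, for the webmail app
service imap
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapdnossl
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
        only_from       = 127.0.0.1
        bind            = 127.0.0.1     # extra: do not even listen externally
}

# /etc/xinetd.d/imaps -- IMAP over SSL, only from the office NAT address
service imaps
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
        disable         = no
        only_from       = 66.44.55.1
}
```

only_from filters on the peer address after the connection arrives; bind decides which address xinetd listens on in the first place. Using both on the plaintext service means a mistake in only_from cannot expose port 143 to the network.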

Here are the IMAP settings we use for SquirrelMail:

IMAP Settings
--------------
4.  IMAP Server            : localhost
5.  IMAP Port              : 143
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : false
8.  Server software        : uw

Check /var/log/maillog to make sure that when you read mail from the web and from a remote client, xinetd runs the right binary for each:

Jan 13 17:06:14 main imapdnossl[11728]: imap service init from 127.0.0.1
Jan 13 17:06:14 main imapdnossl[11728]: Login user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:14 main imapdnossl[11728]: Logout user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:54 main imapd[11734]: imaps SSL service init from 66.44.55.1
Jan 13 17:06:54 main imapd[11734]: Login user=mailuser host=[66.44.55.1]
Jan 13 17:06:54 main imapd[11734]: Logout user=mailuser host=[66.44.55.1]
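The eyeball check above can be turned into a script. The following is an added example, not part of the article: it parses maillog records of the shape shown above, groups them by imapd PID, and reports any session where the binary does not match the service, the peer is outside the only_from list, or a plaintext IMAP login came from anything but loopback. The sample log is constructed (the first six records mirror the article's, re-joined onto single lines; the last two are made up to show a violation), and the POLICY table and the 203.0.113.9 address are assumptions for the demonstration.

```python
import re
from ipaddress import ip_address

# Constructed sample of /var/log/maillog lines, modelled on the article's
# excerpt (one record per line). The last two lines are constructed to show a
# violation: a plaintext session reaching imapdnossl from a non-loopback peer.
SAMPLE_MAILLOG = """\
Jan 13 17:06:14 main imapdnossl[11728]: imap service init from 127.0.0.1
Jan 13 17:06:14 main imapdnossl[11728]: Login user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:14 main imapdnossl[11728]: Logout user=sslmail host=localhost.localdomain [127.0.0.1]
Jan 13 17:06:54 main imapd[11734]: imaps SSL service init from 66.44.55.1
Jan 13 17:06:54 main imapd[11734]: Login user=mailuser host=[66.44.55.1]
Jan 13 17:06:54 main imapd[11734]: Logout user=mailuser host=[66.44.55.1]
Jan 13 17:09:02 main imapdnossl[11790]: imap service init from 203.0.113.9
Jan 13 17:09:02 main imapdnossl[11790]: Login user=mailuser host=[203.0.113.9]
"""

# Expected binary and allowed peers per xinetd service (assumed here), mirroring
# the server= and only_from= lines of /etc/xinetd.d/imap and /etc/xinetd.d/imaps.
POLICY = {
    "imap":  {"binary": "imapdnossl", "only_from": {"127.0.0.1"}},
    "imaps": {"binary": "imapd",      "only_from": {"66.44.55.1"}},
}

# syslog prefix: timestamp, host, program name and PID
PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<binary>\w+)\[(?P<pid>\d+)\]: "
# "imap service init from A.B.C.D" or "imaps SSL service init from A.B.C.D"
INIT_RE = re.compile(PREFIX + r"(?P<service>imaps?) (?:SSL )?service init from (?P<peer>[\d.]+)\s*$")
# "Login user=NAME host=... [A.B.C.D]"
LOGIN_RE = re.compile(PREFIX + r"Login user=(?P<user>\S+)\s+host=.*\[(?P<peer>[\d.]+)\]")


def parse_sessions(log_text):
    """Group maillog records by imapd PID: which service was answered, by
    which binary, from which peer, and which user logged in."""
    sessions = {}
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            sessions[m["pid"]] = {"service": m["service"], "binary": m["binary"],
                                  "peer": m["peer"], "user": None}
            continue
        m = LOGIN_RE.match(line)
        if m and m["pid"] in sessions:
            sessions[m["pid"]]["user"] = m["user"]
    return sessions


def audit_sessions(sessions, policy=POLICY):
    """Return one finding per session that does not match the xinetd policy:
    wrong binary for the service, peer outside only_from, or a plaintext
    IMAP login from anything other than the loopback interface."""
    findings = []
    for pid, s in sessions.items():
        want = policy[s["service"]]
        if s["binary"] != want["binary"]:
            findings.append(f"pid {pid}: {s['service']} answered by {s['binary']}, "
                            f"expected {want['binary']}")
        if s["peer"] not in want["only_from"]:
            findings.append(f"pid {pid}: {s['service']} session from {s['peer']} "
                            f"is outside only_from {sorted(want['only_from'])}")
        if s["service"] == "imap" and not ip_address(s["peer"]).is_loopback:
            findings.append(f"pid {pid}: plaintext IMAP login by {s['user']} "
                            f"from non-loopback peer {s['peer']}")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SAMPLE_MAILLOG)):
        print(finding)
```

With only_from in place, xinetd refuses the connection before imapdnossl ever runs, so a plaintext session from a non-loopback peer in the real log means the xinetd change did not take effect or port 143 is reachable some other way; run the audit against the live maillog after the restart and again periodically.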





This article comes from NetAdminTools:
http://www.netadmintools.com/

The URL for this story is:
http://www.netadmintools.com/art497.html

Copyright 1997-2008 NetAdminTools.com.