1

I have been fighting with the ancient GNU Mailutils 0.6 for quite a while now. I am supposed to set up the IMAP4d service from this version for an IT security exercise. I may not update the program, but I can configure it as I like.

So far, I managed to get the service working on my virtual machine but all the traffic is transferred in plaintext, including usernames and passwords. Of course, that's no good for security. It seems that Mailutils 0.6 already supports TLS so I'd like to enable it for the service. But I have no idea how to do that.

The only docs I have found for that version are the ones that come with the source code (from here). There is a chapter about encryption but it's not very helpful:

These options control TLS/SSL encryption in imap4d and pop3d daemons.

--ssl-cert {file}
This option specifies the file name of the server side SSL certificate (accepts PEM format).

--ssl-key {file}
This option specifies the file name of the server side private SSL key (accepts PEM format). The key must be protected with 0600 file permissions (u=rw,g=,o=), otherwise imap4d or pop3d daemons will refuse to support TLS/SSL encryption.

--ssl-cafile {file}
This option specifies a file containing the list of trusted CAs (PEM list) in order to verify client's certificates. This option is not required.

At least that tells me that there really is TLS support for IMAP4d. But not how to make use of it. I couldn't find anything else in the docs.

What I have done so far:

- downloaded the source, compiled and installed it

./configure --with-gnutls
make
make install

- created a config file mailutils.rc (I am not sure about the last line):

:mailbox --mail-spool /var/spool/mail
:logging --log-facility mail
imap4d --ssl-cert /root/CA/imap.cert.pem --ssl-key /root/CA/imap.key.pem

- configured inetd to start IMAP4d

50123    stream    nowait    root    /usr/local/sbin/imap4d    imap4d

It runs on the specified port, but obviously without using TLS. I tried connecting with openssl s_client

openssl s_client -connect 192.168.178.29:50123
CONNECTED(00000003)
5769:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:601:

I am pretty sure, I'm missing something. Anyone here who actually has some experience with such outdated software and could help me?

Thanks in advance!

Community
  • 1
j0ker
  • 173
  • 1
  • 6

1 Answers1

-1

For most common uses, setting up a secure link requires that the server have something to present to the client to identify itself. This requires a key, used for doing crypto math, and a certificate, which is public. The certificate contains information about the key, so that only a system with the key can prove to a client that it is authorised to use that cert, and it also contains information about the identity of the system, such as hostname. This information is then signed by "another" certificate, which is the "Issuer" in the relationship, and that issuer is known as a "Certificate Authority" (CA). Their cert should be (directly or indirectly) trusted by the clients. There's then a bunch of widely accepted CAs, accepted by most browsers and mail clients. You can bypass this step for testing with a self-signed certificate.

(This ignores cert-less operation and a whole bunch of less common modes; the above, using something called the X.509 PKI (Public Key Infrastructure) is by far the most common.)

So, at a minimum you generate a (PEM format) key and certificate and configure them in --ssl-key and --ssl-cert. You can also place the a whole bunch of CA certs together in a file, if you're going to require "client certificates", whereby both sides of the TLS session have to present certs.

Various sites will tell you how to create keys and certs; several years back I wrote: http://lopsa.org/SSLIntro

Phil P
  • 3,080
  • 1
  • 16
  • 19