Koozali.org: home of the SME Server

Secure IMAP and POP3

8stargen

« on: October 20, 2004, 10:17:14 AM »
I've installed the Secure email contrib from pagefault. However, when I enable public access for both these services it doesn't open up the port for external access! Do I have to manually forward the ports?

I am running SME 6.01

Cheers,
Tim

NickR

« Reply #1 on: October 20, 2004, 09:30:36 PM »
How have you determined that the ports aren't open?  Try running this command:

# iptables -L | grep pop3s

I get this on my working secure email server:

ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3s

If you do too, then you need to look at your router settings.
--
Nick......

8stargen

« Reply #2 on: October 24, 2004, 05:10:36 AM »
Ok, I checked the IPTables as you suggested, and the port turns out to be open. Checked the router. No problem there. So I logged in via SSH and tried
telnet localhost 143
Worked fine. So then I tried
telnet localhost 993
And it returned
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Which is the same message I get when trying to log in via imaps from my workstation. Surprise surprise!

This suggests to me that the correct process isn't running or something. I'm using SME 6.01 and have installed the latest RPMs from pagefault. Why is it doing this? Could it be conflicting with another package I have installed? Are there any known conflicts?

Cheers,  :-D

8stargen

« Reply #3 on: October 24, 2004, 05:18:57 AM »
Seems that ssl-imap wasn't running. Isn't the process supposed to be enabled when public / private access is switched on via the web panel?
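
Added example, not part of any post in this thread: a small Python check that separates the two layers the posts above test by hand, the firewall rule (`iptables -L`) and the listening daemon (`telnet localhost 993`). The rule listing is a constructed sample in the format of the line quoted in Reply #1; the function names and result strings are made up for this illustration.

```python
import re
import socket

# Constructed sample in the format of the `iptables -L` line quoted in Reply #1.
SAMPLE_RULES = """\
denylog    tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3s
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:imaps
"""

def firewall_targets(listing):
    """Map each tcp destination service to the target of its first rule."""
    targets = {}
    for line in listing.splitlines():
        m = re.match(r"(\S+)\s+tcp\s.*\bdpt:(\S+)", line)
        if m:
            targets.setdefault(m.group(2), m.group(1))  # first match wins
    return targets

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'listening', 'refused' or 'no-answer'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "listening"
    except ConnectionRefusedError:
        return "refused"       # host answered with a reset: nothing is listening
    except OSError:
        return "no-answer"     # timeout or unreachable: dropped somewhere on the path
    finally:
        sock.close()

def diagnose(target, state):
    """Combine the firewall rule target with the probe result."""
    if state == "listening":
        return "ok" if target == "ACCEPT" else "listening, but no ACCEPT rule"
    if state == "refused" and target == "ACCEPT":
        return "firewall open, daemon not running"
    return "not reachable"

if __name__ == "__main__":
    rules = firewall_targets(SAMPLE_RULES)
    for name, port in (("imap", 143), ("imaps", 993)):
        state = probe("127.0.0.1", port)
        print(name, port, state, "->", diagnose(rules.get(name), state))
```

An ACCEPT rule combined with a refused connection is the situation described in Reply #2: the port is open in the firewall but no daemon is bound to it.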

NickR

« Reply #4 on: October 24, 2004, 09:44:27 AM »
You have actually turned the service on in the "Secure e-mail settings" web-panel, haven't you?
--
Nick......

8stargen

« Reply #5 on: October 24, 2004, 12:38:37 PM »
Yes! I have set it to public access.
Logging in to the shell and running
/etc/init.d/ssl-imapd start
gets everything working perfectly, why isn't the web panel doing this for me though??

NickR

« Reply #6 on: October 24, 2004, 01:26:19 PM »
Dunno - what does running this give you?

# /sbin/e-smith/config show ssl-imap
--
Nick......

mrjhb3

« Reply #7 on: October 26, 2004, 05:18:49 AM »
I too began playing with this tonight.  I have installed this on a fresh 6.01-01 server.  Here is what I am experiencing.  Upon initial install and configuration, the SSL portions seem to be started.  (I will reload and test this again)  Afterwards, if you change to disable and save, it doesn't stop the services.  465, 993 and 995 are still listening.  If you turn them on for either private or public, 110 and 143 are still listening.  My take was that if I enabled these services, then 143 and 110 should be stopped and 993 and 995 should listen.  If I turn them off, 993 and 995 should stop and 110 and 143 should listen.  The same for ssmtp either 25 and 465 should listen or just 465 depending on the choices.

Have I mis-understood how this should be working?

Thanks,

JB
......

NickR

« Reply #8 on: October 26, 2004, 09:20:07 AM »
You are mis-understanding their purpose. They are there to augment the existing services, not to replace them.  You would typically use the secure services when away from your server & connecting over the internet.  It doesn't make much sense to force all the users to use secure services on the LAN just because 1 user needs secure external access, does it?

If you turned off SMTP on port 25, how would any mail get delivered to your server from the outside world?
--
Nick......

mrjhb3

« Reply #9 on: October 26, 2004, 02:06:45 PM »
Turning off 25, that was just me being stupid last night.  Maybe too much :pint: during the game.

So, if I am understanding what you are telling me, the only thing that really tells me if this is working, is if I configure my client to use the secure ports and it works.  I say that because the unsecured ports are still open and I can still connect to them as well.  So this may just be a mindset thing on my end and a mis-understanding of how this is/was supposed to work.

But, there is still the issue with setting the services to disabled and the services not being shutdown.

I'll do more testing.

Thanks for your response NickR,

JB
......

NickR

« Reply #10 on: October 26, 2004, 05:42:08 PM »
Quote from: "mrjhb3"
So, if I am understanding what you are telling me, the only thing that really tells me if this is working, is if I configure my client to use the secure ports and it works.  I say that because the unsecured ports are still open and I can still connect to them as well.  So this may just be a mindset thing on my end and a mis-understanding of how this is/was supposed to work.
JB


I suspect that you aren't testing the external POP3 & IMAP ports correctly.  By default they are not open to the world, only the LAN.  If you grep iptables for pop3 or imap you'll see that they should be denylog'd & only their secure versions are ACCEPT.
--
Nick......

mrjhb3

« Reply #11 on: October 27, 2004, 04:38:59 AM »
But, I believe I am testing it correctly and seeing what I am seeing.

From my system, here are the settings:
[root@test601 /]# /sbin/e-smith/config show ssl-imap
ssl-imap=service
    access=public
    status=enabled
[root@test601 /]# /sbin/e-smith/config show ssl-popd
ssl-popd=service
    access=public
    status=enabled
[root@test601 /]#    
ssl-smtpfront-qmail=service
    access=public
    authentication=enabled
    status=enabled

[root@test601 etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination        

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

[root@test601 etc]# more e-smith-release
SME Server 6.0.1-01

Therein lies the problem.  You have something in your iptables and I don't.  Is your install on a 6.0.1-01 release?

I will now check why the iptables info isn't getting updated.

JB
......

NickR

« Reply #12 on: October 27, 2004, 10:08:40 AM »
Quote from: "mrjhb3"

Therein lies the problem.  You have something in your iptables and I don't.  Is your install on a 6.0.1-01 release?
JB


Your iptables is completely hosed unless you are running SME as server only. You are running server gateway, right?

Yes, mine is 6.01-01.
--
Nick......