22 Jan
22 Jan
3:22 p.m.
Am 22.01.2013 15:56, schrieb Theodotos Andreou:
Any idea what I am missing?
Linebreaks! :)
Why do you want to have TLS on port 995 at all?
$ openssl s_client -connect pop.example.com:995
Unless you use "-starttls pop3", this will always try to negotiate an
explicit SSL session.
My guess is that you want
$ openssl s_client -connect pop.example.com:110 -starttls pop3
and
$ openssl s_client -connect pop.example.com:995
to succeed?
24 Jan
24 Jan
6:26 a.m.
On 01/22/2013 05:22 PM, Matthias Hunstock wrote:
To get an idea of our setup. There is a dovecot backend which is
configured to accept cleartext connections. We want perdition to accept
TLS only connections and talk to dovecot in cleartext. Is this possible?
Why does ssl_listen works and tls_listen isn't?
> ______________________________________________
> Perdition-users mailing list
> Perdition-users(a)vergenet.net
> http://lists.vergenet.net/listinfo/perdition-users
>
Am 22.01.2013 15:56, schrieb Theodotos Andreou:
Sorry about that! Some really ugly bug in my test setup! :P
Any idea what I am missing?
Linebreaks! :)
Why do you want to have TLS on port 995 at all?
> $ openssl s_client -connect pop.example.com:995
Isn't port 995 assigned to
pop3s? I am using this because we want to
exclude unecrypted connections
Unless you use "-starttls pop3", this will always try to negotiate an
explicit SSL session.
That's the point we want SSL (TLS actualy) only sessions.
STARTTLS
implies that the connection starts unecrypted and then you request to be
encrypted using STARTTLS. This will allow users to use the connection
unecrypted if they choose not to use STARTTLS. Right?
My guess is that you want
$ openssl s_client -connect pop.example.com:110 -starttls pop3
We do not want this
as this will allow unencrypted connections.
and
$ openssl s_client -connect pop.example.com:995
to succeed?
We do want this but allow only TLS (not SSLv2 or SSLv3)
9:15 a.m.
Am 24.01.2013 07:26, schrieb Theodotos Andreou:
Yes, it is.
> $ openssl
s_client -connect pop.example.com:995
Isn't port 995 assigned to pop3s? I am
using this because we want to
exclude unecrypted connections That's the point we want SSL (TLS actualy) only
sessions. STARTTLS
implies that the connection starts unecrypted and then you request to be
encrypted using STARTTLS. This will allow users to use the connection
unecrypted if they choose not to use STARTTLS. Right?
We do want this but allow only TLS (not SSLv2 or
SSLv3)
Ah ok. So there was a confusion of TLS and STARTTLS. You meant TLS as
successor of SSLv3. In my opinion, all options in perdition being named
something with "tls" refer to STARTTLS.
To get an idea of our setup. There is a dovecot
backend which is
configured to accept cleartext connections. We want perdition to accept
TLS only connections and talk to dovecot in cleartext. Is this possible?
To forbid SSLv2 and SSLv3 you should have a look at the option
ssl_listen_ciphers and [1]. Alternatively, to be sure, you could change
the used crypto library, e.g. compile it without support for SSLv2/3.
[1] http://www.openssl.org/docs/apps/ciphers.html
9:45 a.m.
Thanks for the support Mathias.
I will try that.
On 01/24/2013 11:15 AM, Matthias Hunstock wrote:
Am 24.01.2013 07:26, schrieb Theodotos Andreou:
Yes, it is.
<html>
<body>
<img src="http://new.cut.ac.cy/images/environmentalSign.gif"/>
</body>
</html>
> $
openssl s_client -connect pop.example.com:995
Isn't port 995 assigned to pop3s?
I am using this because we want to
exclude unecrypted connections That's the point we want SSL (TLS actualy)
only sessions. STARTTLS
implies that the connection starts unecrypted and then you request to be
encrypted using STARTTLS. This will allow users to use the connection
unecrypted if they choose not to use STARTTLS. Right?
We do want this but allow only TLS (not SSLv2 or SSLv3)
Ah ok. So there was a
confusion of TLS and STARTTLS. You meant TLS as
successor of SSLv3. In my opinion, all options in perdition being named
something with "tls" refer to STARTTLS.
To get an idea of our setup. There is a dovecot
backend which is
configured to accept cleartext connections. We want perdition to accept
TLS only connections and talk to dovecot in cleartext. Is this possible?
To forbid SSLv2 and SSLv3 you should have a look at the option
ssl_listen_ciphers and [1]. Alternatively, to be sure, you could change
the used crypto library, e.g. compile it without support for SSLv2/3.
[1] http://www.openssl.org/docs/apps/ciphers.html
9:47 a.m.
On Thu, Jan 24, 2013 at 08:26:21AM +0200, Theodotos Andreou wrote:
To get an idea of our setup. There is a dovecot
backend which is
configured to accept cleartext connections. We want perdition to accept
TLS only connections and talk to dovecot in cleartext. Is this possible?
We have a similar setup. Here our settings:
Port 110:
protocol POP3
ssl_mode tls_listen,tls_listen_force
Port 995:
protocol POP3S
outgoing_port 110
ssl_mode ssl_listen
HTH,
Andreas
--
! Andreas Jobs Network Operation Center !
! Ruhr-Universitaet Bochum !
! The only way to clean a compromised system is to flatten and rebuild. !
4111
days inactive
4113
days old
5 comments
5 participants
participants (5)
-
Andreas Jobs -
Matthias Hunstock -
Theodotos Andreou -
Theodotos Andreou -
Theodotos Andreou