Message-ID: <29515774624.20021223121055@planetolsen.com>
Date: Mon, 23 Dec 2002 12:10:55 -0600
From: James Olsen <jamesml@...netolsen.com>
To: popa3d-users@...ts.openwall.com
Subject: Re[2]: Question about using popa3d and stunnel

Hello Solar,

Thank you for your very quick reply!

SD> All I can say is that people are using popa3d with stunnel and it
SD> works.

SD> The setup that we use at work is based around a patched ancient
SD> version of stunnel, so I am unable to post a sample configuration
SD> myself, but I hope someone else will.

SD> Also, a Google search for "stunnel popa3d" gives pointers to quite a
SD> few other mailing list discussions on this topic, some with sample
SD> configurations.

I've found some references to pop3d and stunnel, but they all seem to use older versions of stunnel that relied heavily on command-line options. Even the stunnel.org website (granted, not officially part of stunnel) documentation and examples are for older versions of stunnel. The newest version has minimal command-line options and instead has the configuration in a text file. I've tried to translate the examples I've seen for the new configuration, but I've not done something right.

SD> It's a really good idea to have stunnel running as a dedicated
SD> pseudo-user (I don't know if this still requires patching, it used
SD> to). There have been numerous security holes discovered in both
SD> stunnel itself and in OpenSSL that it uses.

I attempted to run it as an unprivileged user/group but ran into permission problems (see logs below). However, the service is only up for testing for brief periods of time and will ultimately run as an unprivileged user/group once all these issues are worked out. I wonder how problems running stunnel as a regular user/group may be a problem, since popa3d wants to do its own setuid and setgid and chroot.

SD> Well, someone might be able to help you if you posted your
SD> configuration (both server and client).
Sorry :) Here is the info:

Output of "stunnel -V":

stunnel 4.03 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6h 5 Dec 2002

Output of "uname -a":

Linux planetolsen 2.4.18 #2 Wed Sep 11 18:12:03 CDT 2002 i686 unknown

libc version (I must confess, I'm not sure if this is right): /lib/libc-2.2.5.so

Output of "gcc -v":

gcc version 2.95.3 20010315 (release)

I'm using version 0.5.1 of popa3d (latest stable release). I don't know what has been changed/implemented in any of the stable or the development releases; there doesn't seem to be any kind of change-log or revision history on the openwall.com website or in the tarballs. :(

Here is the configuration file I use when starting stunnel:

=======================
cert=/usr/local/ssl/stunnel.pem
debug=debug
output=/usr/local/ssl/stunnel.out
setgid=unpriv
setuid=unpriv

[pop3s]
#protocol=pop3
accept=995
exec=/usr/local/sbin/popa3d
execargs=popa3d
=======================

Given the above configuration, I get the following message in the logs:

=======================
Dec 23 10:22:18 www popa3d[22756]: chroot: Permission denied
=======================

popa3d is trying to chroot to /var/empty (the default, which is compiled into the program). I'm "newbie" enough that I'm not sure how to set this up to work properly as an unprivileged user. But /var/empty, I believe, is supposed to be read/writable only by root, if I read the popa3d documentation properly. Doesn't this rule out running stunnel as an unprivileged user?

But, in the meantime, to make sure the rest of my configuration is okay, I am temporarily letting it run as root (fire it up, test, shut it down).
And when doing so, the permission denied error goes away, and then I'm faced with this message:

=======================
2002.12.23 10:52:54 LOG7[23964:1024]: pop3s accepted FD=5 from 207.56.32.235:3646
2002.12.23 10:52:54 LOG7[23964:1024]: FD 5 in non-blocking mode
2002.12.23 10:52:54 LOG7[23970:1026]: pop3s started
2002.12.23 10:52:54 LOG5[23970:1026]: pop3s connected from 207.56.32.235:3646
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): before/accept initialization
2002.12.23 10:52:54 LOG7[23970:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:52:54 LOG7[23970:1026]: waitforsocket: ok
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 read client hello A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 write server hello A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 write certificate A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 write server done A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 flush data
2002.12.23 10:52:54 LOG7[23970:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:52:54 LOG7[23970:1026]: waitforsocket: ok
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 read client key exchange A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 read finished A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 write change cipher spec A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 write finished A
2002.12.23 10:52:54 LOG7[23970:1026]: SSL state (accept): SSLv3 flush data
2002.12.23 10:52:54 LOG7[23970:1026]: 1 items in the session cache
2002.12.23 10:52:54 LOG7[23970:1026]: 0 client connects (SSL_connect())
2002.12.23 10:52:54 LOG7[23970:1026]: 0 client connects that finished
2002.12.23 10:52:54 LOG7[23970:1026]: 0 client renegotiatations requested
2002.12.23 10:52:54 LOG7[23970:1026]: 1 server connects (SSL_accept())
2002.12.23 10:52:54 LOG7[23970:1026]: 1 server connects that finished
2002.12.23 10:52:54 LOG7[23970:1026]: 0 server renegotiatiations requested
2002.12.23 10:52:54 LOG7[23970:1026]: 0 session cache hits
2002.12.23 10:52:54 LOG7[23970:1026]: 0 session cache misses
2002.12.23 10:52:54 LOG7[23970:1026]: 0 session cache timeouts
2002.12.23 10:52:54 LOG6[23970:1026]: Negotiated ciphers: DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
2002.12.23 10:52:54 LOG6[23970:1026]: Local mode child started (PID=23971)
2002.12.23 10:52:54 LOG7[23970:1026]: Remote FD=10 initialized
2002.12.23 10:52:54 LOG7[23970:1026]: SSL socket closed on SSL_read
2002.12.23 10:52:54 LOG5[23970:1026]: Connection closed: 5 bytes sent to SSL, 0 bytes sent to socket
2002.12.23 10:52:54 LOG7[23970:1026]: pop3s finished (0 left)
Dec 23 10:52:54 www popa3d[23971]: Didn't attempt authentication
=======================

My email client is TheBat, which natively supports TLS connections to port 995 (and also STARTTLS on port 110) and supports four authentication methods: Regular, MSN (NTLM), MD5 APOP challenge/response (RFC-1734), and MD5 CRAM-HMAC challenge/response (RFC-2095). By default I'm using "regular", which works just fine with regular POP3. I also tried MSN (NTLM) just to see if it worked, and it failed as well. I'm fairly certain that TheBat will still attempt to authenticate; I believe something else has failed, and because of that failure the connection terminates before authentication takes place, and that is why I'm getting a "didn't attempt authentication" message. I'm willing to try a different email client (one that is known to work with stunnel/popa3d) to rule out my email client as the problem, if anyone has suggestions on what would be good one(s) to try.
I've also tried using the "protocol=pop3" configuration in the stunnel config file, but then I get this series of messages in the logs:

=======================
2002.12.23 10:33:53 LOG7[22920:1024]: pop3s accepted FD=5 from 207.56.32.235:3621
2002.12.23 10:33:53 LOG7[22920:1024]: FD 5 in non-blocking mode
2002.12.23 10:33:53 LOG7[22922:1026]: pop3s started
2002.12.23 10:33:53 LOG5[22922:1026]: pop3s connected from 207.56.32.235:3621
2002.12.23 10:33:53 LOG6[22922:1026]: Local mode child started (PID=22923)
2002.12.23 10:33:53 LOG7[22922:1026]: Remote FD=10 initialized
2002.12.23 10:33:53 LOG7[22922:1026]: Negotiations for pop3(server side) started
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=10, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=10, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=10, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=10, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=10, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: <- +OK.
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=write
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: -> +OK. + stunnel..
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: FD=5, DIR=read
2002.12.23 10:33:53 LOG7[22922:1026]: waitforsocket: ok
2002.12.23 10:33:53 LOG7[22922:1026]: <- ...
2002.12.23 10:33:53 LOG3[22922:1026]: Client does not want TLS
2002.12.23 10:33:53 LOG3[22922:1026]: Protocol negotiations failed
2002.12.23 10:33:53 LOG7[22922:1026]: pop3s finished (-1 left)
=======================

Thanks in advance for everyone's help... It is greatly appreciated!

--James
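The two log excerpts in the message above show two separate problems, and the following added example (my own code, written for this page; it is not part of the original message and not stunnel's or popa3d's code) shows how a practitioner would tell them apart from the logs and why the second one happens. The "chroot: Permission denied" line appears because chroot(2) needs root, and popa3d performs its own chroot and only then drops privileges, so starting it already unprivileged through stunnel's setuid=/setgid= cannot work. The "Client does not want TLS" line appears because protocol=pop3 is stunnel's STARTTLS mode: it reads the client's first plaintext POP3 command and upgrades only on STLS, whereas a pop3s client connecting to port 995 sends a TLS ClientHello as its very first bytes. The rule table, the sample log lines (copied from the message and trimmed), the simplified STLS gate and the ClientHello prefix are all constructions of this example.

```python
import re

# Constructed sample: lines copied from the mailing-list message above and trimmed.
SAMPLE_LOG = """\
Dec 23 10:22:18 www popa3d[22756]: chroot: Permission denied
2002.12.23 10:52:54 LOG5[23970:1026]: Connection closed: 5 bytes sent to SSL, 0 bytes sent to socket
Dec 23 10:52:54 www popa3d[23971]: Didn't attempt authentication
2002.12.23 10:33:53 LOG3[22922:1026]: Client does not want TLS
2002.12.23 10:33:53 LOG3[22922:1026]: Protocol negotiations failed
"""

# (pattern, finding, what to check). The rule table is this example's own construction.
RULES = [
    (re.compile(r"popa3d\[\d+\]: chroot: Permission denied"),
     "privilege",
     "chroot(2) needs root; popa3d does its own chroot and then drops privileges, "
     "so stunnel must not setuid/setgid to an unprivileged user before exec= popa3d"),
    (re.compile(r"LOG3\[[\d:]+\]: Client does not want TLS"),
     "protocol-mismatch",
     "protocol=pop3 is STARTTLS (STLS) mode on a plaintext port; a pop3s client on 995 "
     "opens with a TLS ClientHello, so drop protocol=pop3 when using accept=995"),
    (re.compile(r"popa3d\[\d+\]: Didn't attempt authentication"),
     "closed-before-auth",
     "the client hung up right after the greeting; check the client side, e.g. whether it "
     "accepted the server certificate, before suspecting the authentication method"),
]


def diagnose(log_text: str) -> list:
    """Return (finding, advice) tuples for every log line that matches a rule, in log order."""
    findings = []
    for line in log_text.splitlines():
        for pattern, finding, advice in RULES:
            if pattern.search(line):
                findings.append((finding, advice))
    return findings


def looks_like_tls_record(first_bytes: bytes) -> bool:
    """A TLS record starts with a content-type byte (0x16 = Handshake) followed by a
    0x03,0x0X protocol version; a POP3 command starts with printable ASCII."""
    return (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04)


def stls_gate(client_first_line: bytes) -> tuple:
    """Simplified server-side STLS negotiator in the spirit of stunnel's protocol=pop3 mode:
    read the client's first plaintext command and start TLS only after 'STLS'.
    Unlike stunnel, it names the ClientHello case explicitly so the mismatch is obvious."""
    if looks_like_tls_record(client_first_line):
        return ("reject", "Client does not want TLS (it sent a TLS ClientHello to a plaintext STLS port)")
    if client_first_line.strip().upper() == b"STLS":
        return ("upgrade", "+OK Begin TLS negotiation")
    return ("reject", "Client does not want TLS")


# Constructed first bytes of a TLS 1.0 ClientHello record (what a pop3s client sends first).
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x01"


if __name__ == "__main__":
    for finding, advice in diagnose(SAMPLE_LOG):
        print(f"{finding:20s} {advice}")
    for first in (b"STLS\r\n", b"USER james\r\n", CLIENT_HELLO_PREFIX):
        print(first[:8], "->", stls_gate(first))
```

Running the script over the sample lines reports the privilege problem, the closed-before-auth hang-up and the protocol mismatch in that order; the gate accepts a plaintext STLS, rejects a plain USER, and rejects the ClientHello prefix, which is the byte sequence the "<- ..." line in the second log was trying to read as a POP3 command.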