SSL for IMAP, POP3, and SMTP

Postby Pugglewuggle » Tue Nov 04, 2008 10:06 pm

Hi,

I created a new self-signed certificate in AMS so I can have secure SMTP and IMAP sessions between our smartphones and roaming laptops when they're outside the network.

Testing from inside the network on both SMTP and IMAP (separately and together), I used default SSL ports in AMS and selected the certificate. I tried using implicit, explicit, and explicit SSL v 2/3 w/ TLS. I made sure Outlook had the right ports and SSL specified for the test account and I cannot get it to work in explicit SMTP mode.

Here's what I've tested so far and the results of the tests:

Worked IMAP explicit: 143 TLS
Worked IMAP implicit: 993 SSL
Worked POP3 explicit: no option in Outlook to test
Worked POP3 implicit: 995 SSL
Failed SMTP explicit: 25 TLS
Worked SMTP implicit: 465 SSL

I cannot seem to get explicit SMTP SSL working in any situation with any client. Here is the message I get kicked back from Outlook when trying SMTP port 25 with TLS:

Send test e-mail message: Your server does not support the connection encryption type you have specified. Try changing the encryption method. Contact your mail server administrator or Internet service provider (ISP) for additional assistance.


Also, when testing with Outlook Mobile on a Windows Mobile 6 smartphone, it appears that AMS will accept a regular non-encrypted IMAP connection even if the Use SSL boxes in AMS are checked. According to my firewall log, the phone is connecting straight to 143 and doesn't even try 993. I assume this means that WinMo Outlook must be used with Explicit? Is there a way to verify if that traffic is encrypted without doing a packet capture? Maybe in logs somewhere?

Also, why does the connection not fail if I have an encryption method enabled on the server and the phone doesn't connect using SSL? Is there a way to drop all connections if not encrypted OR just force SSL only (aka require SSL)? I understand this isn't an option for SMTP as it would block all incoming mails. For incoming mail servers though (POP and IMAP) I would think there should be a way to configure this in AMS. Is this the case?

Also, if I accept the certificate (it says there is an error - I assume this is because it's self-signed and not verified by a root CA - right?) Do you have any recommendations for a CN? Just make it whatever? Or should it match the host name being accessed (I suppose this doesn't matter since the cert is self-signed anyways).

Thanks in advance!
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: SSL for IMAP, POP3, and SMTP

Postby rob » Wed Nov 05, 2008 12:26 pm

I have just retested explicit SSL on the SMTP and it seems to work fine with my version of Outlook (2003). What may help is if you enable the option "Disable SSL 2 Support" in the General/Security options. I should note that explicit mode basically means that the client has the option of enabling the SSL if they choose to on the non-SSL port (this is called TLS). This means even though you may have enabled explicit SSL, the client may still choose to use unencrypted transmissions. As to the CN, you should indeed set this to the host domain of the server the SSL certificate will be hosted on, but generally the warning is purely about the certificate not being signed (the CN not matching the host address will also trigger this same error). Some clients give the option of installing the certificate and 'trusting' it from there on, avoiding the warning.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: SSL for IMAP, POP3, and SMTP

Postby Pugglewuggle » Wed Nov 05, 2008 6:10 pm

Hi Rob,

I did disable that and it still won't work. I'm using Outlook 2007 on my workstation to test, so I doubt there are any major differences in the way that works. Do you have any suggestions?

The reason I need explicit SSL is that the smartphones don't allow you to select a port - they automatically try for SSL.
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: SSL for IMAP, POP3, and SMTP

Postby rob » Thu Nov 06, 2008 11:05 am

It's possible that something is intercepting your SMTP connections, such as AV, Spam Filter, Firewall or even a router. Often such interceptions (Cisco routers are the most common) simplify the SMTP transfer and remove the extended options. This mainly is an issue for users trying to use SMTP Authentication but this would also affect TLS/Explicit SSL. May be worth looking into this, and also examining the logs to see if Outlook ever tries to initiate a TLS connection.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm
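
An added example, not part of the thread or of AMS: a Python check for the situation described in the post above, where something between client and server removes SMTP extended options so the client never sees STARTTLS. The two EHLO replies and the host name `mail.example.test` are constructed samples; `probe()` is a hypothetical helper for running the same check against a live server.

```python
import smtplib

# Constructed sample EHLO replies (not captured from AMS or any real server).
DIRECT_REPLY = (
    "250-mail.example.test Hello\r\n"
    "250-SIZE 20971520\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
FILTERED_REPLY = (
    "250-mail.example.test Hello\r\n"
    "250 HELP\r\n"
)

def parse_ehlo(reply):
    """Return {KEYWORD: params} from a multiline 250 EHLO reply (RFC 5321)."""
    extensions = {}
    lines = [l for l in reply.splitlines() if l.strip()]
    for index, line in enumerate(lines):
        code, sep, text = line[:3], line[3:4], line[4:].strip()
        if code != "250" or sep not in ("-", " ", ""):
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if index > 0:  # the first line is the greeting, not an extension
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
        if sep != "-":
            break  # "250 " (space instead of hyphen) marks the final line
    return extensions

def stripped_extensions(server_side, client_side):
    """Extensions the server offered that never reached the client."""
    return sorted(set(parse_ehlo(server_side)) - set(parse_ehlo(client_side)))

def probe(host, port=25, timeout=10):
    """Live check: is STARTTLS advertised, and does the upgrade complete?"""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "STARTTLS not advertised; session would stay in cleartext"
        smtp.starttls()  # raises if the TLS handshake fails
        smtp.ehlo()      # extensions must be requested again after the upgrade
        return "STARTTLS upgrade succeeded"

if __name__ == "__main__":
    print("seen by client:", sorted(parse_ehlo(FILTERED_REPLY)))
    print("removed in transit:", stripped_extensions(DIRECT_REPLY, FILTERED_REPLY))
```

Running `probe()` once from the mail server itself and once from the client machine shows whether the STARTTLS line is lost on the way.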

Re: SSL for IMAP, POP3, and SMTP

Postby Pugglewuggle » Fri Nov 07, 2008 10:21 am

Everything here where I'm testing is on the same subnet of a LAN with OS firewalls off... I don't think anything's blocking it.
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: SSL for IMAP, POP3, and SMTP

Postby rob » Fri Nov 07, 2008 11:10 am

The only thing extra I can think to suggest is that you try updating the SSL DLLs used by AMS. Basically the software uses OpenSSL to manage SSL connectivity, and so if there is a bug or incompatibility with the SSL methods, these may have been fixed in later versions that we provide. You should be able to obtain these files from openssl.org, and generally newer versions should work with our existing version. The 2 files that can be updated are ssleay32.dll and libeay32.dll.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: SSL for IMAP, POP3, and SMTP

Postby Pugglewuggle » Fri Nov 07, 2008 11:51 pm

I'll do that and let you know how it works out. Should I completely quit AMS before updating these?
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: SSL for IMAP, POP3, and SMTP

Postby rob » Mon Nov 10, 2008 11:17 am

Yeah, that's right, AMS needs to be closed down while patching the files. Good luck!
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

Re: SSL for IMAP, POP3, and SMTP

Postby Pugglewuggle » Wed Nov 12, 2008 8:41 pm

Hi,

Where do you find these files? I downloaded and compiled the new openSSL source and all I could find was libeay31.dll

ssleay32.dll wasn't there.
Pugglewuggle
 
Posts: 89
Joined: Thu Sep 20, 2007 6:38 pm

Re: SSL for IMAP, POP3, and SMTP

Postby rob » Thu Nov 13, 2008 11:08 am

If I remember correctly we obtained them from openssl.org, but a quick look seems to show they have removed the links to precompiled versions of the DLLs. I am sure using Google you should be able to find a secure place to download these files (a quick search didn't yield any results for myself I must be honest). In the meantime I have made a note for us to update these files ourselves but of course the soonest you could expect this would be the next regular maintenance update (due within the next couple of months). If you do obtain these files, I would recommend keeping a copy outside of the AMS installation folder because we do not change the SSL files, the old files will overwrite the new ones most likely on the next update.
rob
 
Posts: 415
Joined: Mon Sep 10, 2007 2:34 pm

