STARTTLS support over non SSL connection


Post by zespri » 1 Jul 2011, 06:42

Hello,

does Spamihilator support TLS connections over the non-SSL ports 143/110 by using the STARTTLS/STLS commands?

I was not able to find this option; am I missing something?

In Thunderbird, if I specify STARTTLS I'm getting "Unable to establish TLS connection to POP3 server." The connection comes through all right if not using Spamihilator. The port is standard (110).

Thanks,
Andrew

Post by Quellcore » 1 Jul 2011, 11:21

Hello zespri!

When it comes to SSL/TLS, setting up Spami is a little bit tricky.

In a nutshell:
Once Spami sits in the communication chain the SSL/TLS settings in your mailclient only apply for the local connection to Spami and NOT for the connection between Spami and the actual Mailserver.

It's usually perfectly safe to disable SSL/TLS for the connection with Spami since it's only local.
The SSL/TLS settings for the connection between Spami and the actual mailserver can be changed/viewed within Spami:
http://wiki.spamihilator.com/doku.php?i ... figconnssl
Usually you don't have to mess with them, during the first connection with the mailserver Spami automatically tries to establish SSL/TLS if available.

Regards,
Quellcore
CPU:Intel Core i7-2700K Processor (@ 45*100 = 4500 MHz)
Board:ASRock P67 Extreme4 Gen3
Ram: 16GB G.SKILL Ripjaws X Series (4 x 4GB) DDR3 2133 (Timings 10-10-10-28 2T @ 1866 MHz)
SSD: Samsung 128GB 2.5-inch SSD 830 Series (Desktop)
HDD-1: WD Caviar® SE16 640 GB, SATA2, 16 MB Cache, 7200 RPM
HDD-2: SAMSUNG EcoGreen F4 ST2000DL004 2TB 32MB Cache
Graphic: ATI Radeon HD 5850 ASUS EAH5850/G/2DIS/1GD5

Win 7 Ultimate 64-Bit / ESET NOD32 Antivirus 8.0 / Firefox 34 / Thunderbird 31
Spamihilator 1.6.0

Post by zespri » 1 Jul 2011, 11:39

Hello Quellcore,

I had studied the wiki page you linked thoroughly before posting my question, unfortunately it did not help me.

>>Once Spami sits in the communication chain the SSL/TLS settings in your mailclient only apply for the local connection to Spami and NOT for the connection between Spami and the actual Mailserver

This is understandable; however, there surely should be a way to control TLS between Spami and the actual mail server.

>>It's usually perfectly safe to disable SSL/TLS for the connection with Spami since it's only local.
I have no problem with that as long as it works. You see, if I disable TLS in the mail client, Spami does not know to send the STLS command to the server to start the TLS session, and this is my problem.

>>The SSL/TLS settings for the connection between Spami and the actual mailserver can be changed/viewed within Spami. Usually you don't have to mess with them, during the first connection with the mailserver Spami automatically tries to establish SSL/TLS if available.

Quellcore, as you might know there are two distinct ways a connection can occur between a mail client and a server via SSL/TLS:
1) You connect to an SSL port (995) with a secure TLS session from the get-go
2) You connect to a non-SSL port (110) with an unsecured connection first, and then you convert your connection to a secure TLS connection by issuing the STLS command to the POP3 server. This still happens via the original port (110).

My problem here is that the server I'm connecting to does NOT support the SSL port, but does REQUIRE a TLS session via the non-SSL port. When sent CAPA it returns the STLS capability among all the others and does not accept credentials unless STLS has been started.

I can't find an option, among those you point out, that allows my mail client to connect via Spami and satisfy the requirement outlined above.

Spami supports TLS connections from the get-go, via an SSL port, but as far as I can tell it does not support the STLS command on a normal (non-SSL) session to start a TLS session on a non-SSL port.
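As an added worked example (not code from this thread, from Spamihilator, or from its author), here are the two connection modes zespri describes, implemented with Python's standard poplib, together with a small CAPA parser and the decision a client, or a STARTTLS-aware filtering proxy, has to make before it is allowed to send credentials. It also illustrates the point made throughout the thread: since the proxy needs the plaintext on the local leg, it must itself perform the STLS step on the upstream leg. The host name and account are placeholders, and the two CAPA samples are constructed; the first mirrors the capability list shown in the client log later in this thread.

```python
"""POP3 over TLS, the two ways a client (or a STARTTLS-aware proxy) can do it:

  implicit: connect to 995 and the very first byte is already TLS (POP3S)
  stls:     connect to 110 in plaintext, check CAPA for STLS, send STLS,
            then upgrade the *same* TCP connection to TLS (RFC 2595)

Credentials must only ever be sent after one of these has happened.
"""
import poplib
import ssl

# Constructed sample: the capability list a proxy that does not speak STLS
# hands to its local client (no STLS line). It mirrors the client log in
# this thread.
PROXY_CAPA = [b"TOP", b"USER", b"SASL PLAIN", b"UIDL",
              b"IMPLEMENTATION Spamihilator0.9.9.53", b"."]
# Constructed sample: a server that offers STLS on port 110.
SERVER_CAPA = [b"TOP", b"USER", b"STLS", b"UIDL", b"PIPELINING", b"."]


def parse_capa(lines):
    """Parse the body of a CAPA reply (RFC 2449): one capability per line,
    optional arguments separated by spaces, terminated by a lone '.'."""
    caps = {}
    for raw in lines:
        line = raw.decode("ascii", "replace").strip()
        if not line or line == ".":
            continue
        name, *args = line.split()
        caps[name.upper()] = args
    return caps


def choose_tls_mode(port, caps, require_tls=True):
    """Decide how to secure the session from the port and the CAPA result.

    Returns "implicit" for the dedicated TLS port, "stls" when the server
    advertises STLS on a plaintext port, "plaintext" only when the caller has
    explicitly allowed it, and raises when TLS is required but unavailable.
    The last case is the thread's situation: the real server offers STLS and
    refuses USER/PASS before it, but a proxy in between never sends STLS and
    never advertises it to the client.
    """
    if port == 995:
        return "implicit"
    if "STLS" in caps:
        return "stls"
    if require_tls:
        raise RuntimeError("TLS required but no STLS advertised on port %d" % port)
    return "plaintext"


def pop3_stat(host, user, password, port=110, timeout=30):
    """Open the mailbox over TLS (either mode) and return (message count, size).

    Talks to a live server, so it is not exercised offline. Host and account
    passed by the caller are assumed placeholders.
    """
    ctx = ssl.create_default_context()          # verifies chain and host name
    if port == 995:
        conn = poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
    else:
        conn = poplib.POP3(host, port, timeout=timeout)
        mode = choose_tls_mode(port, conn.capa())  # poplib returns the same dict shape
        if mode == "stls":
            conn.stls(context=ctx)               # TLS handshake on the existing socket
            # RFC 2595: discard capabilities seen before TLS, they were unauthenticated
            conn.capa()
    try:
        conn.user(user)                          # only now, over an encrypted channel
        conn.pass_(password)
        return conn.stat()
    finally:
        conn.quit()


if __name__ == "__main__":
    # Assumed placeholder host and credentials; adjust for a real server.
    print(pop3_stat("mail.example.invalid", "andrew", "secret"))
```

To check what the real server offers independently of the proxy, `openssl s_client -starttls pop3 -connect host:110` performs exactly the CAPA/STLS upgrade above and prints the certificate it received.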

Post by Quellcore » 1 Jul 2011, 17:28

Hello zespri!

I'm not familiar with the different SSL/TLS implementations, but Spami supports SSL/TLS on any port.

You can change SSL/TLS behaviour for each "known host" within Spami:
http://wiki.spamihilator.com/doku.php?id=en:configconnssl
Just enable "Automatically enable SSL/TLS if available" and check or change the entry in the "Known hosts" list.
Known hosts... wrote: Allows you to manually specify which mail servers support SSL/TLS and which do not.

Regards,
Quellcore

Post by zespri » 1 Jul 2011, 21:54

Hello Quellcore,

>>You can change SSL/TLS behaviour for each "known host" within Spami. Just enable "Automatically enable SSL/TLS if available" and check or change the entry in the "Known hosts" list.

yes, I did also play with these settings and it seems that if you do check the "Secure connection over TLS/SSL" box for a particular host, it tries to establish the TLS session with it over the specified port (POP3S, not POP3) from the start, and fails because the server listens on POP3, not POP3S. If you don't check the check box, it does connect on POP3, but the server rejects authentication, since it's sent before switching to STLS.

I could find no way to make spami to connect with POP3 (not POP3S) first, and then use STLS to establish TLS session.

>>Spami supports SSL/TLS on any port.
Well, I understand that, in the respect that any port number can be used. This is true. What I can't seem to get to work is establishing a secure connection over the non-secure POP3 (not POP3S) port.

>>I'm not familiar with the different SSL/TLS implementations
Do you know if anyone can help me here, as my question seems to come down to how this is implemented in Spami specifically? I'd like to talk to someone who understands the difference between establishing a secure session via POP3S from the start, and establishing a non-secure session via POP3 and then switching to secure mode with the STLS command.

Quellcore, if you could get the right person to have a look at my problem, I'd be forever grateful, and I do appreciate the time you spent on answering me.

Post by Quellcore » 1 Jul 2011, 22:15

Hello zespri!

The only person who can explain Spami's implementation of the SSL/TLS feature is the one and only author of Spami, Michel Kraemer.
He is very busy right now and is not visiting the forum on a daily basis these days; something called "real life" is preventing him from being around more often.
You can try to send him a PM, but please do not get offended if you do not get an answer right away.

I do believe that you might have found a bug or at least a missing feature. ;-)

Just to get this straight:
Does STARTTLS equal STLS?

Regards,
Quellcore

Post by zespri » 1 Jul 2011, 22:28

Quellcore wrote: Just to get this straight:
Does STARTTLS equal STLS?

It's called STARTTLS in IMAP and it's called STLS in POP3. But what they do is essentially the same.

I had a friend who had a severe case of "real life" too, so I know how that can be. Thank you for pointing me at Michel's direction. And thank you again for all your help.

Post by zespri » 2 Jul 2011, 06:09

I just wrote the following PM to Michel. I'm posting the text here for reference if someone has the same problem:

Hello Michel,

I was recommended to write to you in this thread:

viewtopic.php?f=22&t=8542

My problem is as follows. The mail server I want to connect to does not support an SSL/TLS port, but does require a TLS connection for authentication. Normally this is accomplished by a STARTTLS/STLS command from the client to the server, after connecting on the non-SSL port.

I can't get Spamihilator to work under these conditions. It works perfectly over the SSL port, when the connection is started with TLS from the beginning, but it does not seem to be able to relay the STARTTLS/STLS command from the client or issue this command itself to convert a non-secure session to a secure one.

When connecting to my POP3 mail server and issuing the CAPA command, I see that the STLS capability is returned. However, in the SERVER.LOG it does not seem that Spamihilator issues the CAPA command at all. CLIENT.LOG shows that the mail client does issue CAPA, and Spamihilator replies to it without listing the STLS capability. As a result the client refuses to connect, as I specify STARTTLS in the mail client options.

This is the client log:
Client Log started at: 2/07/2011 - 17:05:49
17:05:49 S: +OK Spamihilator 0.9.9.53 ready
17:05:49 C: CAPA
17:05:49 S: +OK These are my capabilities
17:05:49 S: TOP
17:05:49 S: USER
17:05:49 S: SASL PLAIN
17:05:49 S: UIDL
17:05:49 S: IMPLEMENTATION Spamihilator0.9.9.53
17:05:49 S: .

In the server log there is nothing for this time interval, so I'm assuming that the client does not receive the STLS capability and refuses to continue, as I specified the STARTTLS option.

Could you please advise if there is a way to make Spamihilator work under the described scenario.

Post by Quellcore » 3 Jul 2011, 15:34

Hello zespri!

Again,
Thunderbird's settings regarding a secure connection only apply to the local connection between Thunderbird and Spami, so changing this to StartTLS won't help you.
What you need/want is a setting within Spami to enable StartTLS for a specific Server.

Something like this: (I put this together out of Screenshots from Spami and Thunderbird)
SSL-TLS.png (attached screenshot mock-up)

Regards,
Quellcore

Post by Quellcore » 4 Jul 2011, 16:27

Hello zespri!

The important log is the server.log which is logging the communication between Spami and the Mailserver. While Spami is running the logs are being written to temp files in the same folders. When you end Spami the content of the temp logs will be added to the server.log and client.log.

Also, if you have an Admin-Account for this Server, would you be able to provide a test account for me? I would like to play with it if possible.


Regards,
Quellcore

Post by Quellcore » 4 Jul 2011, 19:43

Hello zespri!

I don't know why I didn't try to search in this forum earlier, but I finally did and found an answer from Michel from 2007:
This is the thread: http://www.spamihilator.com/forum/viewtopic.php?p=41408#p41408
And here is his answer in German, which translates to "unfortunately STARTTLS is not supported in Spami":
michel wrote: Spamihilator unterstützt STARTTLS bei POP3 leider nicht. (Unfortunately, Spamihilator does not support STARTTLS with POP3.)

Looking into the ChangeLog for changes to SSL/TLS functionality didn't reveal anything related to STARTTLS, so this four-year-old answer might still apply.

I would still like to try it, though.
An account for testing would still be appreciated.


Regards,
Quellcore

Post by zespri » 5 Jul 2011, 06:44

Quellcore,

thank you for taking an interest in this case. It's a bit disheartening that STARTTLS is not supported, and given that the latest release of Spami happened more than a year and a half ago, I understand there is quite a slim chance of this being implemented.

Unfortunately, I can't provide you with a test account as it's a workplace mail server I'm trying to deal with. I can try to replicate the setup on my home machine, but it will take some time and will be quite inconvenient for you, because I can't guarantee that my home machine is always online. In addition, it does not have a static IP.

As to some other points you have touched:

- RE: server.log - I'm well aware of this one; in the test scenario that I'm describing the communication does not get as far as the server. The client refuses to connect as Spami does not list the STLS capability to it, so it never gets to the server and hence never reaches server.log.
- RE: screenshot - yes something like this would have been nice, but we don't have it, do we?

Post by Quellcore » 10 Jul 2011, 16:35

Hello zespri!
zespri wrote: ...given that the latest release of Spami happened more than a year and a half ago, I understand there is quite a slim chance of this being implemented.

Right now 0.9.9.58 Beta (Non-Public), compiled on February 6th, 2011, is being tested, so there is some progress being made.
Of course it would be nice to see faster development, but as I mentioned before, the author Michel is extremely busy right now, so we have to have patience.
zespri wrote: Unfortunately, I can't provide you with a test account as it's a workplace mail server I'm trying to deal with. I can try to replicate the setup on my home machine, but it will take some time and will be quite inconvenient for you, because I can't guarantee that my home machine is always online. In addition, it does not have a static IP.

No problem, very understandable; don't bother trying to replicate it on your own machine, this will very likely be too much work.
I tried to simulate the same setup in my virtual machine with a mail server called "Hamster Classic", but I had trouble getting the SSL settings to work. It does offer STARTTLS, though.
zespri wrote: - RE: screenshot - yes something like this would have been nice, but we don't have it, do we?

This would be what you need!
You should NOT set STARTTLS in your mail client. Even if Spami supported StartTLS for the connection to the actual server, enabling this in the mail client would NOT trigger StartTLS for the connection between Spami and the server but only request TLS between your mail client and Spami.

btw:
All the mail servers that I have come across (not that many btw ;-) ) support StartTLS as an option beside the regular SSL/TLS connection on port 995/993.
You should definitely try a regular secure SSL/TLS connection on the usual ports 995/993 if you have not tried it yet.

Regards,
Quellcore

Post by zespri » 11 Jul 2011, 09:49

Quellcore wrote: Hello zespri!
Right now 0.9.9.58 Beta (Non-Public), compiled on February 6th, 2011, is being tested, so there is some progress being made.

This gives some hope.
Quellcore wrote: but I had trouble getting the SSL settings to work.

Yep, this could be tricky. In my setup the real certs are used, not self-signed ones, and I guess they are a bit more straightforward to set up.

Quellcore wrote: You should NOT set STARTTLS in your mail client. Even if Spami supported StartTLS for the connection to the actual server, enabling this in the mail client would NOT trigger StartTLS for the connection between Spami and the server but only request TLS between your mail client and Spami.

This is most expected, since it seems more logical to maintain just one secure connection (between Spami and the mail server), rather than two (plus one between Spami and the mail client). There is no obvious gain from a secure session between Spami and the mail client, as most of the time it's local anyway. There is also no point in "tunnelling" the whole thing via a secure connection from mail client to Spami to mail server, because this way the raw (deciphered) data would not be available mid-stream, where Spami sits. So what you are saying makes the most sense.

Quellcore wrote: You should definitely try a regular secure SSL/TLS connection on the usual ports 995/993 if you have not tried it yet.

Unfortunately the server is not configured to listen on these ports; they are trying to "reduce attack surface", whatever this means. It can be configured this way but it is not.

Once again, thank you for your time and input on my problem.
Ok, let me try out my German-fu: Vielen Dank für Ihre Mühe. (Thank you very much for your trouble.)