Spamihilator

[zespri]

Hello,

does Spamihilator support TLS connections over non-SSL 143/110 port by using STARTTLS/STLS commands?

I was not able to find this option am I missing something?

In Thunderbird, if I specify STARTTLS I'm getting "Unable to establish TLS connection to POP3 server." The connection coming thought all right if not using Spamihilator. Port is standard (110).

Danke,
Andrew

[Quellcore]

Hello zespri!

When it comes to SSL/TLS setting up Spami is a liitle bit tricky.

In a nutshell:
Once Spami sits in the communication chain the SSL/TLS settings in your mailclient only apply for the local connection to Spami and NOT for the connection between Spami and the actual Mailserver.

It's usually perfectly safe to disable SSL/TLS for the connection with Spami since it's only local.
The SSL/TLS settings for the connection between Spami and the actual mailserver can be changed/viewed within Spami:
http://wiki.spamihilator.com/doku.php?i ... figconnssl
Usually you don't have to mess with them, during the first connection with the mailserver Spami automatically tries to establish SSL/TLS if available.

Regards,
Quellcore

[zespri]

Hello Quellcore,

I had studied the wiki page you linked thoroughly before posting my question, unfortunately it did not help me.

>>Once Spami sits in the communication chain the SSL/TLS settings in your mailclient only apply for the local connection to Spami and NOT for the connection between Spami and the actual Mailserver

This is understandable, however there surely should be away to control TLS between Spami and the actual Mailserver

>>It's usually perfectly safe to disable SSL/TLS for the connection with Spami since it's only local.
I have no problem with that as long as it works. You see, if I disable TSL in the mailclient, Spami does not know to send STLS command to the server to start the TSL session, and this is my problem.

>>The SSL/TLS settings for the connection between Spami and the actual mailserver can be changed/viewed within Spami. Usually you don't have to mess with them, during the first connection with the mailserver Spami automatically tries to establish SSL/TLS if available.

Quellcore, as you might know there are two distinct ways a connection can occur between a mailclient and a server via SSL/TLS:
1) You connect to a SSL port (995) with a secure TLS session from the get-go
2) You connect to a non-ssl port (110) with unsecured connection first, and then you convert your connection to secure TSL connection by issuing STLS command to the POP3 server. This still happens via original port (110).

My problem here is that the server I'm connecting to does NOT support the ssl-port, but does REQUIRE a TSL session via non ssl-port. When sent CAPA it returns STLS capability among all and does not accept credentials unless STLS started.

I can't find an option, among those, that you point out, that allow my mail client to connect via Spami, to satisfy the requirement outlined above.

Spami supports TSL connections from the get-go, via an ssl port, but as far as I can tell it does not support the STSL command on a normal (non-ssl) session to start a TSL session on non-ssl port.

[Quellcore]

[zespri]

Hello Quellcore,

>>You can change SSL/TLS behaviour for each "known host" within Spami. Just enable "Automatically enable SSL/TLS if available" and check or change the entry in the "Known hosts" list.

yes, I did also play with this settings and it seems, that if you do check "Secure connection over TSL/SSL" button for a particular host it tries to establish the TSL session with it over specified port (POP3S, not POP3)form the start, and fails because the server listent on POP3, not POP3S. If you don't check the check box, it does connect on POP3, but the server reject authentication, since it's sent before switching to STLS.

I could find no way to make spami to connect with POP3 (not POP3S) first, and then use STLS to establish TLS session.

>>Spami supports SSL/TLS on any port.
Well, I understand that, in the respect that any port number can be used. This is true. What I can't seem get to work is to establish secure connection over non-secure POP3 (not POP3S) port.

>>I'm not familiar with the different SSL/TLS implementations
Do you know if anyone can help me here, as my question seems to be down to how this is implemented in Spami specifically? I'd like to talk to someone who understand the difference in establishing secure session via POP3S from the start, and establishing non secure session via POP3 and the switching to secure mode with STLS command.

Quellcore, if you could get the right person to have a look at my problem, I'd be forever grateful, and I do appreciate the time you spent on answering me.

[Quellcore]

Hello zespri!

The only person who can explain Spami's implementation of the SSL/TLS feature is the one and only author of Spami,
He is very busy right now and is not visiting the forum on a daily basis these days, something called like "real life" is preventing him from being around more often these days.
You can try to send him a PN, but please do not get offended if you would not get an answer right away.

I do believe that you might have found a bug or at least a missing feature .

Just to get this straight:
Does STARTTLS equal STLS

Regards,
Quellcore

[zespri]

[zespri]

I just wrote the following PM to Michel. I'm posting the text here for reference if someone has the same problem:

Hello Michel,

I was recommended to write to you in this thread:

viewtopic.php?f=22&t=8542

My problem is as follow. The mail server I want to connect to does not support SSL/TLS port, but does require TLS connection, for authentication. Normally it's accomplished buy STARTTLS/STLS command from the client to server, after connecting on non-SSL port.

I can't get Spamihilator to work under this conditions. It works perfectly over SSL port, when connection started with TSL from the beginning, but it does not seem to be able to relay STARTTLS/STLS command from the client or issue this command itself to convert non secure session to secure.

When connecting to my mail POP3 server and issuing CAPA command, I see that STLS capability is returned. However in the SERVER.LOG it does not seem that Spamihilator issues the CAPA command at all. CLIENT.LOG shows that the mail client does issue CAPA, and spamihilator replies to it without listing STSL capability. As the result the client refuses to connect, as I specify STARTTSL in the mail client options.

This is the client log:
Client Log started at: 2/07/2011 - 17:05:49
17:05:49 S: +OK Spamihilator 0.9.9.53 ready
17:05:49 C: CAPA
17:05:49 S: +OK These are my capabilities
17:05:49 S: TOP
17:05:49 S: USER
17:05:49 S: SASL PLAIN
17:05:49 S: UIDL
17:05:49 S: IMPLEMENTATION Spamihilator0.9.9.53
17:05:49 S: .

In the server log there is nothing for this time interval, so I'm assuming that the client does not receive STSL CAPA and refuses to continue, as I specified STARTTSL option.

Could you please advise if there is a way to make Spamihilator work under the described scenario.

[Quellcore]

Hello zespri!

Again,
Thunderbird's settings regarding a secure connection only apply to the local connection between Thunderbird and Spami, so changing this to StartTLS won't help you.
What you need/want is a setting within Spami to enable StartTLS for a specific Server.

Something like this: (I put this together out of Screenshots from Spami and Thunderbird)

SSL-TLS.png (50.24 KiB) 9566-mal betrachtet

Regards,
Quellcore

[Quellcore]

Hello zespri!

The important log is the server.log which is logging the communication between Spami and the Mailserver. While Spami is running the logs are being written to temp files in the same folders. When you end Spami the content of the temp logs will be added to the server.log and client.log.

Also, if you have an Admin-Account for this Server, would you be able to provide a test account for me? I would like to play with it if possible.


Regards,
Quellcore

[Quellcore]

[zespri]

Quellcore,

thank you for taking interest in this case. It's a bit disheartening, that STARTTLS is not supported, and given that the latest release of Spami happened more than year and half ago, I understand there is quite slim chance of this being implemented.

Unfortunately, I can't provide you with a test account as it's a workplace mail server I'm trying to deal with. I can try to replicate the setup on my home machine, but it will take some time and will be quite inconvenient for you, because I can't guaranty that my home machine is always online. In addition, it does not have static IP.

As to some other points you have touched:

- RE: server.log - I'm well aware of this one, in the test scenario that I'm describing the communication does not get as far as server. The client refuses to connect as Spami does not list STLS capability to it, so it never gets to the server and hence to server.log
- RE: screenshot - yes something like this would have been nice, but we don't have it, do we?

[Quellcore]

[zespri]