Mailing List Archive

Does qmail-pop3s supports multiple SSL certificates?
Hello Team,
My query is:
Does qmail-pop3s support multiple SSL certificates?
Details:
Current setup:
1. We have multiple mail servers on which we use qmail for mail delivery.
2. Each server is hosting multiple different domains for multiple clients.
3. Each server works individually.
4. End users are using the qmail-pop service to fetch mails from the server and the qmail-smtp service to send mails.
5. Each client uses their own URL to connect to the server.
For example Mithi Software will use mailxf.mithi.com, which is pointing to one of our mail servers.
Requirement:
I want to enable the qmail-pop3s service for end users so that they can connect to the server over a secure channel.
Challenge:
As per my knowledge the qmail-pop3s service accepts only a single SSL certificate. As we have multiple clients hosted on a single server and each client provides their own certificate, I want to use all these different SSL certificates so that all clients can access the POPS service.
Expected Result:
All our clients should be able to access the qmail-pop3s service over a secure channel with their separate URLs (CN in SSL certificates).
best regards
Yugendra Khonde
System Support Engineer
Mithi SkyConnect Kaizen team
Mithi Software Technologies
Disclaimer : This mail is meant only for intended recipients. Please discard the mail if you are not an intended recipient.


______________________________________________________________________________

This email is sent via the Mithi SkyConnect cloud service
and has been scrubbed for your protection by SecureMX.
For more information visit http://securemx.in and http:mithi.com
______________________________________________________________________________
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hello Yugendra,

this is not possible at all due to the way SSL works. The mail server
does not have any idea of what domain the user has entered into his mail
client and therefore is not able to choose an appropriate certificate.

The best choice would be to create a single certificate with so-called
"subject alternative names". This should be accepted by the majority of
mail clients out there.

The other option would require to set up one qmail-pop3s process per
domain, which will include the burden to have an individual IP address
for each domain.

best regards

Oliver

Am 01.08.2014 um 08:33 schrieb Yugendra Khonde:
> Hello Team,
>
> *My query is:*
> Does qmail-pop3s supports multiple SSL certificates?
>
> *Details:*
> *Current setup:*
> 1. We have multiple mail servers on which we use qmail for mail delivery.
> 2. Each server is hosting multiple different domains for multiple clients.
> 3. Each server works individually.
> 4. End users are using qmail-pop service to fetch mails from server and
> qmail-smtp service to send mails.
> 5. Each client uses their own URL to connect to the server.
> For example Mithi Software will use mailxf.mithi.com which is pointing
> to one of our mail servers.
>
> *Requirement:*
> I want to enable qmail-pop3s service for end user so that they can
> connect to server over secure channel.
>
> *Challenge:*
> As per my knowledge qmail-pop3s service accepts only single SSL
> certificate. As we have multiple clients hosted on single server and
> each client provides their own certificate. I want to use all
> these different SSL certificates so that all clients can access POPS service.
>
> *Expected Result:*
> All our clients should be able to access qmail-pop3s service over secure
> channel with their separate URLs (CN in SSL certificates).
>
> best regards
> *Yugendra Khonde
> System Support Engineer
> Mithi SkyConnect Kaizen team*
> Mithi Software Technologies
> This email has been sent via the Mithi SkyConnect cloud service
> <http://www.mithi.com/solutions-cloudemail-mithiskyconnect.html> based
> on Mithi's Connect Xf platform
> <http://www.mithi.com/product-overview.html> and has been scrubbed for
> your protection by SecureMX <http://securemx.in/>.
> Disclaimer : This mail is meant only for intended recipients. Please
> discard the mail if you are not an intended recipient.


--
Protect your environment - close windows and adopt a penguin!
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi Yugendra,

--On 1. August 2014 12:03:38 +0530 Yugendra Khonde <yugendra@mithi.com>
wrote:

> Hello Team,
>
> My query is:
> Does qmail-pop3s supports multiple SSL certificates?

Stock qmail (and in particular qmail-pop3s) is not SSL-aware, thus you have
to use a patch.

Two SSL patches exist for qmail:

- Eric Vermeulen's patch.
- Scott Gifford's and my approach as part of the spamcontrol patch +
UCSPI-SSL.

I can only speak about Scott's and my enhancements.


> Details:
> Current setup:
> 1. We have multiple mail servers on which we use qmail for mail delivery.
> 2. Each server is hosting multiple different domains for multiple clients.
> 3. Each server works individually.
> 4. End users are using qmail-pop service to fetch mails from server and
> qmail-smtp service to send mails.
> 5. Each client uses their own URL to connect to the server.
> For example Mithi Software will use mailxf.mithi.com which is pointing to
> one of our mail servers.
>
> Requirement:
> I want to enable qmail-pop3s service for end user so that they can
> connect to server over secure channel.


This sounds reasonable.

> Challenge:
> As per my knowledge qmail-pop3s service accepts only single SSL
> certificate.

I don't know what you mean by 'qmail-pop3s'. Typically you have qmail-popup
and qmail-pop3d, which need to be SSL-enabled.
Each instance (identified by IP and port) may provide its own X.509 cert
+ keyfile.

> As we have multiple clients hosted on single server and each
> client provides their own certificate.

Hm. What do you mean by that? What is a client in that respect?

> I want to use all these different
> SSL certificates so that all clients can access POPS service.

As I said, an X.509 cert is bound to a service, identified by IP and port.
(POP3) Clients typically don't have certs.

In my solution for qmail-pop3d you can do the following:

a) setup qmail-pop3d to support STLS either optional or mandatory.
b) setup qmail-pop3d on POP3S port requiring SSL encryption directly.
c) setup qmail-pop3d to provide different certs triggered per connection
(from sslserver's cdb).

Please have a look at:

<http://www.fehcom.de/qmail/spamcontrol/README_spamcontrol.html#Qmail-pop3d>

and

<http://www.fehcom.de/qmail/smtptls.html>


> Expected Result:
> All our clients should be able to access qmail-pop3s service over secure
> channel with their separate URLs (CN in SSL certificates).

It seems you would like to deploy X.509 client certs.
This is very untypical for POP3, but frequently used for SMTP.
I'm not aware of POP3 clients supporting this.
Another open question is how authentication is done in this case.

In short: My UCSPI-SSL solution + Spamcontrol supports X.509 client certs
even for POP3 services, however it will require a standard POP3 authentication
anyway.

Best regards.
--eh.


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
>> As we have multiple clients hosted on single server and each
>> client provides their own certificate.
>
> Hm. What do you mean by that? What is a client in that respect?
>
>> I want to use all these different
>> SSL certificates so that all clients can access POPS service.

If I understood correctly, he would like to use something like Apache SNI
( http://en.wikipedia.org/wiki/Server_Name_Indication ) but for POP/IMAP
clients.

Regards
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi,

--On 1. August 2014 10:19:42 +0200 Ivan Lotina <lotke@lotke.com> wrote:


> If i understood correctly, he would like to use something like apache SNI
> ( http://en.wikipedia.org/wiki/Server_Name_Indication ) but for POP/IMAP
> clients.

Yeah. Sounds like this.

But this leaves the question open: what is the potential POP3S client?


I should consider implementing SNI as part of UCSPI-SSL (on the server
side).

regards.
--eh

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi Oliver,


--On 1. August 2014 11:25:28 +0200 Oliver Welter <mail@oliwel.de> wrote:

> Am 01.08.2014 um 10:40 schrieb Erwin Hoffmann:
>>
>> But this leaves the question open, what is the potential POP3s client.
>>
>>
>> I should consider implementing SNI as part of UCSPI-SSL (on the server
>> side).
>
> Is there any client outside supporting this? SNI for HTTPS is available
> at large but I never heard of any other application world having support
> for it.

There are in fact a few open Qs:

a) POP3 clients: Capable to use client certificates.
b) POP3 clients: Using SNI (as required) and how.
c) POP3 server: Supporting SNI.
d) POP3 server: Support client cert based Authentication instead of
User/APOP ...

Further:

e) Regarding (d) and SMTP, the email-address to authenticate is part of the
SAN (Subject Alternative Name).

The X.509 client cert binds the username/email to the POP3 account. Thus,
from the X.509 client cert, and in particular the domain information in the
SAN, the POP3 client has to construct the SNI (hostname) prior to the TLS
handshake.

This is certainly feasible but is not current technique.

regards.
--eh.

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Am 01.08.2014 um 11:54 schrieb Erwin Hoffmann:
> d) POP3 server: Support client cert based Authentication instead of
> User/APOP ...
>
> Further:
>
> e) Regarding (d) and SMTP, the email-address to authenticate is part of
> the SAN (Subject Alternative Name).
>
> The X.509 client certs binds the username/email to the POP3 account.
> Thus, from the X.509 client cert, and in particular the domain
> information in the SAN, the POP3 client has to construct the SNI
> (hostname) prior of the TLS handshake.

That is an interesting idea in combination with S/MIME - the user
already needs to have the S/MIME signing certificate in the mail client,
so it can be used without any additional "user efforts" to authenticate
against the mail server. No more hacked accounts sending spam....

regards

Oliver

--
Protect your environment - close windows and adopt a penguin!
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi Oliver,


--On 1. August 2014 12:12:55 +0200 Oliver Welter <mail@oliwel.de> wrote:

> Am 01.08.2014 um 11:54 schrieb Erwin Hoffmann:
>> d) POP3 server: Support client cert based Authentication instead of
>> User/APOP ...
>>
>> Further:
>>
>> e) Regarding (d) and SMTP, the email-address to authenticate is part of
>> the SAN (Subject Alternative Name).
>>
>> The X.509 client certs binds the username/email to the POP3 account.
>> Thus, from the X.509 client cert, and in particular the domain
>> information in the SAN, the POP3 client has to construct the SNI
>> (hostname) prior of the TLS handshake.
>
> That is an interesting idea in combination with S/MIME - the user
> already needs to have the S/MIME signing certificate in the mail client,
> so it can be used without any additional "user efforts" to authenticate
> against the mail server. No more hacked accounts sending spam....

This idea is not new. It is, however, the current scheme for X.509 client
cert based authentication.


This is supported by my current UCSPI-SSL + Spamcontrol.

regards.
--eh.

--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hello Oliver,
I really appreciate the time and effort you put in for answering my queries.
As per your reply we have 2 approaches:
1. Generate an SSL certificate with "subject alternative names".
It is not possible because we have multiple clients hosted on a single server and each client provides its own certificate, which is valid for its own domain only.
2. One qmail-pop3s process per domain.
I do not have any idea how to configure it. If you share some document it would be very helpful for me.
best regards
Yugendra Khonde
System Support Engineer
Mithi SkyConnect Kaizen team
Mithi Software Technologies





Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hello Yugendra,


Am 01.08.2014 um 14:33 schrieb Yugendra Khonde:
> Hello Oliver,
>
> 2. One qmail-pop3s process per domain.
> * I do not have any idea how to configure it. If you share
> some document it would be very helpful for me.*
>

I don't have a document at hand, basically you need to do two things:
1) Assign an individual IP address to each domain you want to cover, e.g.

mail.customer1.com -> 1.2.3.4
mail.customer2.com -> 1.2.3.5
mail.customer3.com -> 1.2.3.6
tbc.

2) Assign all of those IPs to your mail server, set up one instance of
tcpserver / qmail-pop3s for each IP address. This is as easy as making
copies of your present configuration inside the supervise directory
(usually /service or /svscan). Change the run script to bind to only one
IP address and configure it to use the matching certificate.

This will obviously only work out for a small number of clients.

Oliver

--
Protect your environment - close windows and adopt a penguin!
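As an added example of Oliver's two steps (not his code, nor anything from a qmail project), the script below renders one daemontools run script per hosted hostname, each bound to a single IP and pointing at its own certificate, and refuses an inventory in which two hostnames share an IP, since one IP:port pair can present only one certificate without SNI. It assumes ucspi-ssl's sslserver as the TLS wrapper, reading CERTFILE and KEYFILE from the environment as its documentation describes, in front of the stock qmail-popup / checkpassword / qmail-pop3d chain; the hostnames, certificate paths and 1.2.3.x addresses are placeholders in the spirit of Oliver's illustration.

```python
from pathlib import Path

# Constructed inventory of hosted clients: every value is a placeholder for the example.
INSTANCES = [
    {"host": "mail.customer1.com", "ip": "1.2.3.4",
     "cert": "/etc/ssl/customer1.pem", "key": "/etc/ssl/customer1.key"},
    {"host": "mail.customer2.com", "ip": "1.2.3.5",
     "cert": "/etc/ssl/customer2.pem", "key": "/etc/ssl/customer2.key"},
    {"host": "mail.customer3.com", "ip": "1.2.3.6",
     "cert": "/etc/ssl/customer3.pem", "key": "/etc/ssl/customer3.key"},
]

# One daemontools run script per instance (assumed layout). sslserver, like tcpserver,
# binds only to the address given as its host argument, and takes the certificate and
# key from CERTFILE/KEYFILE, so each IP:995 presents exactly one certificate.
RUN_TEMPLATE = """#!/bin/sh
# pop3s for {host}: listens on {ip}:995 only and presents the certificate for that name.
exec env CERTFILE={cert} KEYFILE={key} \\
  sslserver -v -R -H -l {host} {ip} 995 \\
  /var/qmail/bin/qmail-popup {host} /bin/checkpassword \\
  /var/qmail/bin/qmail-pop3d Maildir 2>&1
"""


def find_conflicts(instances):
    """List every problem that would break the one-certificate-per-IP:port rule."""
    problems, ip_owner, hosts = [], {}, set()
    for inst in instances:
        if inst["ip"] in ip_owner:
            problems.append(f"{inst['host']} and {ip_owner[inst['ip']]} both use "
                            f"{inst['ip']}: one IP:port can present only one certificate")
        else:
            ip_owner[inst["ip"]] = inst["host"]
        if inst["host"] in hosts:
            problems.append(f"duplicate hostname {inst['host']}")
        hosts.add(inst["host"])
    return problems


def render_run_script(inst):
    return RUN_TEMPLATE.format(**inst)


def plan_services(instances, service_root="/service"):
    """Map each supervise run-script path to its contents, without touching the filesystem."""
    problems = find_conflicts(instances)
    if problems:
        raise ValueError("; ".join(problems))
    return {f"{service_root}/qmail-pop3s-{inst['host']}/run": render_run_script(inst)
            for inst in instances}


def write_services(instances, service_root="/service"):
    """Materialise the plan: one supervise directory per instance, run script executable."""
    written = []
    for path, script in plan_services(instances, service_root).items():
        run = Path(path)
        run.parent.mkdir(parents=True, exist_ok=True)
        run.write_text(script)
        run.chmod(0o755)
        written.append(str(run))
    return written


if __name__ == "__main__":
    for path, script in plan_services(INSTANCES).items():
        print(f"== {path}\n{script}")
```

The duplicate-IP check is the part worth keeping even if the rest is replaced by hand-copied run scripts: it encodes the constraint that makes the per-IP approach work at all, and it is the same constraint that caps the approach at a small number of clients, as Oliver notes. Andy's stunnel setup later in the thread is the same idea with a different wrapper, one accept address per certificate.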
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Thus said Erwin Hoffmann on Fri, 01 Aug 2014 09:54:30 +0200:

> Stock qmail (and in particular qmail-pop3s) is not SSL-aware, thus you
> have to use a patch.

I've never had to patch qmail for SSL support. I use stunnel to wrap
qmail. This obviously does not support STARTTLS, but if it's just SSL
that is required, there is no patch required.

Andy
--
TAI64 timestamp: 4000000053dc6e37
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi Andy,

--On 1. August 2014 22:50:28 -0600 Andy Bradford
<amb-sendok-1409547028.lckjkdmdokpilhejkkeb@bradfords.org> wrote:

> Thus said Erwin Hoffmann on Fri, 01 Aug 2014 09:54:30 +0200:
>
>> Stock qmail (and in particular qmail-pop3s) is not SSL-aware, thus you
>> have to use a patch.
>
> I've never had to patch qmail for SSL support. I use stunnel to wrap
> qmail. This obviously does not support STARTTLS, but if it's just SSL
> that is required, there is no patch required.

Correct. Instead of using stunnel, UCSPI-SSL does the same job -- on the
server side.

However, encrypting SMTP transactions with SSL/TLS is only one part of the
story. Controlling requires some application level integration.
And this cannot be done without patching qmail.

Thus, your glass is half-full. It may taste great, but is not enough for my
thirst.

regards.
--eh.


--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Thus said Erwin Hoffmann on Sat, 02 Aug 2014 18:32:55 +0200:

> However, encrypting SMTP transactions with SSL/TLS is only one part of
> the story. Controlling requires some application level integration.
> And this cannot be done without patching qmail.

I'm not sure what is meant by control. I can control relaying this way
by setting RELAYCLIENT in the environment for all clients who have a
valid peer certificate. Those who do not have a valid peer certificate
can only talk SMTP without relaying. Is this what is meant by control?

Thanks,

Andy
--
TAI64 timestamp: 4000000053dd165d
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Hi,


--On 2. August 2014 10:47:54 -0600 Andy Bradford
<amb-sendok-1409590074.gihlaknadcdofghibldf@bradfords.org> wrote:

> Thus said Erwin Hoffmann on Sat, 02 Aug 2014 18:32:55 +0200:
>
>> However, encrypting SMTP transactions with SSL/TLS is only one part of
>> the story. Controlling requires some application level integration.
>> And this cannot be done without patching qmail.
>
> I'm not sure what is meant by control.

Controlling means

a) to allow customization of the (few) TLS tweaking knobs like ciphers and
certs,
b) to provide the user a clear indication if and how his/her mail was
transferred by SMTP/TLS.

> I can control relaying this way
> by setting RELAYCLIENT in the environment for all clients who have a
> valid peer certificate. Those who do not have a valid peer certificate
> can only talk SMTP without relaying. Is this what is meant by control?

In your last case this means unencrypted SMTP transmission?

Clients usually don't have "valid" certificates -- you need to deploy (and
enforce presenting) those.
Just 'relaying' for valid certs is not enough. A client cert binds to the
user; thus typically you provide authentication in this case. In qmail
terms this is equivalent to relaying.

By the way: How do you handle qmail-remote and TLS?


regards.
--eh.





--
Dr. Erwin Hoffmann | FEHCom | http://www.fehcom.de/ | PGP-Key-Id: 7E4034BE
Re: Does qmail-pop3s supports multiple SSL certificates? [ In reply to ]
Thus said Erwin Hoffmann on Sat, 02 Aug 2014 19:12:35 +0200:

> a) to allow customization of the (few) TLS tweaking knobs like ciphers
> and certs,

I suppose this isn't possible with SSL wrapped SMTP?

> b) to provide the user a clear indication if and how his/her mail was
> transferred by SMTP/TLS.

How is this indication offered to a user? Is it subject to forgery? What
indication does a user have after the message has been submitted, that
all nodes in the forward path provided the same level of encryption? Not
even SSL wrapped SMTP solves this problem.

> > Those who do not have a valid peer certificate can only talk SMTP
> > without relaying.
>
> In your last case this means, unencrypted SMTP transmission?

Not specifically, no. If they connect to the SSL port, then clearly it
will be encrypted.

I see what you're getting at though. Because SMTP on port 25 must be
plain, there is no way to support opportunistic encryption via STARTTLS.
Does anyone verify certificate chains when using STARTTLS?

> Clients usually don't have "valid" certificates -- you need to deploy
> (and enforce presenting) those.

Yes, of course. Just like clients don't usually have valid usernames and
passwords.

> By the way: How do you handle qmail-remote and TLS ?

The only truly end-to-end security provided by PGP. :-)

Andy
--
TAI64 timestamp: 4000000053dd273c