Work in progress This page is a preliminary draft. It's only here because I may never complete it.
In July 2008 Chris Yeardley and I set up an external web and mail server. Chris uses Microsoft, so she needs to pull her mail down with POP. Since this goes out on the Internet, it's clear that my previous toy solutions for the local network, using popper would be inadequate, so I installed qpopper instead. It was complicated enough for me to write down the details.
qpopper comes with PDF documentation that the FreeBSD port—typically—disabled by default. Enabling it was about the only change I made to the configuration before installing it. The port also doesn't add the necessary configuration line to /etc/inetd.conf, but at least it says so at the end of the installation:
```
****************************************************************************
To enable the qpopper-daemon, add the following line to your /etc/inetd.conf:

pop3    stream  tcp     nowait  root    /usr/local/libexec/qpopper      qpopper -s
****************************************************************************
```
That's only part of the story, of course. What about secure connections? Elsewhere I saw an alternative which set up two different configurations, one for clear text and one for secure connections. I only wanted the secure connection, so that's what I describe here.
```
pop3    stream  tcp     nowait  root    /usr/local/libexec/qpopper      qpopper -f /usr/local/etc/qpopper/STLS-110.conf
pop3s   stream  tcp     nowait  root    /usr/local/libexec/qpopper      qpopper -f /usr/local/etc/qpopper/TLS-995.conf
```
The names at the end of the line are the configuration file which those instructions create, not the sort of name I'd use. I don't want standard unencrypted POP-3 connections, so I presumably can put everything in the default configuration file. But where is the default file? The port doesn't tell you, the man page doesn't tell you (it does mention a number of other files), and the PDF documentation (installed at /usr/local/share/doc/qpopper/GUIDE.pdf) takes a while to make it clear that by default there is no configuration file. The port, not to be outdone, puts a default configuration file at /usr/local/etc/qpopper.config.sample and keeps very quiet about the fact, implying (but not saying) that the correct name for the configuration file should be /usr/local/etc/qpopper.config. Does the version of qpopper built from the port know this?
The HOWTO I mentioned above is several years old and refers to FreeBSD 4.9. I'm using FreeBSD 7.0, so I ignored the build instructions; today the ports collection has one of those horrible interactive configuration windows. Hopefully that's enough.
These same instructions set up not two (as it seemed) but three configuration files: a main file which is included by the other two, one configuration file for TLS, and one without. I made the equivalent of one file for TLS only.
```
=== root@dereel (/dev/ttypp) /etc/mail/certs 59 -> openssl genrsa -des3 -out lemis-ca.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................................................................................................................................+++
........+++
e is 65537 (0x10001)
Enter pass phrase for lemis-ca.key:
Verifying - Enter pass phrase for lemis-ca.key:
=== root@dereel (/dev/ttypp) /etc/mail/certs 60 -> openssl req -new -x509 -days 3650 -key lemis-ca.key -out lemis-ca.crt
Enter pass phrase for lemis-ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:Dereel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LEMIS (SA) Pty Ltd
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:www.lemis.com
Email Address []:grog@lemis.com
=== root@dereel (/dev/ttypp) /etc/mail/certs 61 -> openssl genrsa -out pop3key.pem 1024
Generating RSA private key, 1024 bit long modulus
..........................................++++++
......................++++++
e is 65537 (0x10001)
=== root@dereel (/dev/ttypp) /etc/mail/certs 62 -> l
total 1
-rw-r--r--  1 root  wheel  1728 Jul 12 15:05 lemis-ca.crt
-rw-r--r--  1 root  wheel  1751 Jul 12 15:01 lemis-ca.key
drwxr-xr-x  2 root  wheel   512 Jul 12 15:01 old
-rw-r--r--  1 root  wheel   887 Jul 12 15:05 pop3key.pem
=== root@dereel (/dev/ttypp) /etc/mail/certs 66 -> chmod 400 pop3key.pem
```
According to the HOWTO I copied, the “Common Name” must match the server name. No explanation why beyond “you will have many problems!”. (The reason is that a POP client checks the name in the server certificate against the host name it connected to, and warns or refuses the connection on a mismatch.)
```
=== root@dereel (/dev/ttypp) /etc/mail/certs 63 -> openssl req -new -key pop3key.pem -out pop3cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:Dereel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LEMIS (SA) Pty Ltd
Organizational Unit Name (eg, section) []:Messaging
Common Name (eg, YOUR name) []:www.lemis.com
Email Address []:grog@lemis.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
=== root@dereel (/dev/ttypp) /etc/mail/certs 64 -> openssl x509 -req -in pop3cert.csr -out pop3cert.pem -sha1 -CA lemis-ca.crt -CAkey lemis-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=AU/ST=VIC/L=Dereel/O=LEMIS (SA) Pty Ltd/OU=Messaging/CN=www.lemis.com/emailAddress=grog@lemis.com
Getting CA Private Key
Enter pass phrase for lemis-ca.key:
=== root@dereel (/dev/ttypp) /etc/mail/certs 67 -> chmod 400 *
```
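The whole procedure above, from CA key to signed server certificate, as an added example that is not code from the page or its author: a POSIX shell script that performs the same steps non-interactively, keeps the CA passphrase out of the command line, puts the host name into a subjectAltName as well as the CN, and ends with the check a client actually performs when it connects (chain to the CA plus host-name match), which is what the HOWTO's “many problems” warning is about. The host name pop.example.com and the CA name are placeholders, the server key is 2048 bits rather than the page's 1024, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not code from the page): the CA and server-certificate steps
# above, done non-interactively with a fixed config instead of the prompts,
# plus the two checks worth running before pointing qpopper at the files.
# Assumes OpenSSL 1.1.1 or later. The server name is a placeholder.
set -eu

SERVER_NAME="${SERVER_NAME:-pop.example.com}"   # placeholder, not the page's host

# make_ca DIR: passphrase-protected CA key plus a ten-year self-signed CA
# certificate. The passphrase comes from the CA_PASS environment variable
# rather than the command line, so it does not appear in ps output.
make_ca() {
    dir=$1
    : "${CA_PASS:?set CA_PASS in the environment before calling make_ca}"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = AU
ST = VIC
L = Dereel
O = LEMIS (SA) Pty Ltd
OU = Certificate Authority
CN = Example Mail CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048
    chmod 400 "$dir/ca.key"          # the page's chmod 400, applied at once
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -passin env:CA_PASS -out "$dir/ca.crt"
}

# make_server_cert DIR NAME: 2048-bit server key (the page used 1024), a CSR
# with CN=NAME, and a CA-signed certificate that also lists NAME as a
# subjectAltName, which is what current clients match against.
make_server_cert() {
    dir=$1
    name=$2
    cat > "$dir/server.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = AU
ST = VIC
L = Dereel
O = LEMIS (SA) Pty Ltd
OU = Messaging
CN = $name
[server_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl genrsa -out "$dir/server.key" 2048
    chmod 400 "$dir/server.key"
    openssl req -new -sha256 -config "$dir/server.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
    # x509 -req does not copy extensions from the CSR, so supply them here.
    openssl x509 -req -sha256 -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/server.cnf" -extensions server_ext -out "$dir/server.crt"
}

# check_cert DIR NAME: succeeds only if server.crt chains to ca.crt AND is valid
# for host NAME, the same test a mail client applies when it connects.
check_cert() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt"
}

# Stand-alone use:  CERT_DIR=/etc/mail/certs CA_PASS='...' sh make-pop3-certs.sh
if [ -n "${CERT_DIR:-}" ]; then
    make_ca "$CERT_DIR"
    make_server_cert "$CERT_DIR" "$SERVER_NAME"
    check_cert "$CERT_DIR" "$SERVER_NAME"
fi
```

Run it once with CERT_DIR pointing at the certificate directory and CA_PASS set; the files it leaves behind are ca.crt (to distribute to the clients, since a private CA is not in their trust stores), server.crt and server.key (for qpopper), and ca.key, which is only needed again to sign the next certificate. If check_cert fails with a hostname mismatch, the name the clients will use is not the one in the certificate, and that is the problem the HOWTO warns about.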
Nowhere did it tell me for sure whether qpopper uses a configuration file by default. With a bit of wireshark and ktrace I was able to establish that it almost certainly doesn't; certainly it doesn't look at /usr/local/etc/qpopper.config. So I modified my inetd.conf entry:
```
pop3s   stream  tcp     nowait  root    /usr/local/libexec/qpopper      qpopper -s -f /usr/local/etc/qpopper/qpopper.config
```
And yes, that's not the same file name. I originally took the hint and used the name that was suggested. But it's better in the qpopper directory.
```
=== root@dereel (/dev/ttypp) /usr/local/etc 29 -> cd /etc/mail/
=== root@dereel (/dev/ttypp) /etc/mail 31 -> mkdir certs
=== root@dereel (/dev/ttypp) /etc/mail 32 -> cd certs/
=== root@dereel (/dev/ttypp) /etc/mail/certs 33 -> openssl genrsa -des3 -out lemis-ca.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
..................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for my-ca.key:
Verifying - Enter pass phrase for my-ca.key:
=== root@dereel (/dev/ttypp) /etc/mail/certs 41 -> openssl req -new -x509 -days 3650 -key lemis-ca.key -out lemis-ca.cert
Enter pass phrase for lemis.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:Dereel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LEMIS (SA) Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Greg Lehey
Email Address []:grog@lemis.com
=== root@dereel (/dev/ttypp) /etc/mail/certs 42 -> l
total 1
-rw-r--r--  1 root  wheel  1578 Jul 11 14:36 lemis.cert
-rw-r--r--  1 root  wheel  1751 Jul 11 14:32 lemis.key
=== root@dereel (/dev/ttypp) /etc/mail/certs 43 -> openssl x509 -in lemis.cert -text -noout
(certificate info omitted)
=== root@dereel (/dev/ttypp) /etc/mail/certs 47 -> openssl genrsa -out pop3key.pem 1024
Generating RSA private key, 1024 bit long modulus
.....................................................................................++++++
.......++++++
e is 65537 (0x10001)
=== root@dereel (/dev/ttypp) /etc/mail/certs 48 -> openssl req -new -key pop3key.pem -out pop3cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:VIC
Locality Name (eg, city) []:Dereel
Organization Name (eg, company) [Internet Widgits Pty Ltd]:LEMIS (SA) Pty Ltd
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Greg Lehey
Email Address []:grog@lemis.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
=== root@dereel (/dev/ttypp) /etc/mail/certs 52 -> openssl x509 -req -in pop3cert.csr -out pop3cert.pem -sha1 -CA lemis-ca.cert -CAkey lemis-ca.key -CAcreateserial -days 3650
Signature ok
subject=/C=AU/ST=VIC/L=Dereel/O=LEMIS (SA) Pty Ltd/CN=Greg Lehey/emailAddress=grog@lemis.com
Getting CA Private Key
Enter pass phrase for lemis-ca.key:
```
$Id: qpopper-history.php,v 1.1 2008/07/19 01:59:39 grog Exp $