**************************************************************************
**************************************************************************
** NOTE: The whole point of the secure services initiative is to stop   **
** people from transmitting their passwords across the network in the   **
** clear. If you telnet into a machine and then use this information    **
** to connect "securely" to a mail server, you are missing the point.   **
**                                                                      **
** The only time you ever want to use this information is when your     **
** connection to the machine you read your mail from is secure at all   **
** stages. If you dial in to your ISP, telnet to one of their machines, **
** then ssh to your unix workstation at work, your connection to the    **
** unix workstation is NOT secure, despite the ssh step. Do not use     **
** the information in this document if any portion of your connection   **
** is insecure. THIS IS IMPORTANT.                                      **
**************************************************************************
**************************************************************************

This document assumes that you have some familiarity with compiling and
installing software in a unix environment. This includes any flavor of
unix, such as Solaris, Linux, BSD, Ultrix, Irix, or whatever.

*** SPECIAL NOTE FOR MACOS X USERS ***

The only part of this document you need to read is steps 5 and 6. For
instructions which will work on OS X (steps 1 through 4 won't), check
http://staff.washington.edu/jdlarios/imapssl-macosx.txt

*** EVERYONE ELSE, KEEP READING ***

Depending on your configuration, you may need to perform some steps as
the "root" user. If you don't know what this means, this document is
probably not for you (not because you're stupid, which you're probably
not, but because you just won't be able to use the software).

These instructions are best used on a unix workstation which is used by
a small number of people.
While it's possible to set something like this up in a multiuser
environment, it can get confusing (and wasteful if there are multiple
people who have installed their own local copies).

In the instructions below, lines which begin with a "#" symbol should be
run as the root user. You can also do this as a regular user, as long as
you change all the paths to non-system directories, such as your home
directory.

If you've already got OpenSSL installed, you can skip step 1. Make sure
that you've got certificate files in your certs directory, though. If
you don't, imapssl-proxy will complain about not trusting the remote
certificate (and refuse the connection: the --verify 1 and --CApath
options in the step 4 script are what make the proxy check the server's
certificate chain, so don't "fix" a trust complaint by removing them).

1. Get and install OpenSSL from http://www.openssl.org/

   ncftpget ftp://ftp.openssl.org/source/openssl-0.9.6a.tar.gz
   tar zxvf openssl-0.9.6a.tar.gz
   cd openssl-0.9.6a
   ./config --prefix=/usr/local --openssldir=/usr/local/openssl
   make
   make test
   # make install
   cd certs
   # tar cBf - . | (cd /usr/local/openssl/certs/; tar xvBpf -)

   You might also want to make a symlink from /usr/local/openssl to
   /usr/local/ssl, since some programs expect ssl to be there:

   # ln -s /usr/local/openssl /usr/local/ssl

2. Get my patch which allows you to compile netpipes against OpenSSL from
   http://staff.washington.edu/~jdlarios/netpipes-openssl.patch

3. Get my somewhat-modified netpipes package from
   http://staff.washington.edu/jdlarios/netpipes-4.2-noexport.tar.gz

   mkdir netpipes
   cd netpipes
   tar zxvf /path/to/netpipes-4.2-noexport.tar.gz
   patch -p1 < /path/to/netpipes-openssl.patch
   make all ssl-auth
   # make install

4. Create a file called /usr/local/bin/imapssl-proxy which contains the
   following program:

---CUT HERE---
#!/bin/sh
exec > /dev/null
exec 2>&1
exec /usr/local/bin/faucet "$1" --in --out --localhost 127.0.0.1 \
  /usr/local/bin/hose "$2" 993 --fd 3 \
  /usr/local/bin/ssl-auth --fd 3 --client \
  --CApath /usr/local/openssl/certs/ --verify 1 >&0
---CUT HERE---

   Don't include the "---CUT HERE---" lines. The two "exec" redirections
   send all of the proxy's output, errors included, to /dev/null; the
   --localhost 127.0.0.1 option makes faucet listen only on the loopback
   interface, so nobody else on the network can use your proxy as a
   plaintext relay to the mail server. Now, make the file executable:

   # chmod +x /usr/local/bin/imapssl-proxy

5.
imapssl-proxy takes two arguments, a port number and a mail server name.
I would use it like this:

   /usr/local/bin/imapssl-proxy 8888 jdlarios.deskmail.washington.edu

That would bind port 8888 on the loopback interface of the machine I ran
imapssl-proxy on, and forward anything connecting to it to the imap
deskmail server I use at the UW, using SSL. I would then configure my
mail client to use IMAP, with the server being 127.0.0.1 and the port
being 8888.

If I couldn't configure the client to use a port of my choosing, I would
have to run imapssl-proxy as root, like so:

   # /usr/local/bin/imapssl-proxy 143 jdlarios.deskmail.washington.edu

You need to be root to bind to ports lower than 1024.

Once I was done reading my mail, I would kill imapssl-proxy. Pressing
control-c usually does the trick. While it's running, it doesn't produce
any output. You'll know it's working if your mail client is able to make
a connection. If the client can't connect, temporarily remove the two
"exec" redirection lines from the step 4 script and run it again from a
terminal: the error from ssl-auth (for example, an untrusted server
certificate) will then be printed instead of discarded.

6. If you have any questions, send me mail: jdlarios@cac.washington.edu

This software is not supported by Computing and Communications, and if
you write to help@cac.washington.edu with questions about it, they'll
probably be annoyed.

7. These instructions create an ssl proxy for IMAP servers. If your mail
client uses POP instead of IMAP, you can alter these instructions to
work for you. In step 4, you created a file called
/usr/local/bin/imapssl-proxy. Edit that file and replace the number 993
in the sixth line (counting the first ---CUT HERE--- line as line one)
with the number 995. In other words, instead of the line being:

   /usr/local/bin/hose "$2" 993 --fd 3 \

it should be

   /usr/local/bin/hose "$2" 995 --fd 3 \

You might want to rename the file from imapssl-proxy to popssl-proxy, to
remind you that it's a POP proxy instead of an IMAP one. All the other
instructions remain the same, though.

--Josh

$Id: imapssl-with-nonssl-clients.txt,v 1.8 2001/06/06 21:23:56 jdlarios Exp $
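Appended example. The following Python 3 program is not part of this
document, of netpipes, or of the imapssl-proxy script; it is an added
equivalent of the faucet/hose/ssl-auth pipeline from step 4 that also
covers the POP variant from step 7, written so the verification
behaviour is explicit. It listens on 127.0.0.1 only (as --localhost
127.0.0.1 does), opens a TLS connection to the mail server on 993 (IMAP)
or 995 (POP), and refuses servers whose certificate does not chain to a
trusted CA. It additionally checks that the certificate was issued for
the server name you typed; whether ssl-auth's --verify 1 does that as
well is not stated above, so treat that check as this example's own.
The names TLS_PORTS, make_client_context, pump, handle, serve and
relay_roundtrip are mine, the CApath argument is optional and must be an
OpenSSL-style hashed certificate directory such as
/usr/local/openssl/certs/, and the IMAP line in the self-check is
constructed sample data.

```python
#!/usr/bin/env python3
"""Added example: local plaintext-to-TLS forwarder for IMAP/POP clients.
Not part of netpipes or the original imapssl-proxy script."""
import socket
import ssl
import sys
import threading

# TLS-wrapped ports at the mail server, the same numbers steps 4 and 7 use.
TLS_PORTS = {"imap": 993, "pop": 995}


def make_client_context(capath=None):
    """Build a verifying TLS client context.

    CERT_REQUIRED rejects servers whose chain does not lead to a trusted
    CA (the "not trusting the remote certificate" failure in the text);
    check_hostname also rejects a valid certificate issued to a different
    host, which a chain check alone would accept."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if capath is not None:
        # Assumption: an OpenSSL hashed directory, e.g. /usr/local/openssl/certs/
        ctx.load_verify_locations(capath=capath)
    return ctx


def pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, server_name, server_port, ctx):
    """Open a verified TLS session to the mail server and splice both ways."""
    try:
        raw = socket.create_connection((server_name, server_port), timeout=30)
        upstream = ctx.wrap_socket(raw, server_hostname=server_name)
        upstream.settimeout(None)
    except (OSError, ssl.SSLError) as exc:
        # Unlike the step 4 script, report the failure instead of discarding it.
        print(f"upstream connection to {server_name} failed: {exc}",
              file=sys.stderr)
        client.close()
        return
    t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
    t.start()
    pump(upstream, client)
    t.join()
    client.close()
    upstream.close()


def serve(listen_port, server_name, protocol="imap", capath=None,
          listen_host="127.0.0.1"):
    """Listen on the loopback interface only and forward each plaintext
    client to server_name over verified TLS."""
    ctx = make_client_context(capath)
    server_port = TLS_PORTS[protocol]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        lsock.bind((listen_host, listen_port))
        lsock.listen(5)
        while True:
            client, _ = lsock.accept()
            threading.Thread(target=handle,
                             args=(client, server_name, server_port, ctx),
                             daemon=True).start()


def relay_roundtrip(payload):
    """Offline self-check: push payload through pump() over socketpairs and
    return what the far end received, including EOF propagation."""
    a, b = socket.socketpair()
    c, d = socket.socketpair()
    t = threading.Thread(target=pump, args=(b, c))
    t.start()
    a.sendall(payload)
    a.shutdown(socket.SHUT_WR)
    received = b""
    while True:
        chunk = d.recv(65536)
        if not chunk:
            break
        received += chunk
    t.join()
    for s in (a, b, c, d):
        s.close()
    return received


if __name__ == "__main__":
    # Usage mirrors imapssl-proxy: PORT SERVER [imap|pop] [CApath]
    if len(sys.argv) < 3:
        sys.exit("usage: localssl-proxy PORT SERVER [imap|pop] [CApath]")
    proto = sys.argv[3] if len(sys.argv) > 3 else "imap"
    capath = sys.argv[4] if len(sys.argv) > 4 else None
    serve(int(sys.argv[1]), sys.argv[2], proto, capath)
```

Run it as "python3 localssl-proxy.py 8888 mail.example.org imap" and point
the mail client at 127.0.0.1 port 8888, exactly as in step 5; binding a
port below 1024 still needs root. A server presenting an untrusted or
wrong-name certificate is reported on stderr and the client connection
is dropped rather than silently relayed.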